Upgrade ring to 0.16 and jsonwebtoken to 7

Cargo.toml

@@ -43,7 +43,7 @@ http = "0.1"
 hyper = { version = "0.12", optional = true }
 hyperx = { version = "0.12", optional = true }
 jobserver = "0.1"
-jsonwebtoken = { version = "6.0.1", optional = true }
+jsonwebtoken = { version = "7", optional = true }
 lazy_static = "1.0.0"
 libc = "0.2.10"
 local-encoding = "0.2.0"
@@ -59,7 +59,7 @@ redis = { version = "0.15.0", optional = true }
 regex = "1"
 reqwest = { version = "0.9.11", optional = true }
 retry = "0.4.0"
-ring = { version = "0.14.6", optional = true }
+ring = { version = "0.16", optional = true, features = ["std"] }
 sha-1 = { version = "0.8", optional = true }
 sha2 = { version = "0.8", optional = true }
 serde = "1.0"

src/bin/sccache-dist/main.rs

@@ -262,10 +262,11 @@ fn create_jwt_server_token(
     header: &jwt::Header,
     key: &[u8],
 ) -> Result<String> {
-    jwt::encode(&header, &ServerJwt { server_id }, key).map_err(Into::into)
+    let key = jwt::EncodingKey::from_secret(key);
+    jwt::encode(&header, &ServerJwt { server_id }, &key).map_err(Into::into)
 }
-fn dangerous_unsafe_extract_jwt_server_token(server_token: &str) -> Option<ServerId> {
-    jwt::dangerous_unsafe_decode::<ServerJwt>(&server_token)
+fn dangerous_insecure_extract_jwt_server_token(server_token: &str) -> Option<ServerId> {
+    jwt::dangerous_insecure_decode::<ServerJwt>(&server_token)
         .map(|res| res.claims.server_id)
         .ok()
 }
@@ -274,7 +275,8 @@ fn check_jwt_server_token(
     key: &[u8],
     validation: &jwt::Validation,
 ) -> Option<ServerId> {
-    jwt::decode::<ServerJwt>(server_token, key, validation)
+    let key = jwt::DecodingKey::from_secret(key);
+    jwt::decode::<ServerJwt>(server_token, &key, validation)
         .map(|res| res.claims.server_id)
         .ok()
 }
@@ -407,7 +409,7 @@ fn run(command: Command) -> Result<i32> {
                 }
                 server_config::SchedulerAuth::JwtToken { token } => {
                     let token_server_id: ServerId =
-                        dangerous_unsafe_extract_jwt_server_token(&token)
+                        dangerous_insecure_extract_jwt_server_token(&token)
                             .context("Could not decode scheduler auth jwt")?;
                     if token_server_id != server_id {
                         bail!(

src/bin/sccache-dist/token_check.rs

@@ -121,11 +121,11 @@ impl MozillaCheck {
             sub: String,
         }
         // We don't really do any validation here (just forwarding on) so it's ok to unsafely decode
-        let unsafe_token =
-            jwt::dangerous_unsafe_decode::<MozillaToken>(token).context("Unable to decode jwt")?;
-        let user = unsafe_token.claims.sub;
+        let insecure_token = jwt::dangerous_insecure_decode::<MozillaToken>(token)
+            .context("Unable to decode jwt")?;
+        let user = insecure_token.claims.sub;
         trace!("Validating token for user {} with mozilla", user);
-        if UNIX_EPOCH + Duration::from_secs(unsafe_token.claims.exp) < SystemTime::now() {
+        if UNIX_EPOCH + Duration::from_secs(insecure_token.claims.exp) < SystemTime::now() {
             bail!("JWT expired")
         }
         // If the token is cached and not expired, return it
@@ -353,17 +353,18 @@ impl ValidJWTCheck {
         trace!("Validating JWT in scheduler");
         // Prepare validation
         let kid = header.kid.context("No kid found")?;
-        let pkcs1 = self
-            .kid_to_pkcs1
-            .get(&kid)
-            .context("kid not found in jwks")?;
+        let pkcs1 = jwt::DecodingKey::from_rsa_der(
+            self.kid_to_pkcs1
+                .get(&kid)
+                .context("kid not found in jwks")?,
+        );
         let mut validation = jwt::Validation::new(header.alg);
-        validation.set_audience(&self.audience);
+        validation.set_audience(&[&self.audience]);
         validation.iss = Some(self.issuer.clone());
         #[derive(Deserialize)]
         struct Claims {}
         // Decode the JWT, discarding any claims - we just care about validity
-        let _tokendata = jwt::decode::<Claims>(token, pkcs1, &validation)
+        let _tokendata = jwt::decode::<Claims>(token, &pkcs1, &validation)
             .context("Unable to validate and decode jwt")?;
         Ok(())
     }

src/cache/gcs.rs

@@ -298,8 +298,8 @@ fn sign_rsa(
     key: &[u8],
     alg: &'static dyn signature::RsaEncoding,
 ) -> Result<String> {
-    let key_pair = signature::RsaKeyPair::from_pkcs8(untrusted::Input::from(key))
-        .context("failed to deserialize rsa key")?;
+    let key_pair =
+        signature::RsaKeyPair::from_pkcs8(key).context("failed to deserialize rsa key")?;
 
     let mut signature = vec![0; key_pair.public_modulus_len()];
     let rng = ring::rand::SystemRandom::new();

src/dist/http.rs

@@ -609,12 +609,14 @@ mod server {
     impl dist::JobAuthorizer for JWTJobAuthorizer {
         fn generate_token(&self, job_id: JobId) -> Result<String> {
             let claims = JobJwt { job_id };
-            jwt::encode(&JWT_HEADER, &claims, &self.server_key)
+            let key = jwt::EncodingKey::from_secret(&self.server_key);
+            jwt::encode(&JWT_HEADER, &claims, &key)
                 .map_err(|e| anyhow!("Failed to create JWT for job: {}", e))
         }
         fn verify_token(&self, job_id: JobId, token: &str) -> Result<()> {
             let valid_claims = JobJwt { job_id };
-            jwt::decode(&token, &self.server_key, &JWT_VALIDATION)
+            let key = jwt::DecodingKey::from_secret(&self.server_key);
+            jwt::decode(&token, &key, &JWT_VALIDATION)
                 .map_err(|e| anyhow!("JWT decode failed: {}", e))
                 .and_then(|res| {
                     fn identical_t<T>(_: &T, _: &T) {}