chore: update crypto deps

[flavio]

WARNING: this code currently doesn't compile

Update "tons" of cryptographic libraries:

• ecdsa
• ed25519
• p256
• p384
• signature

The majority of these libraries broke their API during the upgrade, hence quite some fixes were needed.

Open issues

The code currently doesn't compile because of these errors:

╰─ cargo check
    Checking sigstore v0.6.0 (/home/flavio/hacking/sigstore/sigstore-rs)
error[E0599]: no method named `verify` found for reference `&ed25519_dalek_fiat::PublicKey` in the current scope
   --> src/crypto/verification_key.rs:314:22
    |
314 |                     .verify(msg, &sig)
    |                      ^^^^^^ method not found in `&ed25519_dalek_fiat::PublicKey`
    |
    = help: items from traits can only be used if the trait is in scope
help: the following trait is implemented but not in scope; perhaps add a `use` for it:
    |
16  | use ed25519_dalek_fiat::Verifier;
    |

error[E0599]: no method named `try_sign` found for struct `ed25519_dalek_fiat::Keypair` in the current scope
   --> src/crypto/signing_key/ed25519.rs:310:48
    |
310 |         let signature = self.key_pair.key_pair.try_sign(msg)?;
    |                                                ^^^^^^^^ method not found in `ed25519_dalek_fiat::Keypair`
    |
   ::: /home/flavio/.cargo/registry/src/github.com-1ecc6299db9ec823/signature-1.6.4/src/signer.rs:24:8
    |
24  |     fn try_sign(&self, msg: &[u8]) -> Result<S, Error>;
    |        -------- the method is available for `ed25519_dalek_fiat::Keypair` here
    |
    = help: items from traits can only be used if the trait is in scope
help: the following trait is implemented but not in scope; perhaps add a `use` for it:
    |
63  | use ed25519_dalek_fiat::Signer;
    |

For more information about this error, try `rustc --explain E0599`.
error: could not compile `sigstore` due to 2 previous errors

The main issue is caused by the ed25519-dalek-fiat crate requiring an older version of the ed25519 crate (this PR switches to v2).

I think we are in trouble, the ed25519-dalek-fiat crate has not been maintained in the last 2 years (no new releases). The company behind it, Novi, ceased to exist on Sept 1, 2022 (note the link is a direct redirect from https://novi.com/).

The ed25519-dalek crate hasn't seen a release in 2 years, but it seems to have some activity on GitHub. Unfortunately, even on the main branch this crate depends on version 1 of ed25519. I've tried to update it, but I ended up in a rabbit hole.

@tarcieri : I see you contributed to ed25519-dalek and you're a maintainer of the majority of these crypto libraries that we're attempting to update. Can you help a bit please?

CC @Xynnn007 who worked on this code

[tarcieri]

Hi there! I can answer some of your questions:

I think we are in trouble, the ed25519-dalek-fiat crate has not been maintained in the last 2 years (no new releases).

The fiat-crypto backend has been upstreamed into curve25519-dalek. Here are instructions for using it with the 4.0.0-release series:

https://github.com/dalek-cryptography/curve25519-dalek/#backends

The ed25519-dalek crate hasn't seen a release in 2 years, but it seems to have some activity on GitHub. Unfortunately, even on the main branch this crate depends on version 1 of ed25519.

The changes you're looking for are on the release/2.0 branch: https://github.com/dalek-cryptography/ed25519-dalek/tree/release/2.0

FWIW, I was able to upgrade the ssh-key crate by pulling curve25519-dalek and ed25519-dalek in via git: https://github.com/RustCrypto/SSH/blob/master/Cargo.toml#L11-L13

Here's a tracking issue to release some prerelease crate versions of curve25519-dalek and ed25519-dalek so you don't need to pull them in via git: dalek-cryptography/ed25519-dalek#274

And here's an overall tracking issue for an ed25519-dalek v2.0 release: dalek-cryptography/ed25519-dalek#245

[flavio]

@tarcieri thanks for the feedback. I tried to switch to the not-yet release of ed25519-dalek but I'm facing some errors.

These are the changes I did to our Cargo.toml:

diff --git a/Cargo.toml b/Cargo.toml
index b725e5dfdc..9f939dbf1e 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -49,7 +49,9 @@ ecdsa = { version = "0.15", features = [ "pkcs8", "digest", "der" ] }
 digest = "0.10.3"
 signature = { version = "2.0" }
 ed25519 = { version = "2", features = [ "alloc" ] }
-ed25519-dalek-fiat = "0.1.0"
+ed25519-dalek = { git = "https://github.com/dalek-cryptography/ed25519-dalek", branch = "release/2.0" }
+
 rsa = "0.8"
 pkcs1 = "0.4.0"
 reqwest = { version = "0.11", default-features = false, features = ["json", "multipart"] }
``

Unfortunately `cargo check` fails immediately because of a dependency/feature issue:

```console
╰─ cargo check
    Updating crates.io index
    Updating git repository `https://github.com/dalek-cryptography/ed25519-dalek`
error: failed to select a version for `curve25519-dalek`.
    ... required by package `ed25519-dalek v1.0.1 (https://github.com/dalek-cryptography/ed25519-dalek?branch=release/2.0#928d6d15)`
    ... which satisfies git dependency `ed25519-dalek` of package `sigstore v0.6.0 (/home/flavio/hacking/sigstore/sigstore-rs)`
versions that meet the requirements `=4.0.0-pre.5` are: 4.0.0-pre.5

the package `ed25519-dalek` depends on `curve25519-dalek`, with features: `precomputed-tables` but `curve25519-dalek` does not have these features.


failed to select a version for `curve25519-dalek` which could resolve this conflict

It looks like ed25519-dalek is requiring some features of curve25519-dalek that do not exist, not even inside of its main branch.

I wonder if I'm doing something stupid, or if that's work a bug opened against ed25519-dalek

[tarcieri]

@flavio that seems like you're pulling curve25519-dalek in via the crate release instead of also via git?

Anyway, there's another forthcoming crate release which should help take care of these problems: dalek-cryptography/curve25519-dalek#501

[tarcieri]

@flavio ed25519-dalek v2.0.0-pre.0 has been released: https://crates.io/crates/ed25519-dalek/2.0.0-pre.0

[flavio]

@tarcieri thanks for the update, now everything seems to be working.

I'm changing this PR from draft to "ready to be reviewed".

Please, please.... take a look at that and make sure I didn't do anything stupid 🙏

[Xynnn007]

Hi @flavio , great to see the updates for the cryptos! When I was working on replace x509-parser to x509-cert to get rid of ring, it was needed to use new version of rsa. Fortunately, I can rebase this PR later.

[Xynnn007]

LGTM, thanks and sorry for the delay. There are still some another test needs to be added as convert_ed25519_subject_public_key_to_cosign_verification_key, which I will add in another PR.