From b457d01819c2c2f527f48cdc87ff71d49e94b175 Mon Sep 17 00:00:00 2001 From: David Drysdale Date: Wed, 5 Nov 2025 12:45:14 +0000 Subject: [PATCH 1/3] Drop unneeded vec! for test data Triggers new Clippy lint. --- src/cwt/tests.rs | 2 +- src/header/tests.rs | 2 +- src/key/tests.rs | 4 ++-- src/mac/tests.rs | 2 +- src/sign/tests.rs | 20 ++++++++++---------- 5 files changed, 15 insertions(+), 15 deletions(-) diff --git a/src/cwt/tests.rs b/src/cwt/tests.rs index 6f8619b..4b74007 100644 --- a/src/cwt/tests.rs +++ b/src/cwt/tests.rs @@ -20,7 +20,7 @@ use alloc::{borrow::ToOwned, vec}; #[test] fn test_cwt_encode() { - let tests = vec![ + let tests = [ ( ClaimsSet { issuer: Some("abc".to_owned()), diff --git a/src/header/tests.rs b/src/header/tests.rs index 7ceb1d4..eb694c2 100644 --- a/src/header/tests.rs +++ b/src/header/tests.rs @@ -20,7 +20,7 @@ use alloc::{borrow::ToOwned, vec}; #[test] fn test_header_encode() { - let tests = vec![ + let tests = [ ( Header { alg: Some(Algorithm::Assigned(iana::Algorithm::A128GCM)), diff --git a/src/key/tests.rs b/src/key/tests.rs index 9ba84ed..e5ae55e 100644 --- a/src/key/tests.rs +++ b/src/key/tests.rs @@ -231,7 +231,7 @@ fn test_cose_key_encode() { fn test_rfc8152_public_cose_key_decode() { // Public keys from RFC8152 section 6.7.1. // Note that map contents have been reordered into canonical order. - let tests = vec![ + let tests = [ ( CoseKeyBuilder::new_ec2_pub_key( iana::EllipticCurve::P_256, @@ -313,7 +313,7 @@ fn test_rfc8152_public_cose_key_decode() { fn test_rfc8152_private_cose_key_decode() { // Private keys from RFC8152 section 6.7.2. // Note that map contents have been reordered into canonical order. - let tests = vec![ + let tests = [ ( CoseKeyBuilder::new_ec2_priv_key( iana::EllipticCurve::P_256, diff --git a/src/mac/tests.rs b/src/mac/tests.rs index d3ae253..26016d7 100644 --- a/src/mac/tests.rs +++ b/src/mac/tests.rs 
@@ -67,7 +67,7 @@ fn test_cose_mac_decode() { #[test] fn test_cose_mac_decode_fail() { - let tests = vec![ + let tests = [ ( concat!( "a2", // 2-map (should be tuple) diff --git a/src/sign/tests.rs b/src/sign/tests.rs index 0575711..545643f 100644 --- a/src/sign/tests.rs +++ b/src/sign/tests.rs @@ -27,7 +27,7 @@ use alloc::{ #[test] fn test_cose_signature_encode() { - let tests = vec![ + let tests = [ ( CoseSignature::default(), concat!( @@ -125,7 +125,7 @@ fn test_cose_signature_decode_noncanonical() { #[test] fn test_cose_signature_decode_fail() { - let tests = vec![ + let tests = [ ( concat!( "a2", // 2-map @@ -269,7 +269,7 @@ fn test_cose_signature_builder() { #[test] fn test_cose_sign_encode() { - let tests = vec![ + let tests = [ ( CoseSign::default(), concat!( @@ -509,7 +509,7 @@ fn test_cose_sign_decode_fail() { #[test] fn test_cose_sign_tagged_decode_fail() { - let tests = vec![ + let tests = [ ( concat!( "d862", // tag(98) @@ -595,7 +595,7 @@ fn test_cose_sign_tagged_decode_fail() { #[test] fn test_rfc8152_cose_sign_decode() { // COSE_Sign structures from RFC 8152 section C.1. - let tests = vec![ + let tests = [ ( // C.1.1: Single Signature CoseSignBuilder::new() @@ -757,7 +757,7 @@ fn test_rfc8152_cose_sign_decode() { #[test] fn test_cose_sign1_encode() { - let tests = vec![ + let tests = [ ( CoseSign1Builder::new().payload(vec![]).build(), concat!( @@ -843,7 +843,7 @@ fn test_cose_sign1_encode() { #[test] fn test_cose_sign1_decode_fail() { - let tests = vec![ + let tests = [ ( concat!( "a2", // 2-map @@ -936,7 +936,7 @@ fn test_cose_sign1_decode_fail() { #[test] fn test_cose_sign1_decode_noncanonical() { - let tests = vec![( + let tests = [( CoseSign1Builder::new() .protected( HeaderBuilder::new() @@ -978,7 +978,7 @@ fn test_cose_sign1_decode_noncanonical() { #[test] fn test_cose_sign1_tagged_decode_fail() { - let tests = vec![ + let tests = [ ( concat!( "d2", // tag(18) 
@@ -1060,7 +1060,7 @@ fn test_cose_sign1_tagged_decode_fail() { #[test] fn test_rfc8152_cose_sign1_decode() { // COSE_Sign1 structures from RFC 8152 section C.2. - let tests = vec![ + let tests = [ ( CoseSign1Builder::new() .protected(HeaderBuilder::new().algorithm(iana::Algorithm::ES256).build()) From 94f6c1b4b7ae16424211a5c3a99cb05c47cb8a8d Mon Sep 17 00:00:00 2001 From: David Drysdale Date: Tue, 4 Nov 2025 15:47:32 +0000 Subject: [PATCH 2/3] iana: add COSE algorithms from RFC 9864 --- src/iana/mod.rs | 42 ++++++++++++++++++++++++++++++------------ 1 file changed, 30 insertions(+), 12 deletions(-) diff --git a/src/iana/mod.rs b/src/iana/mod.rs index fbe41cf..d2ada91 100644 --- a/src/iana/mod.rs +++ b/src/iana/mod.rs @@ -230,22 +230,30 @@ iana_registry! { /// IANA-registered COSE algorithms. /// /// From IANA registry - /// as of 2025-09-13. + /// as of 2025-11-06. Algorithm { - /// RSASSA-PKCS1-v1_5 using SHA-1 + /// RSASSA-PKCS1-v1_5 using SHA-1 (deprecated) RS1: -65535, - /// AES-CTR with 128-bit key + /// AES-CTR with 128-bit key (deprecated) AesCtr128: -65534, - /// AES-CTR with 192-bit key + /// AES-CTR with 192-bit key (deprecated) AesCtr192: -65533, - /// AES-CTR with 256-bit key + /// AES-CTR with 256-bit key (deprecated) AesCtr256: -65532, - /// AES-CBC with 128-bit key + /// AES-CBC with 128-bit key (deprecated) AesCbc128: -65531, - /// AES-CBC with 192-bit key + /// AES-CBC with 192-bit key (deprecated) AesCbc192: -65530, - /// AES-CBC with 256-bit key + /// AES-CBC with 256-bit key (deprecated) AesCbc256: -65529, + /// ECDSA using BrainpoolP512r1 curve and SHA-512 + ESB512: -268, + /// ECDSA using BrainpoolP384r1 curve and SHA-384 + ESB384: -267, + /// ECDSA using BrainpoolP320r1 curve and SHA-384 + ESB320: -266, + /// ECDSA using BrainpoolP256r1 curve and SHA-256 + ESB256: -265, /// WalnutDSA signature WalnutDSA: -260, /// RSASSA-PKCS1-v1_5 using SHA-512 
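Review bot: In src/iana/mod.rs the `(deprecated)` status added to `RS1` and the `AesCtr*`/`AesCbc*` entries (this hunk) and to `ES512`, `ES384`, `EdDSA` and `ES256` (the hunks at -282 and -324) exists only as doc-comment text, so code that still selects one of these algorithms compiles without any warning. If `iana_registry!` forwards attributes to the generated variants (its definition is not visible in this patch), `#[deprecated(note = "...")]` would make the status enforceable; the crate's own tests use `iana::Algorithm::ES256`, so they would then need `#[allow(deprecated)]`. Failing that, name the successor in the doc line, e.g. `/// ECDSA w/ SHA-256 (deprecated, prefer ESP256)` and `/// EdDSA (deprecated, prefer Ed25519 or Ed448)`. The `Algorithm { … }` block starts and ends outside the hunk.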
@@ -254,6 +262,12 @@ iana_registry! { RS384: -258, /// RSASSA-PKCS1-v1_5 using SHA-256 RS256: -257, + /// EdDSA using the Ed448 parameter set in Section 5.2 of RFC8032 + Ed448: -53, + /// ECDSA using P-521 curve and SHA-512 + ESP512: -52, + /// ECDSA using P-384 curve and SHA-384 + ESP384: -51, /// ML-DSA-87 ML_DSA_87: -50, /// ML-DSA-65 @@ -282,9 +296,9 @@ iana_registry! { PS384: -38, /// RSASSA-PSS w/ SHA-256 PS256: -37, - /// ECDSA w/ SHA-512 + /// ECDSA w/ SHA-512 (deprecated) ES512: -36, - /// ECDSA w/ SHA-384 + /// ECDSA w/ SHA-384 (deprecated) ES384: -35, /// ECDH SS w/ Concat KDF and AES Key Wrap w/ 256-bit key ECDH_SS_A256KW: -34, @@ -306,6 +320,8 @@ iana_registry! { ECDH_ES_HKDF_512: -26, /// ECDH ES w/ HKDF - generate key directly ECDH_ES_HKDF_256: -25, + /// EdDSA using the Ed25519 parameter set in Section 5.1 of RFC8032 + Ed25519: -19, /// SHAKE-128 256-bit Hash Value SHAKE128: -18, /// SHA-2 512-bit Hash truncated to 256-bits @@ -324,9 +340,11 @@ iana_registry! { Direct_HKDF_SHA_512: -11, /// Shared secret w/ HKDF and SHA-256 Direct_HKDF_SHA_256: -10, - /// EdDSA + /// ECDSA using P-256 curve and SHA-256 + ESP256: -9, + /// EdDSA (deprecated) EdDSA: -8, - /// ECDSA w/ SHA-256 + /// ECDSA w/ SHA-256 (deprecated) ES256: -7, /// Direct use of CEK Direct: -6, From 246d731010601b243a3c8704a1d42960c01c93d3 Mon Sep 17 00:00:00 2001 From: David Drysdale Date: Mon, 10 Nov 2025 07:05:28 +0000 Subject: [PATCH 3/3] ci: use more recent nightly Also updae cargo-deny cargo-udeps versions --- .github/workflows/ci.yml | 22 +++++++++++----------- deny.toml | 6 ++---- 2 files changed, 13 insertions(+), 15 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e898190..cb10811 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
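Review bot: The nine code points this patch adds to `Algorithm` in src/iana/mod.rs (`ESB256` to `ESB512`, `ESP256`/`ESP384`/`ESP512`, `Ed25519`, `Ed448`) come with no test; the diffstat for the patch lists only `src/iana/mod.rs`. These numbers identify the signature algorithm on the wire, and several sit beside similar-looking neighbours (`ESP256: -9` next to `EdDSA: -8` and `ES256: -7`), so a transposed value would not be caught by the compiler. A small table-driven test that round-trips each new variant through whatever integer conversion `iana_registry!` generates would pin them to the registry. Separately, new variants break downstream exhaustive `match`es unless the generated enum is `#[non_exhaustive]`, which cannot be checked from this patch.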
@@ -18,7 +18,7 @@ jobs: rust: - stable - beta - - nightly-2023-04-01 + - nightly-2025-04-01 steps: - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - uses: dtolnay/rust-toolchain@a3ac054b2e7d62f514aa1bd57e3508c522fe772d # 1.68.2 @@ -35,7 +35,7 @@ jobs: rust: - stable - beta - - nightly-2023-04-01 + - nightly-2025-04-01 steps: - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 with: @@ -54,7 +54,7 @@ jobs: rust: - stable - beta - - nightly-2023-04-01 + - nightly-2025-04-01 steps: - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 with: @@ -77,7 +77,7 @@ jobs: rust: - stable - beta - - nightly-2023-04-01 + - nightly-2025-04-01 steps: - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - uses: dtolnay/rust-toolchain@a3ac054b2e7d62f514aa1bd57e3508c522fe772d # 1.68.2 @@ -120,9 +120,9 @@ jobs: - run: gem install mdl - uses: dtolnay/rust-toolchain@a3ac054b2e7d62f514aa1bd57e3508c522fe772d # 1.68.2 with: - toolchain: nightly-2023-04-01 + toolchain: nightly-2025-04-01 components: rustfmt - - run: cargo +nightly-2023-04-01 fmt --all -- --check + - run: cargo +nightly-2025-04-01 fmt --all -- --check - run: scripts/check-format.sh clippy: @@ -151,10 +151,10 @@ jobs: - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - uses: dtolnay/rust-toolchain@a3ac054b2e7d62f514aa1bd57e3508c522fe772d # 1.68.2 with: - toolchain: nightly-2023-04-01 + toolchain: nightly-2025-04-01 components: rustfmt - - run: cargo +nightly-2023-04-01 install --locked --version 0.1.39 cargo-udeps - - run: cargo +nightly-2023-04-01 udeps + - run: cargo +nightly-2025-04-01 install --locked --version 0.1.59 cargo-udeps + - run: cargo +nightly-2025-04-01 udeps deny: runs-on: ubuntu-latest 
@@ -162,9 +162,9 @@ jobs: - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - uses: dtolnay/rust-toolchain@a3ac054b2e7d62f514aa1bd57e3508c522fe772d # 1.68.2 with: - toolchain: nightly-2023-04-01 + toolchain: stable components: rustfmt - - run: cargo +nightly-2023-04-01 install --locked --version 0.13.9 cargo-deny + - run: cargo install --locked --version 0.18.5 cargo-deny - run: cargo deny check coverage: diff --git a/deny.toml b/deny.toml index 849416c..785ed07 100644 --- a/deny.toml +++ b/deny.toml @@ -2,6 +2,7 @@ # # For further details on all configuration options see: # https://embarkstudios.github.io/cargo-deny/checks/cfg.html +[graph] targets = [ { triple = "x86_64-unknown-linux-gnu" }, { triple = "x86_64-apple-darwin" }, @@ -10,10 +11,8 @@ targets = [ # Deny all advisories unless explicitly ignored. [advisories] -vulnerability = "deny" -unmaintained = "deny" +unmaintained = "all" yanked = "deny" -notice = "deny" ignore = [] # Deny multiple versions unless explicitly skipped. @@ -29,4 +28,3 @@ allow = [ "Apache-2.0", "MIT", ] -copyleft = "deny"
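Review bot: In deny.toml the `[advisories]` hunk drops `vulnerability = "deny"` and `notice = "deny"`, and the last hunk drops `copyleft = "deny"`, with no comment saying why, so the diff reads as a loosened supply-chain gate. As far as I know, the cargo-deny release installed in ci.yml (0.18.5) no longer accepts these keys and always fails on vulnerability advisories and on licenses outside `allow`, so the policy should be unchanged; please confirm against the config docs linked at the top of the file. A one-line comment would record that for the next audit, e.g. `# vulnerability advisories always fail in current cargo-deny; unmaintained = "all" also covers transitive crates`.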