bump rcgen to 0.14.2 #3733

Merged
merged 1 commit into from
Jul 16, 2025
Bravo555
Contributor

Proposed changes

Recent versions of rcgen contain nice features, so I decided to bump the crate and fix all breaking changes first before our usage of it is expanded by the pkcs11 create key PR.

Relevant features:

  • 0.13.0
    • P521 support
    • The API used to create/issue key pairs, certificates, certificate signing requests (CSRs), and certificate revocation lists (CRLs) has been restructured to emphasize consistency and avoid common errors with serialization. (better to fix breaking changes ASAP)
    • Support for using aws-lc-rs in fips mode
  • 0.13.1
    • Several improvements to the capabilities available when working with certificate signing requests
      • Enable signing without private key
  • 0.14.0
    • better remote signing API (RemoteKeyPair changed to SigningKey)

Also, we'd like to move from RSA PKCS#1 v1.5, which is vulnerable to the Marvin Attack, to RSA PSS signatures for signing the CSRs, which new versions of rcgen may add in the future.

Types of changes

  • Bugfix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Improvement (general improvements like code refactoring that doesn't explicitly fix a bug or add any new functionality)
  • Documentation Update (if none of the other choices apply)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)

Paste Link to the issue


Checklist

  • I have read the CONTRIBUTING doc
  • I have signed the CLA (in all commits with git commit -s. You can activate automatic signing by running just prepare-dev once)
  • I ran just format as mentioned in CODING_GUIDELINES
  • I used just check as mentioned in CODING_GUIDELINES
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation (if appropriate)

Further comments

Recent versions of rcgen contain nice features, so I decided to bump the
crate and fix all breaking changes first before our usage of it is
expanded by the pkcs11 create key PR.

Relevant features:
- `0.13.0`
	- P521 support
	- only supports RSA PKCS#1 v1.5, which is vulnerable to [Marvin
	Attack](https://people.redhat.com/~hkario/marvin/), new versions of
	`rcgen` might have RSA PSS signatures added in the future
	- The API used to create/issue key pairs, certificates, certificate
	signing requests (CSRs), and certificate revocation lists (CRLs) has
	been restructured to emphasize consistency and avoid common errors
	with serialization. (better to fix breaking changes ASAP)
	- Support for using `aws-lc-rs` in `fips` mode
- `0.13.1`
	- Several improvements to the capabilities available when working
	with certificate signing requests
		- Enable signing without private key
- `0.14.0`
	- better remote signing API (`RemoteKeyPair` changed to
	`SigningKey`)

Signed-off-by: Marcel Guzik <marcel.guzik@cumulocity.com>
@Bravo555 Bravo555 temporarily deployed to Test Pull Request July 15, 2025 16:39 — with GitHub Actions Inactive
@Bravo555 Bravo555 added the dependencies Pull requests that update a dependency file label Jul 15, 2025
codecov bot commented Jul 15, 2025

Codecov Report

Attention: Patch coverage is 80.19802% with 20 lines in your changes missing coverage. Please review.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| crates/common/certificate/src/lib.rs | 74.60% | 10 Missing and 6 partials ⚠️ |
| crates/core/tedge_agent/src/http_server/actor.rs | 73.33% | 0 Missing and 4 partials ⚠️ |
Contributor

Robot Results

| ✅ Passed | ❌ Failed | ⏭️ Skipped | Total | Pass % | ⏱️ Duration |
|---|---|---|---|---|---|
| 666 | 0 | 3 | 666 | 100 | 1h50m19.304957999s |

Comment on lines +249 to +254
pub struct KeyCertPair {
certificate: rcgen::Certificate,
// in rcgen 0.14 params are necessary to generate the CSR
params: rcgen::CertificateParams,
signing_key: SigningKeyWrapper,
}
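Review bot: nothing on this struct says which of its three fields may hold private key material; the only comment, on `params`, explains why that field exists. If `signing_key` is meant to be the one field that can carry a private key, a short doc comment saying so, plus turning the `//` line on `params` into a `///` doc comment, would keep that split visible to whoever adds the next field.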
Contributor

Just to confirm.

Previously, the certificate was protected under Zeroizing. Now this protection has been narrowed under the signing_key in the case there is actually a private key in memory. This makes sense. However, can you confirm that, with version 0.14, rcgen::Certificate no longer contains data to zeroize on drop?

Contributor Author

Indeed, wrapping rcgen::Certificate with Zeroizing<> generates the following error:

error[E0277]: the trait bound `rcgen::Certificate: zeroize::DefaultIsZeroes` is not satisfied
   --> crates/common/certificate/src/lib.rs:250:18
    |
250 |     certificate: Zeroizing<rcgen::Certificate>,
    |                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ the trait `zeroize::DefaultIsZeroes` is not implemented for `rcgen::Certificate`
    |

And in 0.14 only rcgen::KeyPair implements Zeroize, which makes sense because it's the only thing holding sensitive data.
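
The split discussed in this thread (only the key type is wipeable, so only it can sit behind `Zeroizing`), as an added std-only example that is not code from this PR, thin-edge or rcgen. `Zeroize`, `Zeroizing`, `KeyBytes`, `CertDer` and `wiped_in_place` are hypothetical stand-ins for the `zeroize` crate's trait and wrapper and for rcgen's key and certificate types; the byte strings are constructed.

```rust
// Hypothetical std-only stand-in for the `zeroize::Zeroize` trait.
trait Zeroize {
    fn zeroize(&mut self);
}

// Private key bytes (constructed type): the only type that opts in to wiping.
struct KeyBytes(Vec<u8>);

impl Zeroize for KeyBytes {
    fn zeroize(&mut self) {
        for b in self.0.iter_mut() {
            // Volatile store so the wipe is not removed as a dead write.
            unsafe { std::ptr::write_volatile(b, 0) };
        }
        std::sync::atomic::compiler_fence(std::sync::atomic::Ordering::SeqCst);
    }
}

// Stand-in for `zeroize::Zeroizing`: wipes the inner value on drop.
struct Zeroizing<T: Zeroize>(T);

impl<T: Zeroize> Drop for Zeroizing<T> {
    fn drop(&mut self) {
        self.0.zeroize();
    }
}

// Public certificate bytes: deliberately no `Zeroize` impl.
struct CertDer(Vec<u8>);

// Same split as the struct under review: only the key is wrapped.
struct KeyCertPair {
    certificate: CertDer, // `Zeroizing<CertDer>` here fails the `T: Zeroize` bound
    signing_key: Zeroizing<KeyBytes>,
}

// Wipe a key in place; true if the length is kept and every byte is zero.
fn wiped_in_place(secret: &[u8]) -> bool {
    let mut key = KeyBytes(secret.to_vec());
    key.zeroize();
    key.0.len() == secret.len() && key.0.iter().all(|&b| b == 0)
}

fn main() {
    let pair = KeyCertPair {
        certificate: CertDer(b"constructed public DER".to_vec()),
        signing_key: Zeroizing(KeyBytes(b"constructed secret".to_vec())),
    };
    println!("cert len {}", pair.certificate.0.len());
    println!("wipe ok {}", wiped_in_place(b"constructed secret"));
} // `pair` dropped here: signing_key is wiped, certificate is left alone
```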

Contributor

@didier-wenzek didier-wenzek left a comment

Approved

@Bravo555 Bravo555 added this pull request to the merge queue Jul 16, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Jul 16, 2025
@Bravo555 Bravo555 added this pull request to the merge queue Jul 16, 2025
Merged via the queue into thin-edge:main with commit 9bd2b37 Jul 16, 2025
34 checks passed
@Bravo555 Bravo555 deleted the improve/rcgen-bump branch July 16, 2025 10:17