search

1Password / passkey-rs

A framework for defining Webauthn Authenticators that support passkeys
Apache License 2.0
116 stars 17 forks source link

Update P256 Version #3

Closed RobbieMcKinstry closed 9 months ago

RobbieMcKinstry commented 12 months ago

I'm creating this issue to suggest updating the version of the p256 crate used by this repository.

The latest version is of p256 is v0.13.2. This repository uses p256 = "^0.10". This particular version is troublesome because of its transitive dependence on signature = ">=1.3.1, <1.5". The 1.5 release of signature introduced a backward-incompatible change, which is why downstream crates have specified a version range capped out at <1.5.

Cargo's dependency resolution algorithm allows multiple major versions of the same crate. Unfortunately, since signature 1.6 introduced a breaking change without bumping the major version number, projects must decide whether to select signature < 1.6 or signature >= 1.6. All dependencies, transitive or direct, must agree on which version range to use for signature. There can be no mix-and-match

From my anecdotal investigation, other crates in the ecosystem have resolved this issue by bumping to >= signature 1.5. For example, ecdsa-core, p256@0.11, and k256.

Steps to Reproduce

To reproduce this issue, we create a new project with passkey and one common cryptographic dependency, and attempt to add them to the same Rust workspace.

  1. cargo new passkey-reproduction && cd passkey-reproduction
  2. cargo add passkey ecdsa@0.14
     Created binary (application) `passkey-reproduction` package
    Updating crates.io index
      Adding passkey v0.1.0 to dependencies.
      Adding ecdsa v0.14 to dependencies.
             Features as of v0.14.4:
             + digest
             - alloc
             - arithmetic
             - der
             - dev
             - hazmat
             - pem
             - pkcs8
             - rfc6979
             - serde
             - serdect
             - sign
             - std
             - verify
    Updating crates.io index
error: failed to select a version for `signature`.
    ... required by package `ecdsa v0.14.4`
    ... which satisfies dependency `ecdsa = "^0.14"` of package `passkey-reproduction v0.1.0 (/Users/robbiemckinstry/workspace/passkey-reproduction)`
versions that meet the requirements `>=1.5, <1.7` are: 1.6.4, 1.6.3, 1.6.2, 1.5.0

all possible versions conflict with previously selected packages.

  previously selected package `signature v1.3.1`
    ... which satisfies dependency `signature = ">=1.3.1, <1.5"` of package `ecdsa v0.13.3`
    ... which satisfies dependency `ecdsa-core = "^0.13"` of package `p256 v0.10.0`
    ... which satisfies dependency `p256 = "^0.10"` of package `passkey-authenticator v0.1.0`
    ... which satisfies dependency `passkey-authenticator = "^0.1.0"` of package `passkey v0.1.0`
    ... which satisfies dependency `passkey = "^0.1.0"` of package `passkey-reproduction v0.1.0 (/Users/robbiemckinstry/workspace/passkey-reproduction)`

failed to select a version for `signature` which could resolve this conflict

I've found a workaround specific to ecdsa, which is to expand the version constraint from ecdsa@0.14 to ecdsa@>=0.14, which installs 0.16.8, but this doesn't work for other ecosystem crates which have opted to use new versions of signature e.g. ethers, k256

Contributions

✨ Please let me know if you're willing to accept a pull request for this issue. ❤️

Progdrasil commented 12 months ago

Hi @RobbieMcKinstry , thanks for flagging this. We are already aware of this issue, because we are affected by it internally as well. Due to some dependency upgrades not interacting very well, we have been working on a way to be able to update these transitive dependencies. It's been a slow process but we should be in a state where we can upgrade it soon.

We would gladly merge any PRs as soon as we're able to accept the changes internally.

RobbieMcKinstry commented 12 months ago

Hi Progdrasil. Thank you for your quick reply! I'm happy to hear this is already on your roadmap! 🚀

I'm working up a PR to bump the version of p256 to v0.13. I've resolved the breaking changes introduced by the migration, and the test suite is green. I have to double-check that this change is sufficient to resolve the issue, and then I'll submit.

I understand if you're not able to merge until you've resolved this issue internally. If that means my PR has to sit for some time, no big deal. Thank you for your time and attention.

(As an aside: I love your product! I've been using 1Password for years now and I've always been very satisfied. ❤️)