Raise MSRV to 1.63.0 (#9043)

.github/workflows/ci.yml

@@ -49,11 +49,10 @@ jobs:
           - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "a1c87f64dd6d6b0f1c8b276dc415f69e1102f930"}}
           # Builds with various Rust versions. Includes MSRV and next
           # potential future MSRV:
-          # 1.60 - pem 2.0.1, once_cell 1.18.0
           # 1.64 - maturin
           # 1.65 - Generic associated types (GATs)
-          - {VERSION: "3.11", NOXSESSION: "tests-nocoverage", RUST: "1.56.0"}
-          - {VERSION: "3.11", NOXSESSION: "rust,tests", RUST: "1.60.0"}
+          - {VERSION: "3.11", NOXSESSION: "rust,tests", RUST: "1.63.0"}
+          - {VERSION: "3.11", NOXSESSION: "rust,tests", RUST: "1.64.0"}
           - {VERSION: "3.11", NOXSESSION: "rust,tests", RUST: "beta"}
           - {VERSION: "3.11", NOXSESSION: "rust,tests", RUST: "nightly"}
     timeout-minutes: 15

CHANGELOG.rst

@@ -10,6 +10,7 @@ Changelog
 
 * Parsing SSH certificates no longer permits malformed critical options with
   values, as documented in the 41.0.2 release notes.
+* Updated the minimum supported Rust version (MSRV) to 1.63.0, from 1.56.0.
 
 .. _v41-0-3:
 

docs/installation.rst

@@ -105,7 +105,7 @@ Alpine
 
 .. warning::
 
-    The Rust available by default in Alpine < 3.15 is older than the minimum
+    The Rust available by default in Alpine < 3.17 is older than the minimum
     supported version. See the :ref:`Rust installation instructions
     <installation:Rust>` for information about installing a newer Rust.
 
@@ -134,8 +134,8 @@ Fedora/RHEL/CentOS
 
 .. warning::
 
-    For RHEL and CentOS you must be on version 8.6 or newer for the command
-    below to install a sufficiently new Rust. If your Rust is less than 1.56.0
+    For RHEL and CentOS you must be on version 8.8 or newer for the command
+    below to install a sufficiently new Rust. If your Rust is less than 1.63.0
     please see the :ref:`Rust installation instructions <installation:Rust>`
     for information about installing a newer Rust.
 
@@ -313,7 +313,7 @@ Rust
     a Rust toolchain.
 
 Building ``cryptography`` requires having a working Rust toolchain. The current
-minimum supported Rust version is 1.56.0. **This is newer than the Rust some
+minimum supported Rust version is 1.63.0. **This is newer than the Rust some
 package managers ship**, so users may need to install with the
 instructions below.
 

setup.py

@@ -54,7 +54,7 @@
                 "cryptography.hazmat.bindings._rust",
                 "src/rust/Cargo.toml",
                 py_limited_api=True,
-                rust_version=">=1.56.0",
+                rust_version=">=1.63.0",
             )
         ],
     )

src/rust/Cargo.toml

@@ -5,7 +5,7 @@ authors = ["The cryptography developers <[email protected]>"]
 edition = "2021"
 publish = false
 # This specifies the MSRV
-rust-version = "1.56.0"
+rust-version = "1.63.0"
 
 [dependencies]
 once_cell = "1"
@@ -14,7 +14,7 @@ asn1 = { version = "0.15.4", default-features = false }
 cryptography-cffi = { path = "cryptography-cffi" }
 cryptography-x509 = { path = "cryptography-x509" }
 cryptography-openssl = { path = "cryptography-openssl" }
-pem = "1.1"
+pem = { version = "3", default-features = false }
 openssl = "0.10.55"
 openssl-sys = "0.9.90"
 foreign-types-shared = "0.1"

src/rust/cryptography-cffi/Cargo.toml

@@ -5,7 +5,7 @@ authors = ["The cryptography developers <[email protected]>"]
 edition = "2021"
 publish = false
 # This specifies the MSRV
-rust-version = "1.56.0"
+rust-version = "1.63.0"
 
 [dependencies]
 pyo3 = { version = "0.19", features = ["abi3-py37"] }

src/rust/cryptography-openssl/Cargo.toml

@@ -5,7 +5,7 @@ authors = ["The cryptography developers <[email protected]>"]
 edition = "2021"
 publish = false
 # This specifies the MSRV
-rust-version = "1.56.0"
+rust-version = "1.63.0"
 
 [dependencies]
 openssl = "0.10.55"

src/rust/cryptography-x509-validation/Cargo.toml

@@ -5,7 +5,7 @@ authors = ["The cryptography developers <[email protected]>"]
 edition = "2021"
 publish = false
 # This specifies the MSRV
-rust-version = "1.56.0"
+rust-version = "1.63.0"
 
 [dependencies]
 asn1 = { version = "0.15.0", default-features = false }

src/rust/cryptography-x509/Cargo.toml

@@ -5,7 +5,7 @@ authors = ["The cryptography developers <[email protected]>"]
 edition = "2021"
 publish = false
 # This specifies the MSRV
-rust-version = "1.56.0"
+rust-version = "1.63.0"
 
 [dependencies]
 asn1 = { version = "0.15.4", default-features = false }

src/rust/cryptography-x509/src/crl.rs

@@ -11,7 +11,7 @@ use crate::{
 pub type ReasonFlags<'a> =
     Option<common::Asn1ReadableOrWritable<'a, asn1::BitString<'a>, asn1::OwnedBitString>>;
 
-#[derive(asn1::Asn1Read, asn1::Asn1Write, PartialEq, Hash)]
+#[derive(asn1::Asn1Read, asn1::Asn1Write, PartialEq, Eq, Hash)]
 pub struct CertificateRevocationList<'a> {
     pub tbs_cert_list: TBSCertList<'a>,
     pub signature_algorithm: common::AlgorithmIdentifier<'a>,
@@ -26,7 +26,7 @@ pub type RevokedCertificates<'a> = Option<
     >,
 >;
 
-#[derive(asn1::Asn1Read, asn1::Asn1Write, PartialEq, Hash)]
+#[derive(asn1::Asn1Read, asn1::Asn1Write, PartialEq, Eq, Hash)]
 pub struct TBSCertList<'a> {
     pub version: Option<u8>,
     pub signature: common::AlgorithmIdentifier<'a>,
@@ -38,7 +38,7 @@ pub struct TBSCertList<'a> {
     pub raw_crl_extensions: Option<extensions::RawExtensions<'a>>,
 }
 
-#[derive(asn1::Asn1Read, asn1::Asn1Write, PartialEq, Hash, Clone)]
+#[derive(asn1::Asn1Read, asn1::Asn1Write, PartialEq, Eq, Hash, Clone)]
 pub struct RevokedCertificate<'a> {
     pub user_certificate: asn1::BigUint<'a>,
     pub revocation_date: common::Time,

src/rust/cryptography-x509/src/lib.rs

@@ -3,8 +3,6 @@
 // for complete details.
 
 #![forbid(unsafe_code)]
-// These can be removed once our MSRV is >1.60
-#![allow(renamed_and_removed_lints, clippy::eval_order_dependence)]
 
 pub mod certificate;
 pub mod common;

src/rust/cryptography-x509/src/name.rs

@@ -43,7 +43,7 @@ impl<'a> asn1::SimpleAsn1Writable for UnvalidatedIA5String<'a> {
     }
 }
 
-#[derive(asn1::Asn1Read, asn1::Asn1Write, PartialEq, Hash)]
+#[derive(asn1::Asn1Read, asn1::Asn1Write, PartialEq, Eq, Hash)]
 pub struct OtherName<'a> {
     pub type_id: asn1::ObjectIdentifier,
     #[explicit(0, required)]

src/rust/src/asn1.rs

@@ -104,13 +104,8 @@ pub(crate) fn encode_der_data<'p>(
         Ok(pyo3::types::PyBytes::new(
             py,
             &pem::encode_config(
-                &pem::Pem {
-                    tag: pem_tag,
-                    contents: data,
-                },
-                pem::EncodeConfig {
-                    line_ending: pem::LineEnding::LF,
-                },
+                &pem::Pem::new(pem_tag, data),
+                pem::EncodeConfig::new().set_line_ending(pem::LineEnding::LF),
             )
             .into_bytes(),
         ))

src/rust/src/backend/dh.rs

@@ -83,11 +83,11 @@ fn from_der_parameters(data: &[u8]) -> CryptographyResult<DHParameters> {
 fn from_pem_parameters(data: &[u8]) -> CryptographyResult<DHParameters> {
     let parsed = x509::find_in_pem(
         data,
-        |p| p.tag == "DH PARAMETERS" || p.tag == "X9.42 DH PARAMETERS",
+        |p| p.tag() == "DH PARAMETERS" || p.tag() == "X9.42 DH PARAMETERS",
         "Valid PEM but no BEGIN DH PARAMETERS/END DH PARAMETERS delimiters. Are you sure this is a DH parameters?",
     )?;
 
-    from_der_parameters(&parsed.contents)
+    from_der_parameters(parsed.contents())
 }
 
 fn dh_parameters_from_numbers(

src/rust/src/x509/certificate.rs

@@ -334,12 +334,12 @@ fn load_pem_x509_certificate(py: pyo3::Python<'_>, data: &[u8]) -> CryptographyR
     // https://github.com/openssl/openssl/blob/5e2d22d53ed322a7124e26a4fbd116a8210eb77a/include/openssl/pem.h#L32-L33
     let parsed = x509::find_in_pem(
         data,
-        |p| p.tag == "CERTIFICATE" || p.tag == "X509 CERTIFICATE",
+        |p| p.tag() == "CERTIFICATE" || p.tag() == "X509 CERTIFICATE",
         "Valid PEM but no BEGIN CERTIFICATE/END CERTIFICATE delimiters. Are you sure this is a certificate?",
     )?;
     load_der_x509_certificate(
         py,
-        pyo3::types::PyBytes::new(py, &parsed.contents).into_py(py),
+        pyo3::types::PyBytes::new(py, parsed.contents()).into_py(py),
     )
 }
 
@@ -350,9 +350,9 @@ fn load_pem_x509_certificates(
 ) -> CryptographyResult<Vec<Certificate>> {
     let certs = pem::parse_many(data)?
         .iter()
-        .filter(|p| p.tag == "CERTIFICATE" || p.tag == "X509 CERTIFICATE")
+        .filter(|p| p.tag() == "CERTIFICATE" || p.tag() == "X509 CERTIFICATE")
         .map(|p| {
-            load_der_x509_certificate(py, pyo3::types::PyBytes::new(py, &p.contents).into_py(py))
+            load_der_x509_certificate(py, pyo3::types::PyBytes::new(py, p.contents()).into_py(py))
         })
         .collect::<Result<Vec<_>, _>>()?;
 

src/rust/src/x509/crl.rs

@@ -54,12 +54,12 @@ fn load_pem_x509_crl(
 ) -> Result<CertificateRevocationList, CryptographyError> {
     let block = x509::find_in_pem(
         data,
-        |p| p.tag == "X509 CRL",
+        |p| p.tag() == "X509 CRL",
         "Valid PEM but no BEGIN X509 CRL/END X509 delimiters. Are you sure this is a CRL?",
     )?;
     load_der_x509_crl(
         py,
-        pyo3::types::PyBytes::new(py, &block.contents).into_py(py),
+        pyo3::types::PyBytes::new(py, block.contents()).into_py(py),
     )
 }
 

src/rust/src/x509/csr.rs

@@ -254,12 +254,12 @@ fn load_pem_x509_csr(
     // https://github.com/openssl/openssl/blob/5e2d22d53ed322a7124e26a4fbd116a8210eb77a/include/openssl/pem.h#L35-L36
     let parsed = x509::find_in_pem(
         data,
-        |p| p.tag == "CERTIFICATE REQUEST" || p.tag == "NEW CERTIFICATE REQUEST",
+        |p| p.tag() == "CERTIFICATE REQUEST" || p.tag() == "NEW CERTIFICATE REQUEST",
         "Valid PEM but no BEGIN CERTIFICATE REQUEST/END CERTIFICATE REQUEST delimiters. Are you sure this is a CSR?",
     )?;
     load_der_x509_csr(
         py,
-        pyo3::types::PyBytes::new(py, &parsed.contents).into_py(py),
+        pyo3::types::PyBytes::new(py, parsed.contents()).into_py(py),
     )
 }