Problem
cargo deny / cargo audit flag RUSTSEC-2023-0071 ("Marvin Attack": timing side channel in rsa, potential private-key recovery). Dependency chain:
rsa 0.9.10 -> jsonwebtoken (feature `rust_crypto`) -> structured-proxy
We deliberately ignore this advisory in deny.toml / .cargo/audit.toml rather than change the crypto backend.
Why ignored (current justification)
- No fix exists. Latest rsa on crates.io is 0.10.0-rc (release candidate). In the RustSec DB the advisory has patched: [] and unaffected: [], so there is nothing to upgrade to. The constant-time rewrite in RustCrypto has not shipped stable.
- Backend stays rust_crypto (pure Rust). jsonwebtoken's alternative aws_lc_rs is constant-time and advisory-free, but pulls in aws-lc (C / assembly) = FFI. Pure-Rust consumers (e.g. CoordiNode, ADR-013 "no FFI anywhere") cannot accept that. We keep rust_crypto on purpose.
- Not exploitable on the verify path. structured-proxy only verifies incoming JWTs with a public key (DecodingKey + decode() in src/auth/mod.rs). The Marvin Attack leaks the private key through the timing of private-key operations (decrypt/sign); signature verification uses only the public exponent. There is no RSA private key on the verify path, so the attack is not reachable. (The only EncodingKey/encode usage is inside #[cfg(test)] and uses Ed25519, not RSA.) This justification holds only as long as no RSA EncodingKey is loaded anywhere in this crate; introducing RSA signing (e.g. issuing tokens) reopens the advisory.
Exit criteria
Remove the ignore when any of these holds:
- RustCrypto ships a constant-time rsa stable release that addresses RUSTSEC-2023-0071, and the advisory gets a non-empty patched. Then bump rsa (transitively via jsonwebtoken) and drop the ignore.
- We adopt the aws_lc_rs backend by default (only if the no-FFI constraint is lifted).
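The justification above rests on two facts that can silently stop being true (no RSA private key in the crate; the advisory still unpatched), plus a deny.toml entry that should say why it exists. The following is an added example, not structured-proxy's own tooling: a POSIX shell CI guard that checks all three. It assumes it runs from the crate root, that the deny.toml ignore uses cargo-deny's `{ id = "...", reason = "..." }` entry form, and that a local checkout of the RustSec advisory-db is available for the exit-criteria check; the sample source file, deny.toml and advisory file it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not structured-proxy's own tooling). Guards the
# RUSTSEC-2023-0071 ignore: (1) no RSA *private* key can enter the binary,
# (2) the deny.toml ignore carries a reason, (3) the advisory has not yet
# gained a non-empty `patched` list, which is the exit criterion.
# Assumptions (mine): run from the crate root; a checkout of
# https://github.com/rustsec/advisory-db is available for check (3).

ADVISORY_ID="RUSTSEC-2023-0071"

# jsonwebtoken / rsa constructors that load an RSA private key. DecodingKey
# constructors are deliberately absent: public keys are fine on the verify path.
RSA_PRIVATE_PATTERNS='EncodingKey::from_rsa_pem|EncodingKey::from_rsa_der|RsaPrivateKey'

# rsa_private_key_uses DIR: print offending lines; exit 1 if there are any.
rsa_private_key_uses() {
  hits=$(find "$1" -name '*.rs' -exec grep -nHE "$RSA_PRIVATE_PATTERNS" {} + || true)
  [ -z "$hits" ] && return 0
  printf '%s\n' "$hits"
  return 1
}

# advisory_ignore_justified FILE ID: exit 0 only if FILE ignores ID as a
# `{ id = "...", reason = "..." }` table (cargo-deny accepts that form),
# not as a bare string that explains nothing to the next reader.
advisory_ignore_justified() {
  grep -E "id *= *\"$2\"" "$1" | grep -qE 'reason *= *"[^"]+"'
}

# advisory_has_patch DB_DIR ID: exit 0 if the advisory's TOML front matter
# lists at least one patched version, i.e. the ignore can be dropped.
advisory_has_patch() {
  file=$(find "$1" -name "$2.md" | head -n 1)
  [ -n "$file" ] || { echo "advisory $2 not found under $1" >&2; return 2; }
  # `patched = []` means no fix; anything inside the brackets is a fix.
  grep -E '^patched *= *\[' "$file" | grep -qvE '^patched *= *\[ *\]'
}

# Stand-alone demonstration on a constructed tree (not the real crate).
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/src" "$tmp/advisory-db/crates/rsa"
  cat > "$tmp/src/auth.rs" <<'EOF'
// constructed sample: verify-only, public key in, claims out
use jsonwebtoken::{decode, DecodingKey, Validation};
pub fn verify(tok: &str, pem: &[u8]) -> bool {
    let key = DecodingKey::from_rsa_pem(pem).unwrap();
    decode::<serde_json::Value>(tok, &key, &Validation::default()).is_ok()
}
EOF
  cat > "$tmp/deny.toml" <<'EOF'
[advisories]
ignore = [
  { id = "RUSTSEC-2023-0071", reason = "verify path only: no RSA private key in this crate" },
]
EOF
  # constructed, abridged advisory front matter (fence lines omitted)
  cat > "$tmp/advisory-db/crates/rsa/RUSTSEC-2023-0071.md" <<'EOF'
[advisory]
id = "RUSTSEC-2023-0071"
package = "rsa"

[versions]
patched = []
unaffected = []
EOF
  rsa_private_key_uses "$tmp/src" && echo "ok: no RSA private key under src/"
  advisory_ignore_justified "$tmp/deny.toml" "$ADVISORY_ID" && echo "ok: ignore has a reason"
  advisory_has_patch "$tmp/advisory-db" "$ADVISORY_ID" || echo "still unpatched: keep the ignore"
  rm -rf "$tmp"
}

demo
```

Wire the first two checks into the same CI job that runs cargo deny; the third can run on a schedule against a fresh advisory-db clone and fail loudly the day patched stops being empty, which is exactly when the ignore should be removed.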
Related
rust_crypto default / aws_lc_rs opt-in) so consumers with different requirements can switch without forking.