Merge pull request #1421 from zcash/dep-bip32

Migrate from `hdwallet` to `bip32`

Cargo.toml

@@ -62,9 +62,9 @@ orchard = { version = "0.8.0", default-features = false }
 pasta_curves = "0.5"
 
 # - Transparent
-hdwallet = "0.4"
+bip32 = { version = "0.5", default-features = false, features = ["secp256k1-ffi"] }
 ripemd = "0.1"
-secp256k1 = "0.26"
+secp256k1 = "0.27"
 
 # CSPRNG
 rand = "0.8"

supply-chain/audits.toml

@@ -22,6 +22,15 @@ who = "Daira-Emma Hopwood <daira@jacaranda.org>"
 criteria = "safe-to-deploy"
 delta = "1.2.0 -> 1.3.0"
 
+[[audits.bip32]]
+who = "Jack Grigg <jack@electriccoin.co>"
+criteria = "safe-to-deploy"
+version = "0.5.1"
+notes = """
+- Crate has no unsafe code, and sets `#![forbid(unsafe_code)]`.
+- Crate has no powerful imports. Only filesystem acces is via `include_str!`, and is safe.
+"""
+
 [[audits.bytemuck]]
 who = "Daira-Emma Hopwood <daira@jacaranda.org>"
 criteria = "safe-to-run"
@@ -249,6 +258,11 @@ who = "Daira-Emma Hopwood <daira@jacaranda.org>"
 criteria = "safe-to-run"
 delta = "1.0.17 -> 1.0.18"
 
+[[audits.secp256k1]]
+who = "Jack Grigg <jack@electriccoin.co>"
+criteria = ["safe-to-deploy", "crypto-reviewed"]
+delta = "0.26.0 -> 0.27.0"
+
 [[audits.serde]]
 who = "Daira-Emma Hopwood <daira@jacaranda.org>"
 criteria = "safe-to-deploy"

supply-chain/config.toml

@@ -308,10 +308,6 @@ criteria = "safe-to-deploy"
 version = "0.8.4"
 criteria = "safe-to-deploy"
 
-[[exemptions.hdwallet]]
-version = "0.4.1"
-criteria = "safe-to-deploy"
-
 [[exemptions.hermit-abi]]
 version = "0.3.3"
 criteria = "safe-to-deploy"
@@ -358,7 +354,7 @@ criteria = "safe-to-deploy"
 
 [[exemptions.js-sys]]
 version = "0.3.65"
-criteria = "safe-to-deploy"
+criteria = "safe-to-run"
 
 [[exemptions.jubjub]]
 version = "0.10.0"
@@ -552,10 +548,6 @@ criteria = "safe-to-deploy"
 version = "0.8.37"
 criteria = "safe-to-run"
 
-[[exemptions.ring]]
-version = "0.16.20"
-criteria = "safe-to-deploy"
-
 [[exemptions.ring]]
 version = "0.17.8"
 criteria = "safe-to-deploy"
@@ -742,35 +734,31 @@ criteria = "safe-to-deploy"
 
 [[exemptions.wasm-bindgen]]
 version = "0.2.92"
-criteria = "safe-to-deploy"
+criteria = "safe-to-run"
 
 [[exemptions.wasm-bindgen-backend]]
 version = "0.2.88"
-criteria = "safe-to-deploy"
+criteria = "safe-to-run"
 
 [[exemptions.wasm-bindgen-macro]]
 version = "0.2.88"
-criteria = "safe-to-deploy"
+criteria = "safe-to-run"
 
 [[exemptions.web-sys]]
 version = "0.3.65"
-criteria = "safe-to-deploy"
+criteria = "safe-to-run"
 
 [[exemptions.which]]
 version = "4.4.2"
 criteria = "safe-to-deploy"
 
-[[exemptions.winapi]]
-version = "0.3.9"
-criteria = "safe-to-deploy"
-
 [[exemptions.winapi-i686-pc-windows-gnu]]
 version = "0.4.0"
-criteria = "safe-to-deploy"
+criteria = "safe-to-run"
 
 [[exemptions.winapi-x86_64-pc-windows-gnu]]
 version = "0.4.0"
-criteria = "safe-to-deploy"
+criteria = "safe-to-run"
 
 [[exemptions.wyz]]
 version = "0.5.1"

supply-chain/imports.lock

@@ -1127,6 +1127,17 @@ criteria = "safe-to-deploy"
 version = "0.9.4"
 aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
 
+[[audits.google.audits.winapi]]
+who = "danakj@chromium.org"
+criteria = "safe-to-run"
+version = "0.3.9"
+notes = """
+Reviewed in https://crrev.com/c/5171063
+
+Previously reviewed during security review and the audit is grandparented in.
+"""
+aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
+
 [[audits.google.audits.winapi-util]]
 who = "danakj@chromium.org"
 criteria = "safe-to-run"
@@ -1198,6 +1209,11 @@ who = "David Cook <dcook@divviup.org>"
 criteria = "safe-to-deploy"
 delta = "0.2.14 -> 0.2.15"
 
+[[audits.isrg.audits.hmac]]
+who = "David Cook <dcook@divviup.org>"
+criteria = "safe-to-deploy"
+version = "0.12.1"
+
 [[audits.isrg.audits.num-bigint]]
 who = "David Cook <dcook@divviup.org>"
 criteria = "safe-to-deploy"
@@ -1298,11 +1314,6 @@ who = "David Cook <dcook@divviup.org>"
 criteria = "safe-to-deploy"
 delta = "0.5.0 -> 0.5.1"
 
-[[audits.isrg.audits.untrusted]]
-who = "David Cook <dcook@divviup.org>"
-criteria = "safe-to-deploy"
-version = "0.7.1"
-
 [[audits.isrg.audits.wasm-bindgen-shared]]
 who = "David Cook <dcook@divviup.org>"
 criteria = "safe-to-deploy"

zcash_client_backend/Cargo.toml

@@ -58,7 +58,7 @@ bech32.workspace = true
 bs58.workspace = true
 
 # - Errors
-hdwallet = { workspace = true, optional = true }
+bip32 = { workspace = true, optional = true }
 
 # - Logging and metrics
 memuse.workspace = true
@@ -133,7 +133,7 @@ lightwalletd-tonic-transport = ["lightwalletd-tonic", "tonic?/transport"]
 
 ## Enables receiving transparent funds and shielding them.
 transparent-inputs = [
-    "dep:hdwallet",
+    "dep:bip32",
     "zcash_keys/transparent-inputs",
     "zcash_primitives/transparent-inputs",
 ]

zcash_client_sqlite/CHANGELOG.md

@@ -8,6 +8,9 @@ and this library adheres to Rust's notion of
 ## [Unreleased]
 ### Changed
 - MSRV is now 1.70.0.
+- `zcash_client_sqlite::error::SqliteClientError` has changed variants:
+  - Removed `HdwalletError`.
+  - Added `TransparentDerivation`.
 
 ## [0.10.3] - 2024-04-08