From d966d9fc80ab51d48ccd61a85615d3e55dea7a42 Mon Sep 17 00:00:00 2001
From: Martyn <martyn@datasync.dev>
Date: Sat, 6 Apr 2024 12:25:32 +0100
Subject: [PATCH 1/3] Extends JWK implementation to include optional fields

---
 elliptic-curve/Cargo.toml |   5 +-
 elliptic-curve/src/jwk.rs | 436 ++++++++++++++++++--------------------
 2 files changed, 209 insertions(+), 232 deletions(-)

diff --git a/elliptic-curve/Cargo.toml b/elliptic-curve/Cargo.toml
index 388c12a1..e6349f5d 100644
--- a/elliptic-curve/Cargo.toml
+++ b/elliptic-curve/Cargo.toml
@@ -33,13 +33,14 @@ hex-literal = { version = "0.4", optional = true }
 pem-rfc7468 = { version = "=1.0.0-pre.0", optional = true, features = ["alloc"] }
 pkcs8 = { version = "=0.11.0-pre.0", optional = true, default-features = false }
 sec1 = { version = "=0.8.0-pre.1", optional = true, features = ["subtle", "zeroize"] }
-serdect = { version = "=0.3.0-pre.0", optional = true, default-features = false, features = ["alloc"] }
+#serdect = { version = "=0.3.0-pre.0", optional = true, default-features = false, features = ["alloc"] }
+serdect = { git="https://github.com/rustcrypto/formats.git", optional = true, default-features = false, features = ["alloc", "derive"] }
 serde_json = { version = "1.0.114", optional = true, default-features = false, features = ["alloc"] }
+sha2 = "=0.11.0-pre.3"
 tap = { version = "1.0.1", optional = true, default-features = false } # hack for minimal-versions support for `bits`
 
 [dev-dependencies]
 hex-literal = "0.4"
-sha2 = "=0.11.0-pre.3"
 sha3 = "=0.11.0-pre.3"
 
 [features]
diff --git a/elliptic-curve/src/jwk.rs b/elliptic-curve/src/jwk.rs
index 6e59d9fa..247e83b0 100644
--- a/elliptic-curve/src/jwk.rs
+++ b/elliptic-curve/src/jwk.rs
@@ -16,10 +16,10 @@ use alloc::{
 use base64ct::{Base64UrlUnpadded as Base64Url, Encoding};
 use core::{
     fmt::{self, Debug},
-    marker::PhantomData,
     str::{self, FromStr},
 };
-use serdect::serde::{de, ser, Deserialize, Serialize};
+use serdect::serde::{de, Deserialize, Serialize};
+use sha2::Digest;
 use zeroize::{Zeroize, ZeroizeOnDrop};
 
 #[cfg(feature = "arithmetic")]
@@ -32,15 +32,9 @@ use crate::{
 /// Key Type (`kty`) for elliptic curve keys.
 pub const EC_KTY: &str = "EC";
 
-/// Deserialization error message.
-const DE_ERROR_MSG: &str = "struct JwkEcKey with 5 elements";
-
 /// Name of the JWK type
 const JWK_TYPE_NAME: &str = "JwkEcKey";
 
-/// Field names
-const FIELDS: &[&str] = &["kty", "crv", "x", "y", "d"];
-
 /// Elliptic curve parameters used by JSON Web Keys.
 pub trait JwkParameters: Curve {
     /// The `crv` parameter which identifies a particular elliptic curve
@@ -62,22 +56,23 @@ pub trait JwkParameters: Curve {
 ///
 /// [1]: https://tools.ietf.org/html/rfc7518#section-6
 // TODO(tarcieri): eagerly decode or validate `x`, `y`, and `d` as Base64
-#[derive(Clone)]
+#[derive(Clone, Deserialize, Serialize)]
+#[serde(crate = "serdect::serde")]
 pub struct JwkEcKey {
     /// The `crv` parameter which identifies a particular elliptic curve
     /// as defined in RFC 7518 Section 6.2.1.1:
     /// <https://tools.ietf.org/html/rfc7518#section-6.2.1.1>
-    crv: String,
+    pub crv: String,
 
     /// The x-coordinate of the elliptic curve point which is the public key
     /// value associated with this JWK as defined in RFC 7518 6.2.1.2:
     /// <https://tools.ietf.org/html/rfc7518#section-6.2.1.2>
-    x: String,
+    pub x: String,
 
     /// The y-coordinate of the elliptic curve point which is the public key
     /// value associated with this JWK as defined in RFC 7518 6.2.1.3:
     /// <https://tools.ietf.org/html/rfc7518#section-6.2.1.3>
-    y: String,
+    pub y: String,
 
     /// The `d` ECC private key parameter as described in RFC 7518 6.2.2.1:
     /// <https://tools.ietf.org/html/rfc7518#section-6.2.2.1>
@@ -87,7 +82,85 @@ pub struct JwkEcKey {
     /// Inner value is encoded according to the `Integer-to-Octet-String`
     /// conversion as defined in SEC1 section 2.3.7:
     /// <https://www.secg.org/sec1-v2.pdf>
-    d: Option<String>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub d: Option<String>,
+
+    /// Key Type (must be "EC" if present) as described in RFC 7517 4.1:
+    /// <https://datatracker.ietf.org/doc/html/rfc7517#section-4.1>
+    ///
+    /// Value is optional.
+    ///
+    /// For Elliptic-Curve the value must be "EC".
+    #[serde(deserialize_with = "deserialize_kty")]
+    pub kty: String,
+
+    /// The Public Key Use as described in RFC 7517 4.2:
+    /// <https://datatracker.ietf.org/doc/html/rfc7517#section-4.2>
+    ///
+    /// Value is optional and not used by this crate.
+    #[serde(skip_serializing_if = "Option::is_none", rename = "use")]
+    pub use_: Option<String>,
+
+    /// The Key Operations as described in RFC 7517 4.3:
+    /// <https://datatracker.ietf.org/doc/html/rfc7517#section-4.3>
+    ///
+    /// Value is optional and not used by this crate.
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub key_ops: Option<alloc::vec::Vec<String>>,
+
+    /// The Algorithm as described in RFC 7517 4.4:
+    /// <https://datatracker.ietf.org/doc/html/rfc7517#section-4.4>
+    ///
+    /// Value is optional and not used by this crate.
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub alg: Option<String>,
+
+    /// The Key ID as described in RFC 7517 4.5:
+    /// <https://datatracker.ietf.org/doc/html/rfc7517#section-4.5>
+    ///
+    /// Value is optional and not used by this crate.
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub kid: Option<String>,
+
+    /// The X.509 URL as described in RFC 7517 4.6:
+    /// <https://datatracker.ietf.org/doc/html/rfc7517#section-4.6>
+    ///
+    /// Value is optional and not used by this crate.
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub x5u: Option<String>,
+
+    /// The X.509 Certificate Chain as described in RFC 7517 4.7:
+    /// <https://datatracker.ietf.org/doc/html/rfc7517#section-4.7>
+    ///
+    /// Value is optional and not used by this crate.
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub x5c: Option<String>,
+
+    /// The X.509 Certificate SHA-1 Thumbprint as described in RFC 7517 4.8:
+    /// <https://datatracker.ietf.org/doc/html/rfc7517#section-4.8>
+    ///
+    /// Value is optional and not used by this crate.
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub x5t: Option<String>,
+
+    /// The X.509 Certificate SHA-256 as described in RFC 7517 4.9:
+    /// <https://datatracker.ietf.org/doc/html/rfc7517#section-4.9>
+    ///
+    /// Value is optional and not used by this crate.
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub x5t_s256: Option<String>,
+}
+
+fn deserialize_kty<'de, D>(deserializer: D) -> core::result::Result<String, D::Error>
+where
+    D: serdect::serde::Deserializer<'de>,
+{
+    let kty: &str = de::Deserialize::deserialize(deserializer)?;
+    if kty != EC_KTY {
+        return Err(de::Error::custom(format!("unsupported JWK kty: {kty:?}")));
+    }
+
+    Ok(kty.to_string())
 }
 
 impl JwkEcKey {
@@ -129,11 +202,52 @@ impl JwkEcKey {
                 x: Base64Url::encode_string(x),
                 y: Base64Url::encode_string(y),
                 d: None,
+                alg: None,
+                key_ops: None,
+                kid: None,
+                kty: EC_KTY.into(),
+                use_: None,
+                x5c: None,
+                x5t: None,
+                x5t_s256: None,
+                x5u: None,
             }),
             _ => None,
         }
     }
 
+    /// Generates the thumbprint for JWK as defined in RFC 7638 (
+    /// <https://datatracker.ietf.org/doc/html/rfc7638>).
+    pub fn thumbprint(&self) -> Result<String> {
+        // For EC type the following fields are required to be
+        // present and in lexicographic order
+        #[derive(Serialize)]
+        #[serde(crate = "serdect::serde")]
+        struct Required {
+            crv: String,
+            kty: String,
+            x: String,
+            y: String,
+        }
+
+        let required_fields = Required {
+            crv: self.crv.to_owned(),
+            kty: self.kty.to_owned(),
+            x: self.x.to_owned(),
+            y: self.y.to_owned(),
+        };
+
+        let mut hasher = sha2::Sha256::new();
+        hasher.update(
+            serde_json::to_string(&required_fields)
+                .map_err(|_| Error)?
+                .as_bytes(),
+        );
+        Ok(base64ct::Base64UrlUnpadded::encode_string(
+            &hasher.finalize(),
+        ))
+    }
+
     /// Get the public key component of this JWK as a SEC1 [`EncodedPoint`].
     pub fn to_encoded_point<C>(&self) -> Result<EncodedPoint<C>>
     where
@@ -343,219 +457,6 @@ impl Zeroize for JwkEcKey {
     }
 }
 
-impl<'de> Deserialize<'de> for JwkEcKey {
-    fn deserialize<D>(deserializer: D) -> core::result::Result<Self, D::Error>
-    where
-        D: de::Deserializer<'de>,
-    {
-        /// Field positions
-        enum Field {
-            Kty,
-            Crv,
-            X,
-            Y,
-            D,
-        }
-
-        /// Field visitor
-        struct FieldVisitor;
-
-        impl<'de> de::Visitor<'de> for FieldVisitor {
-            type Value = Field;
-
-            fn expecting(&self, formatter: &mut fmt::Formatter<'_>) -> fmt::Result {
-                fmt::Formatter::write_str(formatter, "field identifier")
-            }
-
-            fn visit_u64<E>(self, value: u64) -> core::result::Result<Self::Value, E>
-            where
-                E: de::Error,
-            {
-                match value {
-                    0 => Ok(Field::Kty),
-                    1 => Ok(Field::Crv),
-                    2 => Ok(Field::X),
-                    3 => Ok(Field::Y),
-                    4 => Ok(Field::D),
-                    _ => Err(de::Error::invalid_value(
-                        de::Unexpected::Unsigned(value),
-                        &"field index 0 <= i < 5",
-                    )),
-                }
-            }
-
-            fn visit_str<E>(self, value: &str) -> core::result::Result<Self::Value, E>
-            where
-                E: de::Error,
-            {
-                self.visit_bytes(value.as_bytes())
-            }
-
-            fn visit_bytes<E>(self, value: &[u8]) -> core::result::Result<Self::Value, E>
-            where
-                E: de::Error,
-            {
-                match value {
-                    b"kty" => Ok(Field::Kty),
-                    b"crv" => Ok(Field::Crv),
-                    b"x" => Ok(Field::X),
-                    b"y" => Ok(Field::Y),
-                    b"d" => Ok(Field::D),
-                    _ => Err(de::Error::unknown_field(
-                        &String::from_utf8_lossy(value),
-                        FIELDS,
-                    )),
-                }
-            }
-        }
-
-        impl<'de> Deserialize<'de> for Field {
-            #[inline]
-            fn deserialize<D>(__deserializer: D) -> core::result::Result<Self, D::Error>
-            where
-                D: de::Deserializer<'de>,
-            {
-                de::Deserializer::deserialize_identifier(__deserializer, FieldVisitor)
-            }
-        }
-
-        struct Visitor<'de> {
-            marker: PhantomData<JwkEcKey>,
-            lifetime: PhantomData<&'de ()>,
-        }
-
-        impl<'de> de::Visitor<'de> for Visitor<'de> {
-            type Value = JwkEcKey;
-
-            fn expecting(&self, formatter: &mut fmt::Formatter<'_>) -> fmt::Result {
-                fmt::Formatter::write_str(formatter, "struct JwkEcKey")
-            }
-
-            #[inline]
-            fn visit_seq<A>(self, mut seq: A) -> core::result::Result<Self::Value, A::Error>
-            where
-                A: de::SeqAccess<'de>,
-            {
-                let kty = de::SeqAccess::next_element::<String>(&mut seq)?
-                    .ok_or_else(|| de::Error::invalid_length(0, &DE_ERROR_MSG))?;
-
-                if kty != EC_KTY {
-                    return Err(de::Error::custom(format!("unsupported JWK kty: {kty:?}")));
-                }
-
-                let crv = de::SeqAccess::next_element::<String>(&mut seq)?
-                    .ok_or_else(|| de::Error::invalid_length(1, &DE_ERROR_MSG))?;
-
-                let x = de::SeqAccess::next_element::<String>(&mut seq)?
-                    .ok_or_else(|| de::Error::invalid_length(2, &DE_ERROR_MSG))?;
-
-                let y = de::SeqAccess::next_element::<String>(&mut seq)?
-                    .ok_or_else(|| de::Error::invalid_length(3, &DE_ERROR_MSG))?;
-
-                let d = de::SeqAccess::next_element::<Option<String>>(&mut seq)?
-                    .ok_or_else(|| de::Error::invalid_length(4, &DE_ERROR_MSG))?;
-
-                Ok(JwkEcKey { crv, x, y, d })
-            }
-
-            #[inline]
-            fn visit_map<A>(self, mut map: A) -> core::result::Result<Self::Value, A::Error>
-            where
-                A: de::MapAccess<'de>,
-            {
-                let mut kty: Option<String> = None;
-                let mut crv: Option<String> = None;
-                let mut x: Option<String> = None;
-                let mut y: Option<String> = None;
-                let mut d: Option<String> = None;
-
-                while let Some(key) = de::MapAccess::next_key::<Field>(&mut map)? {
-                    match key {
-                        Field::Kty => {
-                            if kty.is_none() {
-                                kty = Some(de::MapAccess::next_value::<String>(&mut map)?);
-                            } else {
-                                return Err(de::Error::duplicate_field(FIELDS[0]));
-                            }
-                        }
-                        Field::Crv => {
-                            if crv.is_none() {
-                                crv = Some(de::MapAccess::next_value::<String>(&mut map)?);
-                            } else {
-                                return Err(de::Error::duplicate_field(FIELDS[1]));
-                            }
-                        }
-                        Field::X => {
-                            if x.is_none() {
-                                x = Some(de::MapAccess::next_value::<String>(&mut map)?);
-                            } else {
-                                return Err(de::Error::duplicate_field(FIELDS[2]));
-                            }
-                        }
-                        Field::Y => {
-                            if y.is_none() {
-                                y = Some(de::MapAccess::next_value::<String>(&mut map)?);
-                            } else {
-                                return Err(de::Error::duplicate_field(FIELDS[3]));
-                            }
-                        }
-                        Field::D => {
-                            if d.is_none() {
-                                d = de::MapAccess::next_value::<Option<String>>(&mut map)?;
-                            } else {
-                                return Err(de::Error::duplicate_field(FIELDS[4]));
-                            }
-                        }
-                    }
-                }
-
-                let kty = kty.ok_or_else(|| de::Error::missing_field("kty"))?;
-
-                if kty != EC_KTY {
-                    return Err(de::Error::custom(format!("unsupported JWK kty: {kty}")));
-                }
-
-                let crv = crv.ok_or_else(|| de::Error::missing_field("crv"))?;
-                let x = x.ok_or_else(|| de::Error::missing_field("x"))?;
-                let y = y.ok_or_else(|| de::Error::missing_field("y"))?;
-
-                Ok(JwkEcKey { crv, x, y, d })
-            }
-        }
-
-        de::Deserializer::deserialize_struct(
-            deserializer,
-            JWK_TYPE_NAME,
-            FIELDS,
-            Visitor {
-                marker: PhantomData::<JwkEcKey>,
-                lifetime: PhantomData,
-            },
-        )
-    }
-}
-
-impl Serialize for JwkEcKey {
-    fn serialize<S>(&self, serializer: S) -> core::result::Result<S::Ok, S::Error>
-    where
-        S: ser::Serializer,
-    {
-        use ser::SerializeStruct;
-
-        let mut state = serializer.serialize_struct(JWK_TYPE_NAME, 5)?;
-
-        for (i, field) in [EC_KTY, &self.crv, &self.x, &self.y].iter().enumerate() {
-            state.serialize_field(FIELDS[i], field)?;
-        }
-
-        if let Some(d) = &self.d {
-            state.serialize_field("d", d)?;
-        }
-
-        SerializeStruct::end(state)
-    }
-}
-
 /// Decode a Base64url-encoded field element
 fn decode_base64url_fe<C: Curve>(s: &str) -> Result<FieldBytes<C>> {
     let mut result = FieldBytes::<C>::default();
@@ -593,6 +494,30 @@ mod tests {
         }
     "#;
 
+    const JWK_PUBLIC_KEY_THUMBPRINT: &str = "_GK0r6GCoJt9zcssg9lay4obIxgCq05ntiRymRHADSU";
+
+    /// Example public key with an optional field.
+    const JWK_PUBLIC_KEY_OPTIONAL_FIELD: &str = r#"
+        {
+          "kty":"EC",
+          "crv":"P-256",
+          "x":"gI0GAILBdu7T53akrFmMyGcsF3n5dO7MmwNBHKW5SV0",
+          "y":"SLW_xSffzlPWrHEVI30DHM_4egVwt3NQqeUD7nMFpps",
+          "alg": "ES512"
+        }
+    "#;
+
+    /// Example public key with an unknown field.
+    const JWK_PUBLIC_KEY_UNKNOWN_FIELD: &str = r#"
+        {
+          "kty":"EC",
+          "crv":"P-256",
+          "x":"gI0GAILBdu7T53akrFmMyGcsF3n5dO7MmwNBHKW5SV0",
+          "y":"SLW_xSffzlPWrHEVI30DHM_4egVwt3NQqeUD7nMFpps",
+          "foo": "bar"
+        }
+    "#;
+
     /// Example unsupported JWK (RSA key)
     const UNSUPPORTED_JWK: &str = r#"
         {
@@ -639,15 +564,66 @@ mod tests {
     #[test]
     fn serialize_private_key() {
         let actual = JwkEcKey::from_str(JWK_PRIVATE_KEY).unwrap().to_string();
-        let expected: String = JWK_PRIVATE_KEY.split_whitespace().collect();
-        assert_eq!(actual, expected);
+        let actual: alloc::collections::BTreeMap<String, String> =
+            serde_json::from_str(&actual).unwrap();
+        let expected: alloc::collections::BTreeMap<String, String> =
+            serde_json::from_str(JWK_PRIVATE_KEY).unwrap();
+        assert_eq!(actual.get("kty").unwrap(), expected.get("kty").unwrap());
+        assert_eq!(actual.get("crv").unwrap(), expected.get("crv").unwrap());
+        assert_eq!(actual.get("x").unwrap(), expected.get("x").unwrap());
+        assert_eq!(actual.get("y").unwrap(), expected.get("y").unwrap());
+        assert_eq!(actual.get("d").unwrap(), expected.get("d").unwrap());
     }
 
     #[test]
     fn serialize_public_key() {
         let actual = JwkEcKey::from_str(JWK_PUBLIC_KEY).unwrap().to_string();
-        let expected: String = JWK_PUBLIC_KEY.split_whitespace().collect();
-        assert_eq!(actual, expected);
+        let actual: alloc::collections::BTreeMap<String, String> =
+            serde_json::from_str(&actual).unwrap();
+        let expected: alloc::collections::BTreeMap<String, String> =
+            serde_json::from_str(JWK_PUBLIC_KEY).unwrap();
+        assert_eq!(actual.get("kty").unwrap(), expected.get("kty").unwrap());
+        assert_eq!(actual.get("crv").unwrap(), expected.get("crv").unwrap());
+        assert_eq!(actual.get("x").unwrap(), expected.get("x").unwrap());
+        assert_eq!(actual.get("y").unwrap(), expected.get("y").unwrap());
+    }
+
+    #[test]
+    fn serialize_public_key_optional_field() {
+        let actual = JwkEcKey::from_str(JWK_PUBLIC_KEY_OPTIONAL_FIELD)
+            .unwrap()
+            .to_string();
+        let actual: alloc::collections::BTreeMap<String, String> =
+            serde_json::from_str(&actual).unwrap();
+        let expected: alloc::collections::BTreeMap<String, String> =
+            serde_json::from_str(JWK_PUBLIC_KEY_OPTIONAL_FIELD).unwrap();
+        assert_eq!(actual.get("kty").unwrap(), expected.get("kty").unwrap());
+        assert_eq!(actual.get("crv").unwrap(), expected.get("crv").unwrap());
+        assert_eq!(actual.get("x").unwrap(), expected.get("x").unwrap());
+        assert_eq!(actual.get("y").unwrap(), expected.get("y").unwrap());
+        assert_eq!(actual.get("alg").unwrap(), expected.get("alg").unwrap());
+    }
+
+    #[test]
+    fn serialize_public_key_unknown_field() {
+        let actual = JwkEcKey::from_str(JWK_PUBLIC_KEY_UNKNOWN_FIELD)
+            .unwrap()
+            .to_string();
+        let actual: alloc::collections::BTreeMap<String, String> =
+            serde_json::from_str(&actual).unwrap();
+        let expected: alloc::collections::BTreeMap<String, String> =
+            serde_json::from_str(JWK_PUBLIC_KEY_UNKNOWN_FIELD).unwrap();
+        assert_eq!(actual.get("kty").unwrap(), expected.get("kty").unwrap());
+        assert_eq!(actual.get("crv").unwrap(), expected.get("crv").unwrap());
+        assert_eq!(actual.get("x").unwrap(), expected.get("x").unwrap());
+        assert_eq!(actual.get("y").unwrap(), expected.get("y").unwrap());
+    }
+
+    #[test]
+    fn calculate_jwk_thumbprint() {
+        let jwk = JwkEcKey::from_str(JWK_PUBLIC_KEY).unwrap();
+        let actual = jwk.thumbprint().unwrap();
+        assert_eq!(&actual, JWK_PUBLIC_KEY_THUMBPRINT);
     }
 
     #[cfg(feature = "dev")]

From 0e43ec6d8fe83db3dd394e9459d6ac0b9fea854b Mon Sep 17 00:00:00 2001
From: Martyn <martyn@datasync.dev>
Date: Mon, 8 Apr 2024 18:10:56 +0100
Subject: [PATCH 2/3] Remove default dependency for sha2 crate

---
 Cargo.lock                | 83 ++++++++++++++++++++++-----------------
 elliptic-curve/Cargo.toml |  2 +-
 2 files changed, 47 insertions(+), 38 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 8f099192..c89a7653 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -25,9 +25,9 @@ dependencies = [
 
 [[package]]
 name = "aes"
-version = "0.8.3"
+version = "0.8.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ac1f845298e95f983ff1944b728ae08b8cebab80d684f0a832ed0fc74dfa27e2"
+checksum = "b169f7a6d4742236a0a00c541b845991d0ac43e546831af1249753ab4c3aa3a0"
 dependencies = [
  "cfg-if",
  "cipher 0.4.4",
@@ -63,9 +63,9 @@ dependencies = [
 
 [[package]]
 name = "autocfg"
-version = "1.1.0"
+version = "1.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa"
+checksum = "f1fdabc7756949593fe60f30ec81974b613357de856987752631dea1e3394c80"
 
 [[package]]
 name = "base16ct"
@@ -172,9 +172,9 @@ checksum = "514de17de45fdb8dc022b1a7975556c53c86f9f0aa5f534b98977b171857c2c9"
 
 [[package]]
 name = "cc"
-version = "1.0.83"
+version = "1.0.92"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f1174fb0b6ec23863f8b971027804a42614e347eafb0a95bf0b12cdae21fc4d0"
+checksum = "2678b2e3449475e95b0aa6f9b506a28e61b3dc8996592b983695e8ebb58a8b41"
 dependencies = [
  "jobserver",
  "libc",
@@ -404,9 +404,9 @@ dependencies = [
 
 [[package]]
 name = "der"
-version = "0.7.8"
+version = "0.7.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fffa369a668c8af7dbf8b5e56c9f744fbd399949ed171606040001947de40b1c"
+checksum = "f55bf8e7b65898637379c1b74eb1551107c8294ed26d855ceb9fd1a09cfc9bc0"
 dependencies = [
  "const-oid 0.9.6",
  "zeroize",
@@ -557,7 +557,7 @@ dependencies = [
  "rand_core 0.6.4",
  "sec1 0.8.0-pre.1",
  "serde_json",
- "serdect",
+ "serdect 0.3.0-pre.0 (git+https://github.com/rustcrypto/formats.git)",
  "sha2 0.11.0-pre.3",
  "sha3",
  "subtle",
@@ -615,9 +615,9 @@ dependencies = [
 
 [[package]]
 name = "getrandom"
-version = "0.2.12"
+version = "0.2.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "190092ea657667030ac6a35e305e62fc4dd69fd98ac98631e5d3a2b1575a12b5"
+checksum = "94b22e06ecb0110981051723910cbf0b5f5e09a2062dd7663334ee79a9d1286c"
 dependencies = [
  "cfg-if",
  "libc",
@@ -626,9 +626,9 @@ dependencies = [
 
 [[package]]
 name = "ghash"
-version = "0.5.0"
+version = "0.5.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d930750de5717d2dd0b8c0d42c076c0e884c81a73e6cab859bbd2339c71e3e40"
+checksum = "f0d8a4362ccb29cb0b265253fb0a2728f592895ee6854fd9bc13f2ffda266ff1"
 dependencies = [
  "opaque-debug",
  "polyval",
@@ -808,15 +808,15 @@ dependencies = [
 
 [[package]]
 name = "itoa"
-version = "1.0.10"
+version = "1.0.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b1a46d1a171d865aa5f83f92695765caa047a9b4cbae2cbf37dbd613a793fd4c"
+checksum = "49f1f14873335454500d59611f1cf4a4b0f786f9ac11f4312a78e4cf2566695b"
 
 [[package]]
 name = "jobserver"
-version = "0.1.27"
+version = "0.1.28"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8c37f63953c4c63420ed5fd3d6d398c719489b9f872b9fa683262f8edd363c7d"
+checksum = "ab46a6e9526ddef3ae7f787c06f0f2600639ba80ea3eade3d8e670a2230f51d6"
 dependencies = [
  "libc",
 ]
@@ -852,18 +852,18 @@ checksum = "9c198f91728a82281a64e1f4f9eeb25d82cb32a5de251c6bd1b5154d63a8e7bd"
 
 [[package]]
 name = "num-traits"
-version = "0.2.17"
+version = "0.2.18"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "39e3200413f237f41ab11ad6d161bc7239c84dcb631773ccd7de3dfe4b5c267c"
+checksum = "da0df0e5185db44f69b44f26786fe401b6c293d1907744beaa7fa62b2e5a517a"
 dependencies = [
  "autocfg",
 ]
 
 [[package]]
 name = "opaque-debug"
-version = "0.3.0"
+version = "0.3.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "624a8340c38c1b80fd549087862da4ba43e08858af025b236e509b6649fc13d5"
+checksum = "c08d65885ee38876c4f86fa503fb49d7b507c2b62552df7c70b2fce627e06381"
 
 [[package]]
 name = "p256"
@@ -941,7 +941,7 @@ version = "0.10.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f950b2377845cebe5cf8b5165cb3cc1a5e0fa5cfa3e1f7f55707d8fd82e0a7b7"
 dependencies = [
- "der 0.7.8",
+ "der 0.7.9",
  "spki 0.7.3",
 ]
 
@@ -968,9 +968,9 @@ dependencies = [
 
 [[package]]
 name = "polyval"
-version = "0.6.1"
+version = "0.6.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d52cff9d1d4dee5fe6d03729099f4a310a41179e0a10dbf542039873f2e826fb"
+checksum = "9d1fe60d06143b2430aa532c94cfe9e29783047f06c0d7fd359a9a51b729fa25"
 dependencies = [
  "cfg-if",
  "cpufeatures",
@@ -1087,9 +1087,9 @@ dependencies = [
 
 [[package]]
 name = "ryu"
-version = "1.0.16"
+version = "1.0.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f98d2aa92eebf49b69786be48e4477826b256916e84a57ff2a4f21923b48eb4c"
+checksum = "e86697c916019a8588c99b5fac3cead74ec0b4b819707a682fd4d23fa0ce1ba1"
 
 [[package]]
 name = "sec1"
@@ -1111,7 +1111,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d3e97a565f76233a6003f9f5c54be1d9c5bdfa3eccfb189469f11ec4901c47dc"
 dependencies = [
  "base16ct 0.2.0",
- "der 0.7.8",
+ "der 0.7.9",
  "generic-array",
  "pkcs8 0.10.2",
  "subtle",
@@ -1128,16 +1128,16 @@ dependencies = [
  "der 0.8.0-pre.0",
  "hybrid-array",
  "pkcs8 0.11.0-pre.0",
- "serdect",
+ "serdect 0.3.0-pre.0 (registry+https://github.com/rust-lang/crates.io-index)",
  "subtle",
  "zeroize",
 ]
 
 [[package]]
 name = "serde"
-version = "1.0.196"
+version = "1.0.197"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "870026e60fa08c69f064aa766c10f10b1d62db9ccd4d0abb206472bee0ce3b32"
+checksum = "3fb1c873e1b9b056a4dc4c0c198b24c3ffa059243875552b2bd0933b1aee4ce2"
 dependencies = [
  "serde_derive",
 ]
@@ -1153,9 +1153,9 @@ dependencies = [
 
 [[package]]
 name = "serde_derive"
-version = "1.0.196"
+version = "1.0.197"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "33c85360c95e7d137454dc81d9a4ed2b8efd8fbe19cee57357b32b9771fccb67"
+checksum = "7eb0b34b42edc17f6b7cac84a52a1c5f0e1bb2227e997ca9011ea3dd34e8610b"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -1164,9 +1164,9 @@ dependencies = [
 
 [[package]]
 name = "serde_json"
-version = "1.0.114"
+version = "1.0.115"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c5f09b1bd632ef549eaa9f60a1f8de742bdbc698e6cee2095fc84dde5f549ae0"
+checksum = "12dc5c46daa8e9fdf4f5e71b6cf9a53f2487da0e86e55808e2d35539666497dd"
 dependencies = [
  "itoa",
  "ryu",
@@ -1183,6 +1183,15 @@ dependencies = [
  "serde",
 ]
 
+[[package]]
+name = "serdect"
+version = "0.3.0-pre.0"
+source = "git+https://github.com/rustcrypto/formats.git#2961e7f43cc3a4b5f8d8ec7e3c1596095d8e8fe8"
+dependencies = [
+ "base16ct 0.2.0",
+ "serde",
+]
+
 [[package]]
 name = "sha2"
 version = "0.9.9"
@@ -1283,7 +1292,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d91ed6c858b01f942cd56b37a94b3e0a1798290327d1236e4d9cf4eaca44d29d"
 dependencies = [
  "base64ct",
- "der 0.7.8",
+ "der 0.7.9",
 ]
 
 [[package]]
@@ -1310,9 +1319,9 @@ checksum = "81cdd64d312baedb58e21336b31bc043b77e01cc99033ce76ef539f78e965ebc"
 
 [[package]]
 name = "syn"
-version = "2.0.52"
+version = "2.0.58"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b699d15b36d1f02c3e7c69f8ffef53de37aefae075d8488d4ba1a7788d574a07"
+checksum = "44cfb93f38070beee36b3fef7d4f5a16f27751d94b187b666a5cc5e9b0d30687"
 dependencies = [
  "proc-macro2",
  "quote",
diff --git a/elliptic-curve/Cargo.toml b/elliptic-curve/Cargo.toml
index e6349f5d..66cb5479 100644
--- a/elliptic-curve/Cargo.toml
+++ b/elliptic-curve/Cargo.toml
@@ -36,7 +36,7 @@ sec1 = { version = "=0.8.0-pre.1", optional = true, features = ["subtle", "zeroi
 #serdect = { version = "=0.3.0-pre.0", optional = true, default-features = false, features = ["alloc"] }
 serdect = { git="https://github.com/rustcrypto/formats.git", optional = true, default-features = false, features = ["alloc", "derive"] }
 serde_json = { version = "1.0.114", optional = true, default-features = false, features = ["alloc"] }
-sha2 = "=0.11.0-pre.3"
+sha2 = { version = "=0.11.0-pre.3", default-features = false }
 tap = { version = "1.0.1", optional = true, default-features = false } # hack for minimal-versions support for `bits`
 
 [dev-dependencies]

From 06a74dfdc5b6389045974789c3420c0cdfb48b47 Mon Sep 17 00:00:00 2001
From: Martyn <martyn@datasync.dev>
Date: Mon, 8 Apr 2024 18:18:18 +0100
Subject: [PATCH 3/3] Squash unused qualification error in nightly

---
 elliptic-curve/src/jwk.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/elliptic-curve/src/jwk.rs b/elliptic-curve/src/jwk.rs
index 247e83b0..1667ad54 100644
--- a/elliptic-curve/src/jwk.rs
+++ b/elliptic-curve/src/jwk.rs
@@ -155,7 +155,7 @@ fn deserialize_kty<'de, D>(deserializer: D) -> core::result::Result<String, D::E
 where
     D: serdect::serde::Deserializer<'de>,
 {
-    let kty: &str = de::Deserialize::deserialize(deserializer)?;
+    let kty: &str = Deserialize::deserialize(deserializer)?;
     if kty != EC_KTY {
         return Err(de::Error::custom(format!("unsupported JWK kty: {kty:?}")));
     }