topaLE
/
vaultwarden
mirror of https://github.com/dani-garcia/vaultwarden
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

docs(audit): add feasibility report for webauthn-rs and webpki-roots remediation

pull/6727/head
kalvinparker 3 months ago
parent
6ed3d31cc0
commit
d9db30e4b9
1 changed files with 96 additions and 0 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 96
      issues/FEASIBILITY-WEBAUTHN-WEBPKI.md

96
issues/FEASIBILITY-WEBAUTHN-WEBPKI.md
View File

@ -0,0 +1,96 @@
Feasibility report: webauthn-rs (MPL-2.0) and webpki-roots (CDLA-Permissive-2.0)
Date: 2025-11-09
Branch: remediations/audit-2025-11-09
Summary
-------
This short report captures the dependency graph findings and remediation options for the two license clusters discovered by cargo-deny:
- webauthn-rs family (webauthn-rs, webauthn-rs-core, webauthn-rs-proto, webauthn-attestation-ca) — license: MPL-2.0
- webpki-roots — license: CDLA-Permissive-2.0 (pulled transitively via `reqwest` / `hyper-rustls` in our graph)
Reverse-dependency findings (what pulled them into the workspace)
---------------------------------------------------------------
- `webauthn-rs v0.5.3` is a direct dependency in `Cargo.toml` (we use features: `danger-allow-state-serialisation`, `danger-credential-internals`).
- Reverse deps: `webauthn-rs v0.5.3` -> `vaultwarden v1.0.0` (direct)
- `webpki-roots v1.0.3` is transitive via the HTTP/TLS stack:
- webpki-roots v1.0.3 -> hyper-rustls v0.27.7 -> reqwest v0.12.24 -> openidconnect v4.0.1 -> vaultwarden v1.0.0
- reqwest is also used in other paths (opendal, yubico-ng, etc.) so webpki-roots appears multiple times transitively.
Feasibility and remediation options (short)
-------------------------------------------
For each cluster below I list pragmatic options, effort estimate, and recommended next action.
1) webauthn-rs (MPL-2.0)
Options:
- Upgrade: check whether `webauthn-rs` publishes a newer version with a different license. If a newer release exists that uses a more permissive license (or is relicensed), upgrade and test. Effort: low-to-moderate (run `cargo update -p webauthn-rs` and run tests; review any breaking API/behaviour changes).
- Replace: adopt an alternative WebAuthn crate or implement minimal functionality in-house. Effort: medium-to-high depending on coverage and features used (we currently enable two non-trivial features).
- Vendor / shim: vendor the needed logic into the repo (or a small wrapper using a different crypto backend) and maintain it as in-tree or as a local crate. Effort: medium; maintenance burden shifts to the project.
- Per-crate exception: timeboxed exception for `webauthn-rs*` in `deny.toml`. Effort: trivial config change but increases audit scope (temporary).
Likelihood / comments:
- Because `webauthn-rs` is a direct dependency and we enable special features for state/credential internals, replacing it may be disruptive.
- First attempt should be: verify upstream for newer versions (minor patch/feature releases), test upgrade locally, and evaluate behavior differences.
Recommended immediate action for webauthn-rs:
- Run `cargo search` / check crates.io for `webauthn-rs` releases (manual step / maintainers action).
- Locally try `cargo update -p webauthn-rs` then run the test suite and exercise WebAuthn flows.
- If upgrade is not available or disruptive, open a narrow, documented, timeboxed per-crate exception for the `webauthn-rs` family while planning a replacement path.
2) webpki-roots (CDLA-Permissive-2.0)
Options:
- Swap TLS backend or reqwest features: `reqwest` supports multiple TLS backends (rustls vs native-tls) and root-store options (webpki-roots vs system roots). Switching to `native-tls` or `rustls` variant with system roots might eliminate the `webpki-roots` dependency.
- Upgrade reqwest / hyper-rustls: newer versions may use different transitive root crates; attempt `cargo update -p reqwest` and `cargo update -p hyper-rustls` and test.
- Replace or vendor: if a dependency requires `webpki-roots` specifically and cannot be changed, consider an explicit per-crate exception or select alternative upstream crates that avoid CDLA.
Likelihood / comments:
- Because `webpki-roots` is pulled in by `reqwest`/`hyper-rustls`, a small change in reqwest features (switching to native-tls) or upgrading reqwest often avoids webpki-roots. This is generally low-to-moderate effort.
Recommended immediate action for webpki-roots:
- Try switching `reqwest` features (in `Cargo.toml`) to use `native-tls` (or system roots) and run `cargo update` and the test suite.
- Alternatively, try `cargo update -p reqwest` and `cargo update -p hyper-rustls` to bring in newer upstream transitive changes, then re-run `cargo-deny`.
Commands to try (local dev / CI experimentation)
------------------------------------------------
# In a branch / local dev container
# 1) Try upgrading webauthn-rs
cargo update -p webauthn-rs
cargo test
# 2) Try upgrading reqwest/hyper-rustls
cargo update -p reqwest
cargo update -p hyper-rustls
cargo test
# 3) Try switching reqwest TLS features to native-tls (edit Cargo.toml):
# reqwest = { version = "0.12.24", features = ["native-tls", "stream", "json", ...], default-features = false }
cargo update
cargo test
# 4) Re-run the audit after any change
# (inside audit container or CI) - this verifies cargo-deny results
/usr/local/cargo/bin/cargo-deny --manifest-path Cargo.toml check licenses --format json
Risk assessment & policy suggestion
----------------------------------
- Short-term: a documented, timeboxed, per-crate exception for the webauthn-rs family and/or webpki-roots is acceptable to unblock CI while we attempt upgrades. However, because `webauthn-rs` is a direct dependency and non-trivial, invest effort to try an upgrade/replacement within a short timeline (30-90 days).
- Medium-term: prefer dependency upgrades or swapping reqwest TLS options over perpetual exceptions. Upgrades reduce maintenance debt and long-term audit risk.
Deliverables included with this report
-------------------------------------
- Reverse dependency outputs captured in `docker/audit/output/webauthn-tree.txt` and `docker/audit/output/webpki-tree.txt`.
- License triage CSV: `docker/audit/output/license_triage_2025-11-09.csv`.
- Recommended commands and next steps (above).
If you want, I can attempt the low-risk experiments now:
- Try `cargo update -p reqwest` and re-run `cargo-deny` (low effort, downloads crates), or
- Try `cargo update -p webauthn-rs` and run test suite (may require exercising WebAuthn flows).
Next suggested step
-------------------
Run the quick experiment: upgrade `reqwest` (and hyper-rustls) in a temporary branch, re-run `cargo-deny` and tests, and report the results. This often removes `webpki-roots` without deeper changes.
Write Preview
Loading…
Cancel
Save