Skip to content

chore(rng): clean support crates off direct legacy rand deps#245

Merged
EffortlessSteven merged 1 commit into
mainfrom
rng-support-cleanup
Mar 13, 2026
Merged

chore(rng): clean support crates off direct legacy rand deps#245
EffortlessSteven merged 1 commit into
mainfrom
rng-support-cleanup

Conversation

@EffortlessSteven

Copy link
Copy Markdown
Member

Summary

This is PR 3 in the RNG upgrade lane, stacked on top of #244.

It cleans up support crates that were still depending directly on the legacy rand line even though they no longer need to.

What changed

  • remove direct legacy rand_core / rand_chacha dependencies from the fuzz crate
  • update fuzz targets to the current seed-oriented helper APIs introduced by refactor(rng): hide rand ABI behind seed boundaries #243 and moved to rand 0.10 by refactor(rng): move seed and helper crates to rand 0.10 #244
  • remove unused legacy rand deps from uselesskey-bdd-steps
  • fix core_token_shape_steps to import Seed from uselesskey-core instead of an optional crate gate that is not enabled by uk-core-token-shape
  • remove the rand_core dev-dependency from uselesskey-rustcrypto
  • keep RSA-PSS test coverage by using rsa's own re-exported rand_core::OsRng instead of a workspace-level direct dependency

Why this PR exists separately

The helper/core migration in #244 is the real dual-stack topology shift.

This PR is follow-up cleanup around local/test/support code:

  • fuzz targets had drifted behind the new seed-based helper signatures
  • bdd-steps still carried stale direct rand deps
  • uselesskey-rustcrypto only needed legacy rand for a test-local OsRng helper

Keeping this separate makes the review boundary cleaner and avoids mixing support cleanup into the dependency-topology PR.

Testing

  • cargo test -p uselesskey-rustcrypto --features all --test rustcrypto_cross_verify
  • cargo test -p uselesskey-bdd-steps --features uk-core-token-shape --no-run
  • cargo check --manifest-path fuzz/Cargo.toml --bins
  • cargo xtask gate

Notes

This still does not converge the workspace on one RNG line.
The remaining legacy island is still the stable crypto edge and its transitive users:

  • uselesskey-rsa
  • uselesskey-ed25519
  • uselesskey-ecdsa
  • uselesskey-pgp
  • uselesskey-x509
  • test-only proptest still brings rand 0.9

@coderabbitai

coderabbitai Bot commented Mar 13, 2026

Copy link
Copy Markdown

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 837c645a-9d1b-4448-849a-e8f40bf0cb06

📥 Commits

Reviewing files that changed from the base of the PR and between 82f763c and 7347a2e.

⛔ Files ignored due to path filters (2)
  • Cargo.lock is excluded by !**/*.lock
  • fuzz/Cargo.lock is excluded by !**/*.lock
📒 Files selected for processing (10)
  • crates/uselesskey-bdd-steps/Cargo.toml
  • crates/uselesskey-bdd-steps/src/steps/core_token_shape_steps.rs
  • crates/uselesskey-rustcrypto/Cargo.toml
  • crates/uselesskey-rustcrypto/tests/rustcrypto_cross_verify.rs
  • fuzz/Cargo.toml
  • fuzz/fuzz_targets/core_factory_cache.rs
  • fuzz/fuzz_targets/factory_concurrent_access.rs
  • fuzz/fuzz_targets/fuzz_factory_concurrent.rs
  • fuzz/fuzz_targets/fuzz_factory_stress.rs
  • fuzz/fuzz_targets/fuzz_label_edge_cases.rs

Summary by CodeRabbit

  • Chores
    • Removed redundant workspace dependencies and unused imports across multiple crates.
    • Updated internal module references to improve dependency resolution.

Walkthrough

A refactoring that consolidates RNG/seed functionality by removing workspace dependencies on rand_chacha and rand_core, updating import paths to use uselesskey_core::Seed, and standardizing closure parameters in fuzz targets from rng to seed.

Changes

Cohort / File(s) Summary
Workspace dependency cleanup
crates/uselesskey-bdd-steps/Cargo.toml, crates/uselesskey-rustcrypto/Cargo.toml, fuzz/Cargo.toml
Removed workspace-scoped rand_chacha and rand_core dependencies, consolidating dependency resolution patterns across crates.
Import path consolidation
crates/uselesskey-bdd-steps/src/steps/core_token_shape_steps.rs
Updated Seed import path from uselesskey_core_seed to uselesskey_core, reflecting module restructuring.
Test dependency reference update
crates/uselesskey-rustcrypto/tests/rustcrypto_cross_verify.rs
Updated rng() function to reference rsa::rand_core::OsRng instead of rand_core::OsRng for test compatibility.
Fuzz target seed refactoring
fuzz/fuzz_targets/core_factory_cache.rs, fuzz/fuzz_targets/factory_concurrent_access.rs, fuzz/fuzz_targets/fuzz_factory_concurrent.rs, fuzz/fuzz_targets/fuzz_factory_stress.rs, fuzz/fuzz_targets/fuzz_label_edge_cases.rs
Renamed closure parameters from rng to seed and updated fill_bytes() calls accordingly; removed unused rand_core::RngCore imports to align with seed-based approach.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

  • uselesskey#243: Small follow-up adjustments aligned with seed/RNG boundary changes, including workspace dependency flag removal and import path updates to uselesskey_core::Seed.

Poem

🐰 Seeds are planted where RNG once grew,
Dependencies pruned, the imports anew,
From rng to seed, the parameters dance,
A tidy refactor—what a hopping romance! 🌱

✨ Finishing Touches
  • 📝 Generate docstrings (stacked PR)
  • 📝 Generate docstrings (commit on current branch)
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch rng-support-cleanup
📝 Coding Plan
  • Generate coding plan for human review comments

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@gemini-code-assist

Copy link
Copy Markdown

Summary of Changes

Hello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request focuses on refining the Random Number Generation (RNG) dependency landscape within support crates. It systematically removes direct dependencies on older rand versions where they are no longer necessary, particularly within fuzzing targets and BDD steps. The changes also involve updating internal APIs to use a more consistent seed-oriented approach, ensuring that testing and support code aligns with the latest RNG infrastructure. This cleanup is a crucial step in a broader RNG upgrade, isolating support code adjustments from core dependency topology shifts.

Highlights

  • Dependency Cleanup: Removed direct legacy rand_core and rand_chacha dependencies from the fuzz crate and uselesskey-bdd-steps.
  • Fuzz Target Updates: Updated fuzz targets to align with the current seed-oriented helper APIs, migrating away from direct rand_core::RngCore usage.
  • Import Path Correction: Corrected the import path for Seed in core_token_shape_steps to use uselesskey_core instead of uselesskey_core_seed.
  • RustCrypto Cleanup: Removed the rand_core dev-dependency from uselesskey-rustcrypto and adjusted RSA-PSS tests to use rsa's re-exported rand_core::OsRng.
  • Dependency Version Bumps: Updated various package versions in Cargo.lock, including crypto-common, getrandom, libc, once_cell, quote, r-efi, tempfile, zerocopy, and uselesskey core crates.
Changelog
  • Cargo.lock
    • Removed direct rand_chacha and rand_core dependencies.
    • Updated crypto-common from 0.1.6 to 0.1.7.
    • Updated getrandom from 0.4.1 to 0.4.2.
    • Updated libc from 0.2.182 to 0.2.183.
    • Updated once_cell from 1.21.3 to 1.21.4.
    • Updated quote from 1.0.44 to 1.0.45.
    • Updated r-efi versions.
    • Added rand 0.10.0, rand_chacha 0.10.0, rand_core 0.10.0 as new top-level packages.
    • Updated tempfile from 3.26.0 to 3.27.0.
    • Updated uselesskey and its core sub-crates from 0.1.0 to 0.3.0.
    • Removed rand_chacha and rand_core from uselesskey-core dependencies.
    • Added rand_chacha 0.10.0, rand_core 0.10.0, uselesskey-core-seed to uselesskey-core-base62 dependencies.
    • Replaced rand_chacha and rand_core with rand 0.10.0 in uselesskey-core-factory dependencies.
    • Added rand_chacha 0.10.0, rand_core 0.10.0 to uselesskey-core-seed dependencies.
    • Added rand_chacha 0.10.0, rand_core 0.10.0, uselesskey-core-seed to uselesskey-core-token-shape dependencies.
    • Added rand_chacha 0.10.0, rand_core 0.10.0, uselesskey-core-seed to uselesskey-core-x509-derive dependencies.
    • Added rand_chacha 0.3.1, rand_core 0.6.4 to uselesskey-ecdsa dependencies.
    • Removed rand_core from uselesskey-ed25519 dependencies.
    • Added rand_chacha 0.10.0, rand_core 0.10.0 to uselesskey-hmac dependencies.
    • Added rand_chacha 0.3.1, rand_core 0.6.4 to uselesskey-pgp dependencies.
    • Added rand_chacha 0.3.1, rand_core 0.6.4 to uselesskey-rsa dependencies.
    • Added rand_chacha 0.3.1, rand_core 0.6.4 to uselesskey-x509 dependencies.
    • Updated zerocopy and zerocopy-derive from 0.8.39 to 0.8.42.
  • crates/uselesskey-bdd-steps/Cargo.toml
    • Removed direct rand_chacha.workspace = true and rand_core.workspace = true dependencies.
  • crates/uselesskey-bdd-steps/src/steps/core_token_shape_steps.rs
    • Updated the import path for Seed from uselesskey_core_seed to uselesskey_core.
  • crates/uselesskey-rustcrypto/Cargo.toml
    • Removed the rand_core.workspace = true dependency.
  • crates/uselesskey-rustcrypto/tests/rustcrypto_cross_verify.rs
    • Updated the rng function signature and body to use rsa::rand_core::OsRng.
  • fuzz/Cargo.lock
    • Removed direct rand_chacha and rand_core dependencies.
    • Updated crypto-common from 0.1.6 to 0.1.7.
    • Updated getrandom from 0.4.1 to 0.4.2.
    • Updated libc from 0.2.182 to 0.2.183.
    • Updated once_cell from 1.21.3 to 1.21.4.
    • Updated quote from 1.0.44 to 1.0.45.
    • Updated r-efi versions.
    • Added rand 0.10.0, rand_chacha 0.10.0, rand_core 0.10.0 as new top-level packages.
    • Updated tempfile from 3.26.0 to 3.27.0.
    • Updated uselesskey and its core sub-crates from 0.1.0 to 0.3.0.
    • Removed rand_chacha and rand_core from uselesskey-core dependencies.
    • Added rand_chacha 0.10.0, rand_core 0.10.0, uselesskey-core-seed to uselesskey-core-base62 dependencies.
    • Replaced rand_chacha and rand_core with rand 0.10.0 in uselesskey-core-factory dependencies.
    • Added rand_chacha 0.10.0, rand_core 0.10.0 to uselesskey-core-seed dependencies.
    • Added rand_chacha 0.10.0, rand_core 0.10.0, uselesskey-core-seed to uselesskey-core-token-shape dependencies.
    • Added rand_chacha 0.10.0, rand_core 0.10.0, uselesskey-core-seed to uselesskey-core-x509-derive dependencies.
    • Added rand_chacha 0.3.1, rand_core 0.6.4 to uselesskey-ecdsa dependencies.
    • Removed rand_core from uselesskey-ed25519 dependencies.
    • Added rand_chacha 0.10.0, rand_core 0.10.0 to uselesskey-hmac dependencies.
    • Added rand_chacha 0.3.1, rand_core 0.6.4 to uselesskey-pgp dependencies.
    • Added rand_chacha 0.3.1, rand_core 0.6.4 to uselesskey-rsa dependencies.
    • Added rand_chacha 0.3.1, rand_core 0.6.4 to uselesskey-x509 dependencies.
    • Updated zerocopy and zerocopy-derive from 0.8.39 to 0.8.42.
  • fuzz/Cargo.toml
    • Removed direct rand_core and rand_chacha dependencies.
  • fuzz/fuzz_targets/core_factory_cache.rs
    • Removed rand_core::RngCore import.
    • Updated factory.get_or_init closures to use seed parameter instead of rng.
  • fuzz/fuzz_targets/core_token_shape.rs
    • Removed rand_chacha::ChaCha20Rng and rand_core::SeedableRng imports.
    • Added uselesskey::Seed import.
    • Replaced ChaCha20Rng::from_seed with Seed::new.
    • Updated token generation functions to accept Seed directly.
  • fuzz/fuzz_targets/factory_concurrent_access.rs
    • Removed rand_core::RngCore import.
    • Updated fx.get_or_init closures to use seed parameter instead of rng.
  • fuzz/fuzz_targets/fuzz_factory_concurrent.rs
    • Removed rand_core::RngCore import.
    • Updated fx.get_or_init closures to use seed parameter instead of rng.
  • fuzz/fuzz_targets/fuzz_factory_stress.rs
    • Removed rand_core::RngCore import.
    • Updated fx.get_or_init closures to use seed parameter instead of rng.
  • fuzz/fuzz_targets/fuzz_label_edge_cases.rs
    • Removed rand_core::RngCore import.
    • Updated factory.get_or_init closures to use seed parameter instead of rng.
  • fuzz/fuzz_targets/fuzz_token_shape.rs
    • Removed rand_chacha::ChaCha20Rng and rand_core::SeedableRng imports.
    • Added uselesskey::Seed import.
    • Replaced ChaCha20Rng::from_seed with Seed::new.
    • Updated token generation functions to accept Seed directly.
  • fuzz/fuzz_targets/token_shape.rs
    • Removed rand_chacha::ChaCha20Rng and rand_core::SeedableRng imports.
    • Added uselesskey::Seed import.
    • Replaced ChaCha20Rng::from_seed with Seed::new.
    • Updated token generation functions to accept Seed directly.
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

The pull request updates various dependencies, including rand and libc crates, and upgrades several uselesskey-* crates from version 0.1.0 to 0.3.0. A significant refactoring was done to centralize random number generation (RNG) and seeding logic by introducing a Seed type from uselesskey-core and removing direct rand_core and rand_chacha dependencies from many Cargo.toml files and fuzz targets. The review comments highlight an improvement opportunity in the fuzz tests, suggesting that multiple token generations within a single fuzz target should derive unique seeds from the initial input seed to ensure independent randomness and improve fuzzing effectiveness, rather than reusing the same seed for each generation.

Comment on lines 45 to 58
// Exercise individual generators with fuzz-derived label.
let mut rng_api = ChaCha20Rng::from_seed(input.seed);
let api = generate_api_key(&mut rng_api);
let api = generate_api_key(seed);
assert!(api.starts_with("uk_test_"));

let mut rng_bearer = ChaCha20Rng::from_seed(input.seed);
let bearer = generate_bearer_token(&mut rng_bearer);
let bearer = generate_bearer_token(seed);
assert_eq!(bearer.len(), 43);

let mut rng_oauth = ChaCha20Rng::from_seed(input.seed);
let oauth = generate_oauth_access_token(&input.label, &mut rng_oauth);
let oauth = generate_oauth_access_token(&input.label, seed);
assert_eq!(oauth.matches('.').count(), 2);

// Exercise random_base62 with fuzz-derived length.
let len = input.base62_len as usize;
let mut rng_b62 = ChaCha20Rng::from_seed(input.seed);
let b62 = random_base62(&mut rng_b62, len);
let b62 = random_base62(seed, len);
assert_eq!(b62.len(), len);

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

The fuzz test generates several token types (api, bearer, oauth, b62) using the same seed. This means the randomness used for each token is not independent, as each generation function will re-seed an RNG with the same value and produce correlated random streams. This reduces the effectiveness of the fuzzing. To improve this, you should derive a unique seed for each token generation.

    // Exercise individual generators with fuzz-derived label.
    let api_seed = uselesskey_core_id::derive_seed(&seed, &uselesskey_core_id::ArtifactId::new("fuzz", "api", &[], "v1", uselesskey_core_id::DerivationVersion::V1));
    let api = generate_api_key(api_seed);
    assert!(api.starts_with("uk_test_"));

    let bearer_seed = uselesskey_core_id::derive_seed(&seed, &uselesskey_core_id::ArtifactId::new("fuzz", "bearer", &[], "v1", uselesskey_core_id::DerivationVersion::V1));
    let bearer = generate_bearer_token(bearer_seed);
    assert_eq!(bearer.len(), 43);

    let oauth_seed = uselesskey_core_id::derive_seed(&seed, &uselesskey_core_id::ArtifactId::new("fuzz", "oauth", &[], "v1", uselesskey_core_id::DerivationVersion::V1));
    let oauth = generate_oauth_access_token(&input.label, oauth_seed);
    assert_eq!(oauth.matches('.').count(), 2);

    // Exercise random_base62 with fuzz-derived length.
    let len = input.base62_len as usize;
    let b62_seed = uselesskey_core_id::derive_seed(&seed, &uselesskey_core_id::ArtifactId::new("fuzz", "b62", &[], "v1", uselesskey_core_id::DerivationVersion::V1));
    let b62 = random_base62(b62_seed, len);
    assert_eq!(b62.len(), len);

Comment on lines 19 to 39
// Fuzz random_base62 with arbitrary lengths (capped to avoid OOM).
let len = input.base62_len as usize;
let mut rng = ChaCha20Rng::from_seed(input.seed);
let token = random_base62(&mut rng, len);
let seed = Seed::new(input.seed);
let token = random_base62(seed, len);
assert_eq!(token.len(), len);
assert!(token.chars().all(|c| c.is_ascii_alphanumeric()));

// Determinism: same seed + same length = same output.
let mut rng2 = ChaCha20Rng::from_seed(input.seed);
let token2 = random_base62(&mut rng2, len);
let token2 = random_base62(seed, len);
assert_eq!(token, token2);

// Fuzz individual generators.
let mut rng_api = ChaCha20Rng::from_seed(input.seed);
let api = generate_api_key(&mut rng_api);
let api = generate_api_key(seed);
assert!(api.starts_with("uk_test_"));

let mut rng_bearer = ChaCha20Rng::from_seed(input.seed);
let bearer = generate_bearer_token(&mut rng_bearer);
let bearer = generate_bearer_token(seed);
assert_eq!(bearer.len(), 43);

let label = String::from_utf8_lossy(&input.label_bytes);
let mut rng_oauth = ChaCha20Rng::from_seed(input.seed);
let oauth = generate_oauth_access_token(&label, &mut rng_oauth);
let oauth = generate_oauth_access_token(&label, seed);
assert_eq!(oauth.matches('.').count(), 2);

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

The fuzz test generates several token types (random_base62, api, bearer, oauth) using the same seed. This means the randomness used for each token is not independent, as each generation function will re-seed an RNG with the same value and produce correlated random streams. This reduces the effectiveness of the fuzzing. To improve this, you should derive a unique seed for each token generation.

    // Fuzz random_base62 with arbitrary lengths (capped to avoid OOM).
    let len = input.base62_len as usize;
    let seed = Seed::new(input.seed);

    let b62_seed = uselesskey_core_id::derive_seed(&seed, &uselesskey_core_id::ArtifactId::new("fuzz", "b62", &[], "v1", uselesskey_core_id::DerivationVersion::V1));
    let token = random_base62(b62_seed, len);
    assert_eq!(token.len(), len);
    assert!(token.chars().all(|c| c.is_ascii_alphanumeric()));

    // Determinism: same seed + same length = same output.
    let token2 = random_base62(b62_seed, len);
    assert_eq!(token, token2);

    // Fuzz individual generators.
    let api_seed = uselesskey_core_id::derive_seed(&seed, &uselesskey_core_id::ArtifactId::new("fuzz", "api", &[], "v1", uselesskey_core_id::DerivationVersion::V1));
    let api = generate_api_key(api_seed);
    assert!(api.starts_with("uk_test_"));

    let bearer_seed = uselesskey_core_id::derive_seed(&seed, &uselesskey_core_id::ArtifactId::new("fuzz", "bearer", &[], "v1", uselesskey_core_id::DerivationVersion::V1));
    let bearer = generate_bearer_token(bearer_seed);
    assert_eq!(bearer.len(), 43);

    let label = String::from_utf8_lossy(&input.label_bytes);
    let oauth_seed = uselesskey_core_id::derive_seed(&seed, &uselesskey_core_id::ArtifactId::new("fuzz", "oauth", &[], "v1", uselesskey_core_id::DerivationVersion::V1));
    let oauth = generate_oauth_access_token(&label, oauth_seed);
    assert_eq!(oauth.matches('.').count(), 2);

@EffortlessSteven EffortlessSteven changed the base branch from rng-dual-stack to main March 13, 2026 05:06
@EffortlessSteven EffortlessSteven merged commit fb5d0a1 into main Mar 13, 2026
3 of 4 checks passed
@EffortlessSteven EffortlessSteven deleted the rng-support-cleanup branch March 13, 2026 09:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant