Update direct libsecp256k1 dependencies (#2456)

## Proposed Changes * Remove direct dependencies on vulnerable `libsecp256k1 0.3.5` * Ignore the RUSTSEC issue until it is resolved in #2389
2026-03-03 00:31:50 +00:00 · 2021-07-14 05:24:10 +00:00
parent fc4c611476
commit 8fa6e463ca
6 changed files with 72 additions and 13 deletions
--- a/common/eth2/Cargo.toml
+++ b/common/eth2/Cargo.toml
@@ -17,7 +17,7 @@ proto_array = { path = "../../consensus/proto_array", optional = true }
 serde_utils = { path = "../../consensus/serde_utils" }
 zeroize = { version = "1.1.1", features = ["zeroize_derive"] }
 eth2_keystore = { path = "../../crypto/eth2_keystore" }
-libsecp256k1 = "0.3.5"
+libsecp256k1 = "0.5.0"
 ring = "0.16.19"
 bytes = "1.0.1"
 account_utils = { path = "../../common/account_utils" }
--- a/common/eth2/src/lighthouse_vc/http_client.rs
+++ b/common/eth2/src/lighthouse_vc/http_client.rs
@@ -2,12 +2,12 @@ use super::{types::*, PK_LEN, SECRET_PREFIX};
 use crate::Error;
 use account_utils::ZeroizeString;
 use bytes::Bytes;
+use libsecp256k1::{Message, PublicKey, Signature};
 use reqwest::{
    header::{HeaderMap, HeaderValue},
    IntoUrl,
 };
 use ring::digest::{digest, SHA256};
-use secp256k1::{Message, PublicKey, Signature};
 use sensitive_url::SensitiveUrl;
 use serde::{de::DeserializeOwned, Serialize};

@@ -94,7 +94,7 @@ impl ValidatorClientHttpClient {
            .ok()
            .and_then(|bytes| {
                let sig = Signature::parse_der(&bytes).ok()?;
-                Some(secp256k1::verify(&message, &sig, &self.server_pubkey))
+                Some(libsecp256k1::verify(&message, &sig, &self.server_pubkey))
            })
            .filter(|is_valid| *is_valid)
            .ok_or(Error::InvalidSignatureHeader)?;