From ee1c4e5e76c7f98754e399eb3051837046f8df82 Mon Sep 17 00:00:00 2001
From: Mariappan Ramasamy <142989797+expressvpn-mariappan-r@users.noreply.github.com>
Date: Wed, 30 Aug 2023 15:14:48 +0800
Subject: [PATCH 1/2] Add cargo deny to audit licenses of dependencies

- Add earthly target `check-license` for checking licenses
- Update github actions to `cargo deny licenses sources bans` on every pr excluding advisories
- Add github action nightly job to run `cargo deny` including advisories
---
 .github/workflows/ci.yaml | 7 ++++
 .github/workflows/nightly-cargo-deny.yaml | 12 ++++++
 Earthfile | 5 +++
 deny.toml | 51 +++++++++++++++++++++++
 4 files changed, 75 insertions(+)
 create mode 100644 .github/workflows/nightly-cargo-deny.yaml
 create mode 100644 deny.toml

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 53a5486..b1dcc4c 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -31,3 +31,10 @@ jobs:
 - uses: actions/checkout@v3
 - name: Lint crate
 run: earthly --ci +lint
+ cargo-deny:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - uses: EmbarkStudios/cargo-deny-action@v1
+ with:
+ command: check bans licenses sources
diff --git a/.github/workflows/nightly-cargo-deny.yaml b/.github/workflows/nightly-cargo-deny.yaml
new file mode 100644
index 0000000..c65aa79
--- /dev/null
+++ b/.github/workflows/nightly-cargo-deny.yaml
@@ -0,0 +1,12 @@
+name: Nightly `cargo deny` checks
+on:
+ schedule:
+ - cron: '17 6 * * *'
+ workflow_dispatch:
+
+jobs:
+ cargo-deny:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - uses: EmbarkStudios/cargo-deny-action@v1
diff --git a/Earthfile b/Earthfile
index fe11661..23995cc 100644
--- a/Earthfile
+++ b/Earthfile
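Review bot: The new `cargo-deny` job is itself a supply-chain control, yet `EmbarkStudios/cargo-deny-action@v1` is pulled by a mutable tag, so the code that gates every PR can change underneath the job without any change in this repository; pin it to a full commit SHA and keep the tag as a comment, e.g. `- uses: EmbarkStudios/cargo-deny-action@<FULL_COMMIT_SHA> # v1`. The same applies to the identical `uses:` line in the new `nightly-cargo-deny.yaml` hunk. `actions/checkout@v3` matches the existing steps above it, so that can be left for a separate pinning sweep. If the workflow has no top-level `permissions:` key (the file header is outside this hunk), the job should also declare `permissions: contents: read` so a compromised action cannot do more than read the checkout. The enclosing `jobs:` block starts outside the hunk.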
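Review bot: The new workflow sets no `permissions:` key, so the job runs with the repository's default `GITHUB_TOKEN` scope although it only needs to read the checkout; add a top-level `permissions:` block with `contents: read` directly under `name:`. The action is again referenced by the mutable `@v1` tag (see the note on the `ci.yaml` hunk). The job relies on the action's default `command` (`check`, i.e. all checks) to be the one place advisories are evaluated, which is not visible from the file itself; a comment above the `uses:` line such as `# default command 'check' runs all checks, including advisories (excluded from the PR job)` would keep that intent from being lost when someone copies the PR job's `with:` block here. A failing scheduled run is only visible in the Actions tab, so if advisory hits are meant to be acted on, consider a notification or issue-on-failure step.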
@@ -42,3 +42,8 @@ lint:
 RUN rustup component add clippy
 RUN apt-get install -qqy bsdextrautils
 RUN cargo clippy --all-features --all-targets -- -D warnings
+
+check-license:
+ RUN cargo install --locked cargo-deny
+ COPY --dir src tests Cargo.toml Cargo.lock deny.toml ./
+ RUN cargo deny --all-features check bans license sources
diff --git a/deny.toml b/deny.toml
new file mode 100644
index 0000000..98ec7bb
--- /dev/null
+++ b/deny.toml
@@ -0,0 +1,51 @@
+[advisories]
+db-path = "~/.cargo/advisory-db"
+db-urls = ["https://github.com/rustsec/advisory-db"]
+vulnerability = "deny"
+unmaintained = "deny"
+yanked = "deny"
+notice = "deny"
+ignore = [
+ #"RUSTSEC-0000-0000",
+]
+# * None - CVSS Score 0.0
+# * Low - CVSS Score 0.1 - 3.9
+# * Medium - CVSS Score 4.0 - 6.9
+# * High - CVSS Score 7.0 - 8.9
+# * Critical - CVSS Score 9.0 - 10.0
+severity-threshold = "High"
+
+[licenses]
+default = "deny"
+copyleft = "deny"
+unlicensed = "deny"
+allow = [
+ "MIT",
+ "Apache-2.0",
+ "Unicode-DFS-2016",
+ "BSD-3-Clause",
+ "ISC",
+]
+allow-osi-fsf-free = "neither"
+confidence-threshold = 0.8
+exceptions = [
+ { name = "wolfssl-sys", allow = ["GPL-2.0"], version = "*" },
+]
+
+[licenses.private]
+ignore = true
+
+[bans]
+multiple-versions = "warn"
+wildcards = "allow"
+highlight = "all"
+workspace-default-features = "allow"
+external-default-features = "allow"
+
+[sources]
+unknown-registry = "deny"
+unknown-git = "deny"
+allow-registry = ["https://github.com/rust-lang/crates.io-index"]
+allow-git = [
+ "https://github.com/open-quantum-safe/liboqs-rust",
+]
From f8aaa2d6996cf1d67afb0c816d247ed96270fbcb Mon Sep 17 00:00:00 2001
From: Mariappan Ramasamy <142989797+expressvpn-mariappan-r@users.noreply.github.com>
Date: Thu, 31 Aug 2023 18:05:05 +0800
Subject: [PATCH 2/2] Update outdated test.openquantumsafe.org ca cert

---
 examples/test_certs/pq-osa-ca.crt | 54 +++++++++++++++----------------
 1 file changed, 27 insertions(+), 27 deletions(-)
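Review bot: `RUN cargo install --locked cargo-deny` installs whichever cargo-deny is newest at build time, so the target is not reproducible and a future release that changes how `deny.toml` keys or exit codes are interpreted can break builds with no change in this repository; pin it, e.g. `RUN cargo install --locked cargo-deny --version <PINNED_VERSION>`, and bump deliberately. The target name `check-license` undersells what the final `RUN` does, since it also evaluates `bans` and `sources`; either rename it or put a one-line comment above the target stating its scope and that advisories are intentionally left to the nightly job. The subcommand is spelled `license` here and `licenses` in the `ci.yaml` job; using one spelling in both places makes it obvious the two entry points are meant to be equivalent.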
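Review bot: `severity-threshold = "High"` means advisories scoring below CVSS 7.0 are not turned into errors, so despite `vulnerability = "deny"` the nightly job still passes on Medium (4.0–6.9) and Low findings anywhere in the transitive tree; for a TLS/crypto dependency set that is a wide blind spot, and how advisories with no CVSS score fall under a threshold is worth confirming against the cargo-deny docs. Either drop the line so every advisory is reported and triaged through `ignore` per entry, or keep it and add a comment above it explaining why Medium and below are acceptable here. The `wolfssl-sys` GPL-2.0 exception deserves a one-line comment stating the licensing basis the project relies on, so a later reader neither removes nor widens it; `version = "*"` also means the exception survives every future major bump, which may or may not be intended. Any real entry that later replaces the `#"RUSTSEC-0000-0000"` placeholder should carry a reason and a review date.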
diff --git a/examples/test_certs/pq-osa-ca.crt b/examples/test_certs/pq-osa-ca.crt
index 9b7d8a1..5d9545a 100644
--- a/examples/test_certs/pq-osa-ca.crt
+++ b/examples/test_certs/pq-osa-ca.crt
@@ -1,29 +1,29 @@ -----BEGIN CERTIFICATE----- -MIIFCzCCAvOgAwIBAgIUavME2jj8LFyR4tz95Uc8eKKrYmswDQYJKoZIhvcNAQEL -BQAwFTETMBEGA1UEAwwKb3FzdGVzdF9DQTAeFw0yMjA3MzEwOTQ5NThaFw0yMzEy -MTMwOTQ5NThaMBUxEzARBgNVBAMMCm9xc3Rlc3RfQ0EwggIiMA0GCSqGSIb3DQEB -AQUAA4ICDwAwggIKAoICAQDuURsbjnFzcUIISF/8zse/DgLAaHf6hdxlqZvTwZKV -+4pu1IAsKNgzLXYLqbtaKP96IdRscBLcWitp4o+SEYyFsrrTF4N35HtALbkQpDKO -nIVj7Mlt+dvKRLgT5Ll6VQSzmsgqhENabwb1XSpmMlV29VAilseNXOe8uhNjnEPW -ZJ5AFESJZx3ltIA1pqUrt/uIQhvlswRdKssyk/AoZjuA+Ybz628PeV4u3q4lc3sZ -xDRb1HY5kotd/nlwI1JQqGpJvsUjKAFLgF5QiCIxix5JXNHgf2h/0thhqkjLq3BF -wpKIJZW2WwW0F3TS1ourmT619+XrDs+3q0d3WtXY1iwNf6PYqbxpNfqKgzw7oULA -MduAlfTeCDpem13JkdJpl/1cQt+1nrLyiOwEGCpmdo0jBwcUr355Oqe9HQY24VOj -rOLmMZIIBiA759hXyK7HBn7+TtqNVRRgZoO+4a4WRqLHJ3qQHAfjQmL6mVhGCUC0 -e7gqtp92wOVn3J6SXlIbclvyfQJKoTJLEz83IXjUKgV1BqYZ/UdjoA+aZmDSRSMc -CvmyzyA3takr2hkhJf70duPlzcxgIhchoZKtiGb7xpGvwQN8xpkbKxeXQaAPUVyg -RGRoG0pCtpzWAYkt9hHIMKiYUHvi0aNMDptKKNLGCqnaCcwqb1LyVZyxZ+EoLj8K -FwIDAQABo1MwUTAdBgNVHQ4EFgQUN1SCM+6DvXQ0K9rpAV9SJbqzY7QwHwYDVR0j -BBgwFoAUN1SCM+6DvXQ0K9rpAV9SJbqzY7QwDwYDVR0TAQH/BAUwAwEB/zANBgkq -hkiG9w0BAQsFAAOCAgEABponyfODLkcG5WHP9PrRNn0OmPl7DI6UBhS/N6SxvwN6 -Fe/TPu1qYYFZOvPx57CJZOZvroOQ024CTtj/EO8B+JFFT6EHjYvC0FH9Z+Hyo5MP -fd2GAIRJhh+Jo+PMTIxg6ToZhPbNto4OLyY6qcmJyz+WwJ01VwSGIrZef9nb5a3+ -wNlOHOnbfZh0IkIss6n3bGq9s+fx42+jdrMPxaBY0L1xtuMDodjcLlzlmOySmfBV -KbdppbYsnv3kAe2cqpL37UraIo/jER5BQbAmkh8qKZ66X9JnQaiPFqcAbEb1tqDL -XSlkWJiTV6E9k3FaULiE93WvFB/JLwkiAZhLzU3JyTJkfD0tMVF8NL1q2g2/RtGg -BWjxfY3YYk9Pcm09jbVxVuvSI/PqjAs9Tw1P6gJYq2ZbCC0ssSLAHLMCp80sPtEh -et0+SB7wS14hK138NAupTT9lZMmUHxeVbbMQ3c/3VvA0CU3/nnkLCUBe8F3MtbIH -dLv4uL7FWFPFf3cTesTBam1LhkiuUKIvV9w3nOfaYD4lvtI3zxTGu9zYQQXdp964 -xdY/Jvfz7n/8ZF3e5mtm7K8mp4NAPJZWFv9jS8Qu7iEfG61zBavn2Rc4W4jd9gRr -GAPCdl05udTDQBNqRjVvhPH2djCIEmyb9o2c7Vf89/hiEhCuUHshJEGCBv+Pkj0= +MIIFCzCCAvOgAwIBAgIUCpn6WBGVTKUeNehaBCnHK4AgfrUwDQYJKoZIhvcNAQEL +BQAwFTETMBEGA1UEAwwKb3FzdGVzdF9DQTAeFw0yMzA4MDgxMDQwMzRaFw0yNDEy 
+MjAxMDQwMzRaMBUxEzARBgNVBAMMCm9xc3Rlc3RfQ0EwggIiMA0GCSqGSIb3DQEB +AQUAA4ICDwAwggIKAoICAQCnUS9KCJuwwGbgdsYoVkU7pp/M5gApTHdURaSx1NN+ +0f50155cJvk0FZjJibL5wOawGcsDXQ31ujaXvtZPEWDbW8wUNhM66vLUjY8SuWNW +AoK2O42EH8jxNBNTethojZxMs+IKijh25Iz8O8nrNXPV1kQAPts9y9XHL8KNAGcS ++6xpRb19dln83veoIGvwkLcde/xmkWtkhDKiaT4TkTTNSVMavP4X8nGlzVkWYxiT +XjY36G784rPz6bY8G7dyrxDk4awOCktY5Hmw6C1gy6FxVTFezCPqVJMlznO/vu42 +DtzHis9ztT3Yo3j2vroywHNa8F4E6lQVZtMOnqPm+bo65imWCmDMYToWMuA22a4O +CWYy6riOSKhMh2h1bn+b+/F2PxN4m7rfF9EgNAWjDYoQI75bXpGgFswVYbV3NHwM +jiwKAt5lW0ZrHELwnXDg3YeozvL/aBxtknhhHv4e9cwr91LbDjPZYbiVrtjlIzLk +O8TqdjdanDPsFTvscMd6CGy6ZPuJta60FcsBazQOVLo6avkZlGvosPstmcM1Cmkb +uXHprdWjW5eCesf28LXl0zlJzAldcleHva8JFsgv9Qyjhz91n9YPb1pnSb5o9YY8 +WNYqq6vZgQb9uxna99CmZtlbFKueusn0BWyOYldnbW0J/dhWA2J1f/smC80oRNnP +HQIDAQABo1MwUTAdBgNVHQ4EFgQUQuYEXbkQgyG7YNznz3zXpmDo0sowHwYDVR0j +BBgwFoAUQuYEXbkQgyG7YNznz3zXpmDo0sowDwYDVR0TAQH/BAUwAwEB/zANBgkq +hkiG9w0BAQsFAAOCAgEADkGyktZjsMQcRguJAV6ZS9et35rzRaBUmMqZ4rRnTGqA +q/z6gKArC6n2zm0w9DHbBpVrLKqCmC/F1Pyhmm975Y8mPiQl1BzO86ShsMhBtFLZ +YBmikWicZtt2bznLSCwyMB6WoaG4OrCgigqFkiPHX18SwblgRaI+6J4BxrKqEMRz +Qjo4BzpqBxepDGwe4xJVFA/KoO9QENSj35h+15RHNC33nMPmE068R4jwVFSvKmJe +9qVJjbMQqBtsbVW/1jcgYKUIlg2IPMzplbvrZzWX3EZ7vOZx6g3nI9gDEx2g2WKN +t4fDXpzsNpdqFOdol9eRzUpHbkg1N9SRZLB1HGZ3+5xgQq0o0alHdEp5I/du0ESE +SQASXOdZgrxjIErm3xq/cVms0JBhia1tYAJnW9CjM9I0YdG/zwH6BK/m5RWQzkNV +N6n5lsgHrtWjlcUPMgd8OGTR7F1HQW5q8LDMDhI6ebuiRoMc7BJD0OsZKrohpCLz +MgXtU+muFVWaRd6q+8KcX6NilSrG88+SMnTJCEyillQ578X3MlkJMSx/XHwDAS14 +JK8yIcMmTLVxpc4RAMR7milNrCVBZHxLwhgTWvxf5BXw1Fiif4iyemBdS6W/m4h2 +QiwOZdgXDK7NYwekF9H+vl4EGTYA6AiccaTuNiTVWS9hivRcucNZ92MJaomdypc= -----END CERTIFICATE-----
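Review bot: The replacement CA is a roughly sixteen-month certificate (decoding the Validity field in the new base64 gives notBefore 2023-08-08 and notAfter 2024-12-20 UTC, if I have read the DER correctly; the old one was dated to end 2023-12-13), so this same rotation will be needed again and anything exercising the example presumably starts failing at that point with no warning. A PEM file cannot carry a comment, so record next to the example that consumes it where the file was fetched from, its notAfter date and its fingerprint, and consider a CI step that warns when the bundled trust anchor is within a set number of days of expiry, so the next update is a planned change rather than a breakage. Noting how the new file was obtained in the commit message would also make the provenance of this trust anchor verifiable.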