remove zeroize dependency

this is not so much a problem as a possible source of false security for
the readers. all secret keys we handle are serialized in some form, and
those serialization buffers are *not* zeroed out after use. zeroing our
raw buffers doesn't help much in that case, using a zero-on-free
allocator would be much more helpful.

3 files changed, 1 insertions, 10 deletions

diff --git a/Cargo.lock b/Cargo.lock
index 7936ce1..8b2788b 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1472,7 +1472,6 @@ dependencies = [
  "url",
  "validator",
  "web-push",
- "zeroize",
 ]
 
 [[package]]
diff --git a/Cargo.toml b/Cargo.toml
index da84734..4025383 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -31,7 +31,6 @@ subtle = "2.4.1"
 url = "2.2.2"
 validator = { version = "0.15", features = [ "derive" ] }
 web-push = "0.9.2"
-zeroize = { version = "1.4.3", features = [ "zeroize_derive" ] }
 
 [dev-dependencies]
 hex-literal = "0.3.4"
diff --git a/src/crypto.rs b/src/crypto.rs
index 049f6b0..c3417fd 100644
--- a/src/crypto.rs
+++ b/src/crypto.rs
@@ -17,16 +17,10 @@ use sha2::Sha256;
 
 const NAMESPACE: &[u8] = b"identity.mozilla.com/picl/v1/";
 
-#[derive(Clone, PartialEq, Eq, Zeroize, Serialize, Deserialize)]
+#[derive(Clone, PartialEq, Eq, Serialize, Deserialize)]
 #[serde(try_from = "String", into = "String")]
 pub struct SecretBytes<const N: usize>(pub [u8; N]);
 
-impl<const N: usize> Drop for SecretBytes<N> {
-    fn drop(&mut self) {
-        self.zeroize();
-    }
-}
-
 #[derive(Clone, PartialEq, Eq)]
 pub struct TokenID(pub [u8; 32]);
 
@@ -123,7 +117,6 @@ mod from_hkdf {
 }
 
 use from_hkdf::from_hkdf;
-use zeroize::Zeroize;
 
 impl<const N: usize> SecretBytes<N> {
     pub fn generate() -> Self {