From 79160ae543f31e521d59d1de2c3f90afaf2d72c3 Mon Sep 17 00:00:00 2001 From: Arthur Gautier Date: Fri, 14 Feb 2025 14:35:25 -0800 Subject: [PATCH] bump `rand_core` from `0.6.4` to `0.9.0` --- Cargo.lock | 116 ++++++++++++++++++++++++--------- Cargo.toml | 28 +++++--- src/algorithms/generate.rs | 6 +- src/algorithms/oaep.rs | 8 +-- src/algorithms/pkcs1v15.rs | 6 +- src/algorithms/rsa.rs | 8 +-- src/dummy_rng.rs | 4 -- src/key.rs | 12 ++-- src/lib.rs | 1 + src/oaep.rs | 14 ++-- src/oaep/decrypting_key.rs | 4 +- src/oaep/encrypting_key.rs | 8 +-- src/pkcs1v15.rs | 14 ++-- src/pkcs1v15/decrypting_key.rs | 4 +- src/pkcs1v15/encrypting_key.rs | 8 +-- src/pkcs1v15/signing_key.rs | 40 +++++++----- src/pss.rs | 12 ++-- src/pss/blinded_signing_key.rs | 56 ++++++++++------ src/pss/signing_key.rs | 50 ++++++++------ src/traits/encryption.rs | 10 +-- src/traits/padding.rs | 8 +-- src/unwrap_rng.rs | 28 ++++++++ 22 files changed, 283 insertions(+), 162 deletions(-) create mode 100644 src/unwrap_rng.rs diff --git a/Cargo.lock b/Cargo.lock index 81d2f1c0..cd7e3fdb 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -141,12 +141,11 @@ dependencies = [ [[package]] name = "crypto-bigint" -version = "0.6.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4919aa33c410cb537c1b2a8458a896f9e47ed4349a2002e5b240f358f7bf6ffc" +version = "0.7.0-pre" +source = "git+https://github.com/RustCrypto/crypto-bigint.git#534c2940b1f0aa9ec8ada964ce654cc0e6e1e7bb" dependencies = [ "num-traits", - "rand_core", + "rand_core 0.9.0", "serdect", "subtle", "zeroize", 
@@ -160,17 +159,16 @@ checksum = "b0b8ce8218c97789f16356e7896b3714f26c2ee1079b79c0b7ae7064bb9089fa" dependencies = [ "getrandom 0.2.15", "hybrid-array", - "rand_core", + "rand_core 0.6.4", ] [[package]] name = "crypto-primes" version = "0.6.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d8cafc054d42839b05a3d87df450ca9c5437c06aa68b3ef70d4e7e98b9346961" +source = "git+https://github.com/baloo/crypto-primes.git?branch=baloo%2Frand_core-0.9#6b8d95e797c84d564de6760ff4b54c4e55a6a6b5" dependencies = [ "crypto-bigint", - "rand_core", + "rand_core 0.9.0", ] [[package]] @@ -396,15 +394,14 @@ dependencies = [ [[package]] name = "pkcs5" version = "0.8.0-rc.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f8f82982d2266bdb473aad8f0f5deb02405ada818775769f3c71f12e349d1212" +source = "git+https://github.com/baloo/formats.git?branch=baloo%2Fpkcs%2Frand-core-0.9#a178416235d764b580507f30cc92c50fae0287c3" dependencies = [ "aes", "aes-gcm", "cbc", "der", "pbkdf2", - "rand_core", + "rand_core 0.9.0", "scrypt", "sha2", "spki", @@ -413,12 +410,11 @@ dependencies = [ [[package]] name = "pkcs8" version = "0.11.0-rc.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "eacd2c7141f32aef1cfd1ad0defb5287a3d94592d7ab57c1ae20e3f9f1f0db1f" +source = "git+https://github.com/baloo/formats.git?branch=baloo%2Fpkcs%2Frand-core-0.9#a178416235d764b580507f30cc92c50fae0287c3" dependencies = [ "der", "pkcs5", - "rand_core", + "rand_core 0.9.0", "spki", ] @@ -440,7 +436,7 @@ version = "0.2.20" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "77957b295656769bb8ad2b6a6b09d897d94f05c41b069aede1fcdaa675eaea04" dependencies = [ - "zerocopy", + "zerocopy 0.7.35", ] [[package]] 
@@ -463,9 +459,9 @@ dependencies = [ "bitflags", "lazy_static", "num-traits", - "rand", - "rand_chacha", - "rand_xorshift", + "rand 0.8.5", + "rand_chacha 0.3.1", + "rand_xorshift 0.3.0", "regex-syntax", "rusty-fork", "tempfile", @@ -494,8 +490,19 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404" dependencies = [ "libc", - "rand_chacha", - "rand_core", + "rand_chacha 0.3.1", + "rand_core 0.6.4", +] + +[[package]] +name = "rand" +version = "0.9.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3779b94aeb87e8bd4e834cee3650289ee9e0d5677f976ecdb6d219e5f4f6cd94" +dependencies = [ + "rand_chacha 0.9.0", + "rand_core 0.9.0", + "zerocopy 0.8.17", ] [[package]] @@ -505,7 +512,17 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e6c10a63a0fa32252be49d21e7709d4d4baf8d231c2dbce1eaa8141b9b127d88" dependencies = [ "ppv-lite86", - "rand_core", + "rand_core 0.6.4", +] + +[[package]] +name = "rand_chacha" +version = "0.9.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d3022b5f1df60f26e1ffddd6c66e8aa15de382ae63b3a0c1bfc0e4d3e3f325cb" +dependencies = [ + "ppv-lite86", + "rand_core 0.9.0", ] [[package]] 
@@ -517,13 +534,32 @@ dependencies = [ "getrandom 0.2.15", ] +[[package]] +name = "rand_core" +version = "0.9.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b08f3c9802962f7e1b25113931d94f43ed9725bebc59db9d0c3e9a23b67e15ff" +dependencies = [ + "getrandom 0.3.1", + "zerocopy 0.8.17", +] + [[package]] name = "rand_xorshift" version = "0.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d25bf25ec5ae4a3f1b92f929810509a2f53d7dca2f50b794ff57e3face536c8f" dependencies = [ - "rand_core", + "rand_core 0.6.4", +] + +[[package]] +name = "rand_xorshift" +version = "0.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "513962919efc330f829edb2535844d1b912b0fbe2ca165d613e4e8788bb05a5a" +dependencies = [ + "rand_core 0.9.0", ] [[package]] @@ -546,10 +582,10 @@ dependencies = [ "pkcs1", "pkcs8", "proptest", - "rand", - "rand_chacha", - "rand_core", - "rand_xorshift", + "rand 0.9.0", + "rand_chacha 0.9.0", + "rand_core 0.9.0", + "rand_xorshift 0.4.0", "serde", "serde_json", "serde_test", @@ -700,12 +736,12 @@ dependencies = [ [[package]] name = "signature" -version = "2.3.0-pre.4" +version = "2.3.0-pre.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "054d71959c7051b9042c26af337f05cc930575ed2604d7d3ced3158383e59734" +checksum = "7c2709fb57c97dd1496b041ae261a6b92def6e6f97d206898b4726e6bdf4ec8f" dependencies = [ "digest", - "rand_core", + "rand_core 0.9.0", ] [[package]] 
@@ -890,7 +926,16 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1b9b4fd18abc82b8136838da5d50bae7bdea537c574d8dc1a34ed098d6c166f0" dependencies = [ "byteorder", - "zerocopy-derive", + "zerocopy-derive 0.7.35", +] + +[[package]] +name = "zerocopy" +version = "0.8.17" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "aa91407dacce3a68c56de03abe2760159582b846c6a4acd2f456618087f12713" +dependencies = [ + "zerocopy-derive 0.8.17", ] [[package]] @@ -904,6 +949,17 @@ dependencies = [ "syn", ] +[[package]] +name = "zerocopy-derive" +version = "0.8.17" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "06718a168365cad3d5ff0bb133aad346959a2074bd4a85c121255a11304a8626" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + [[package]] name = "zeroize" version = "1.8.1" diff --git a/Cargo.toml b/Cargo.toml index 009b4c60..3008deec 100644 --- a/Cargo.toml +++ b/Cargo.toml 
@@ -13,16 +13,16 @@ readme = "README.md" rust-version = "1.83" [dependencies] -rand_core = { version = "0.6.4", default-features = false } +rand_core = { version = "0.9.0", default-features = false } const-oid = { version = "0.10.0-rc.3", default-features = false } subtle = { version = "2.6.1", default-features = false } digest = { version = "=0.11.0-pre.9", default-features = false, features = ["alloc", "oid"] } pkcs1 = { version = "0.8.0-rc.1", default-features = false, features = ["alloc", "pkcs8"] } pkcs8 = { version = "0.11.0-rc.1", default-features = false, features = ["alloc"] } -signature = { version = "=2.3.0-pre.4", default-features = false, features = ["alloc", "digest", "rand_core"] } +signature = { version = "=2.3.0-pre.5", default-features = false, features = ["alloc", "digest", "rand_core"] } spki = { version = "0.8.0-rc.1", default-features = false, features = ["alloc"] } zeroize = { version = "1.5", features = ["alloc"] } -crypto-bigint = { version = "0.6.0", default-features = false, features = ["zeroize", "alloc"] } +crypto-bigint = { version = "0.7.0-pre", default-features = false, features = ["zeroize", "alloc"] } crypto-primes = { version = "0.6.0", default-features = false } # optional dependencies @@ -37,10 +37,10 @@ base64ct = { version = "1", features = ["alloc"] } hex-literal = "0.4.1" proptest = "1" serde_test = "1.0.89" -rand_xorshift = "0.3" -rand_chacha = "0.3" -rand = "0.8" -rand_core = { version = "0.6", default-features = false } +rand_xorshift = "0.4" +rand_chacha = "0.9" +rand = "0.9" +rand_core = { version = "0.9.0", default-features = false } sha1 = { version = "=0.11.0-pre.4", default-features = false, features = ["oid"] } sha2 = { version = "=0.11.0-pre.4", default-features = false, features = ["oid"] } sha3 = { version = "=0.11.0-pre.4", default-features = false, features = ["oid"] } 
@@ -54,7 +54,7 @@ name = "key" [features] default = ["std", "pem"] hazmat = [] -getrandom = ["rand_core/getrandom", "crypto-bigint/rand_core"] +getrandom = ["rand_core/os_rng", "crypto-bigint/rand_core"] serde = ["dep:serde", "dep:serdect", "crypto-bigint/serde"] pem = ["pkcs1/pem", "pkcs8/pem"] pkcs5 = ["pkcs8/encryption"] @@ -70,3 +70,15 @@ opt-level = 2 [profile.bench] debug = true + +[patch.crates-io] +# https://github.com/RustCrypto/crypto-bigint/pull/762 +# https://github.com/RustCrypto/crypto-bigint/pull/765 +crypto-bigint = { git = "https://github.com/RustCrypto/crypto-bigint.git" } + +# https://github.com/entropyxyz/crypto-primes/pull/74 +crypto-primes = { git = "https://github.com/baloo/crypto-primes.git", branch = "baloo/rand_core-0.9" } + +# https://github.com/RustCrypto/formats/pull/1658 +pkcs5 = { git = "https://github.com/baloo/formats.git", branch = "baloo/pkcs/rand-core-0.9" } +pkcs8 = { git = "https://github.com/baloo/formats.git", branch = "baloo/pkcs/rand-core-0.9" } diff --git a/src/algorithms/generate.rs b/src/algorithms/generate.rs index cc2d2935..52887c49 100644 --- a/src/algorithms/generate.rs +++ b/src/algorithms/generate.rs @@ -6,7 +6,7 @@ use crypto_primes::{ hazmat::{SetBits, SmallPrimesSieveFactory}, is_prime_with_rng, sieve_and_find, }; -use rand_core::CryptoRngCore; +use rand_core::CryptoRng; use crate::{ algorithms::rsa::{compute_modulus, compute_private_exponent_euler_totient}, @@ -31,7 +31,7 @@ pub struct RsaPrivateKeyComponents { /// /// [1]: https://patents.google.com/patent/US4405829A/en /// [2]: http://www.cacr.math.uwaterloo.ca/techreports/2006/cacr2006-16.pdf -pub(crate) fn generate_multi_prime_key_with_exp( +pub(crate) fn generate_multi_prime_key_with_exp( rng: &mut R, nprimes: usize, bit_size: usize, 
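Review bot: The new `[patch.crates-io]` section pins `crypto-bigint` to a git URL with no `rev` or `branch`, so it floats on the upstream default branch, and the `crypto-primes`, `pkcs5` and `pkcs8` overrides point at branches of a personal fork. Cargo.lock records the resolved commits for this workspace (534c2940b1f0aa9ec8ada964ce654cc0e6e1e7bb for crypto-bigint, a178416235d764b580507f30cc92c50fae0287c3 for the formats fork), but `[patch]` does not apply to downstream consumers, so with the crates.io `crypto-primes 0.6.0` still on rand_core 0.6 (per the removed Cargo.lock entry) the crate cannot be published or consumed as-is until the linked PRs merge. I would pin the floating line, `crypto-bigint = { git = "https://github.com/RustCrypto/crypto-bigint.git", rev = "534c2940b1f0aa9ec8ada964ce654cc0e6e1e7bb" }`, and mark the section with a comment such as `# TEMPORARY: remove before release; blocks publishing until the PRs above land`.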
@@ -120,7 +120,7 @@ pub(crate) fn generate_multi_prime_key_with_exp( }) } -fn generate_prime_with_rng(rng: &mut R, bit_length: u32) -> BoxedUint { +fn generate_prime_with_rng(rng: &mut R, bit_length: u32) -> BoxedUint { sieve_and_find( rng, SmallPrimesSieveFactory::new(bit_length, SetBits::TwoMsb), diff --git a/src/algorithms/oaep.rs b/src/algorithms/oaep.rs index b2a5102d..8af99340 100644 --- a/src/algorithms/oaep.rs +++ b/src/algorithms/oaep.rs @@ -4,7 +4,7 @@ use alloc::boxed::Box; use alloc::vec::Vec; use digest::{Digest, DynDigest, FixedOutputReset}; -use rand_core::CryptoRngCore; +use rand_core::CryptoRng; use subtle::{Choice, ConditionallySelectable, ConstantTimeEq, CtOption}; use zeroize::Zeroizing; @@ -19,7 +19,7 @@ use crate::errors::{Error, Result}; const MAX_LABEL_LEN: u64 = 1 << 61; #[inline] -fn encrypt_internal( +fn encrypt_internal( rng: &mut R, msg: &[u8], p_hash: &[u8], @@ -57,7 +57,7 @@ fn encrypt_internal /// /// [PKCS#1 OAEP]: https://datatracker.ietf.org/doc/html/rfc8017#section-7.1 #[inline] -pub(crate) fn oaep_encrypt( +pub(crate) fn oaep_encrypt( rng: &mut R, msg: &[u8], digest: &mut dyn DynDigest, @@ -90,7 +90,7 @@ pub(crate) fn oaep_encrypt( /// [PKCS#1 OAEP]: https://datatracker.ietf.org/doc/html/rfc8017#section-7.1 #[inline] pub(crate) fn oaep_encrypt_digest< - R: CryptoRngCore + ?Sized, + R: CryptoRng + ?Sized, D: Digest, MGD: Digest + FixedOutputReset, >( diff --git a/src/algorithms/pkcs1v15.rs b/src/algorithms/pkcs1v15.rs index e813de11..fb78ac7f 100644 --- a/src/algorithms/pkcs1v15.rs +++ b/src/algorithms/pkcs1v15.rs @@ -9,7 +9,7 @@ use alloc::vec::Vec; use digest::Digest; use pkcs8::AssociatedOid; -use rand_core::CryptoRngCore; +use rand_core::CryptoRng; use subtle::{Choice, ConditionallySelectable, ConstantTimeEq}; use zeroize::Zeroizing; 
@@ -18,7 +18,7 @@ use crate::errors::{Error, Result}; /// Fills the provided slice with random values, which are guaranteed /// to not be zero. #[inline] -fn non_zero_random_bytes(rng: &mut R, data: &mut [u8]) { +fn non_zero_random_bytes(rng: &mut R, data: &mut [u8]) { rng.fill_bytes(data); for el in data { @@ -39,7 +39,7 @@ pub(crate) fn pkcs1v15_encrypt_pad( k: usize, ) -> Result>> where - R: CryptoRngCore + ?Sized, + R: CryptoRng + ?Sized, { if msg.len() + 11 > k { return Err(Error::MessageTooLong); diff --git a/src/algorithms/rsa.rs b/src/algorithms/rsa.rs index 1dca90c1..d251efa1 100644 --- a/src/algorithms/rsa.rs +++ b/src/algorithms/rsa.rs @@ -4,7 +4,7 @@ use core::cmp::Ordering; use crypto_bigint::modular::{BoxedMontyForm, BoxedMontyParams}; use crypto_bigint::{BoxedUint, Gcd, NonZero, Odd, RandomMod, Wrapping}; -use rand_core::CryptoRngCore; +use rand_core::CryptoRng; use zeroize::Zeroize; use crate::errors::{Error, Result}; @@ -31,7 +31,7 @@ pub fn rsa_encrypt(key: &K, m: &BoxedUint) -> Result( +pub fn rsa_decrypt( mut rng: Option<&mut R>, priv_key: &impl PrivateKeyParts, c: &BoxedUint, @@ -123,7 +123,7 @@ pub fn rsa_decrypt( /// Use this function with great care! Raw RSA should never be used without an appropriate padding /// or signature scheme. See the [module-level documentation][crate::hazmat] for more information. #[inline] -pub fn rsa_decrypt_and_check( +pub fn rsa_decrypt_and_check( priv_key: &impl PrivateKeyParts, rng: Option<&mut R>, c: &BoxedUint, @@ -142,7 +142,7 @@ pub fn rsa_decrypt_and_check( } /// Returns the blinded c, along with the unblinding factor. -fn blind( +fn blind( rng: &mut R, key: &K, c: &BoxedUint, diff --git a/src/dummy_rng.rs b/src/dummy_rng.rs index 87beaa94..8d8a703c 100644 --- a/src/dummy_rng.rs +++ b/src/dummy_rng.rs 
@@ -17,10 +17,6 @@ impl RngCore for DummyRng { fn fill_bytes(&mut self, _: &mut [u8]) { unimplemented!(); } - - fn try_fill_bytes(&mut self, _: &mut [u8]) -> core::result::Result<(), rand_core::Error> { - unimplemented!(); - } } impl CryptoRng for DummyRng {} diff --git a/src/key.rs b/src/key.rs index 790fe4a5..d7947960 100644 --- a/src/key.rs +++ b/src/key.rs @@ -2,7 +2,7 @@ use alloc::vec::Vec; use core::hash::{Hash, Hasher}; use crypto_bigint::modular::{BoxedMontyForm, BoxedMontyParams}; use crypto_bigint::{BoxedUint, Integer, NonZero, Odd}; -use rand_core::CryptoRngCore; +use rand_core::CryptoRng; use zeroize::{Zeroize, ZeroizeOnDrop}; #[cfg(feature = "serde")] use { @@ -169,7 +169,7 @@ impl PublicKeyParts for RsaPublicKey { impl RsaPublicKey { /// Encrypt the given message. - pub fn encrypt( + pub fn encrypt( &self, rng: &mut R, padding: P, @@ -254,7 +254,7 @@ impl RsaPrivateKey { const EXP: u64 = 65537; /// Generate a new Rsa key pair of the given bit size using the passed in `rng`. - pub fn new(rng: &mut R, bit_size: usize) -> Result { + pub fn new(rng: &mut R, bit_size: usize) -> Result { Self::new_with_exp(rng, bit_size, BoxedUint::from(Self::EXP)) } @@ -262,7 +262,7 @@ impl RsaPrivateKey { /// using the passed in `rng`. /// /// Unless you have specific needs, you should use `RsaPrivateKey::new` instead. - pub fn new_with_exp( + pub fn new_with_exp( rng: &mut R, bit_size: usize, exp: BoxedUint, @@ -493,7 +493,7 @@ impl RsaPrivateKey { /// Decrypt the given message. /// /// Uses `rng` to blind the decryption process. - pub fn decrypt_blinded( + pub fn decrypt_blinded( &self, rng: &mut R, padding: P, @@ -517,7 +517,7 @@ impl RsaPrivateKey { /// [`Pss::new`][`crate::Pss::new`] for a standard RSASSA-PSS signature, or /// [`Pss::new_blinded`][`crate::Pss::new_blinded`] for RSA-BSSA blind /// signatures. - pub fn sign_with_rng( + pub fn sign_with_rng( &self, rng: &mut R, padding: S, diff --git a/src/lib.rs b/src/lib.rs index f78b9eb7..ce05fafb 100644 
--- a/src/lib.rs +++ b/src/lib.rs @@ -237,6 +237,7 @@ pub mod traits; mod dummy_rng; mod encoding; mod key; +mod unwrap_rng; pub use pkcs1; pub use pkcs8; diff --git a/src/oaep.rs b/src/oaep.rs index 13ac8d7b..88fba589 100644 --- a/src/oaep.rs +++ b/src/oaep.rs @@ -15,7 +15,7 @@ use core::fmt; use crypto_bigint::BoxedUint; use digest::{Digest, DynDigest, FixedOutputReset}; -use rand_core::CryptoRngCore; +use rand_core::CryptoRng; use crate::algorithms::oaep::*; use crate::algorithms::pad::{uint_to_be_pad, uint_to_zeroizing_be_pad}; @@ -135,7 +135,7 @@ impl Oaep { } impl PaddingScheme for Oaep { - fn decrypt( + fn decrypt( mut self, rng: Option<&mut Rng>, priv_key: &RsaPrivateKey, @@ -151,7 +151,7 @@ impl PaddingScheme for Oaep { ) } - fn encrypt( + fn encrypt( mut self, rng: &mut Rng, pub_key: &RsaPublicKey, @@ -186,7 +186,7 @@ impl fmt::Debug for Oaep { /// /// [PKCS#1 OAEP]: https://datatracker.ietf.org/doc/html/rfc8017#section-7.1 #[inline] -fn encrypt( +fn encrypt( rng: &mut R, pub_key: &RsaPublicKey, msg: &[u8], @@ -209,7 +209,7 @@ fn encrypt( /// `2 + (2 * hash.size())`. /// /// [PKCS#1 OAEP]: https://datatracker.ietf.org/doc/html/rfc8017#section-7.1 -fn encrypt_digest( +fn encrypt_digest( rng: &mut R, pub_key: &RsaPublicKey, msg: &[u8], @@ -236,7 +236,7 @@ fn encrypt_digest( +fn decrypt( rng: Option<&mut R>, priv_key: &RsaPrivateKey, ciphertext: &[u8], @@ -269,7 +269,7 @@ fn decrypt( /// /// [PKCS#1 OAEP]: https://datatracker.ietf.org/doc/html/rfc8017#section-7.1 #[inline] -fn decrypt_digest( +fn decrypt_digest( rng: Option<&mut R>, priv_key: &RsaPrivateKey, ciphertext: &[u8], diff --git a/src/oaep/decrypting_key.rs b/src/oaep/decrypting_key.rs index 459ff424..1e5bd3bf 100644 --- a/src/oaep/decrypting_key.rs +++ b/src/oaep/decrypting_key.rs 
@@ -7,7 +7,7 @@ use crate::{ use alloc::{boxed::Box, vec::Vec}; use core::marker::PhantomData; use digest::{Digest, FixedOutputReset}; -use rand_core::CryptoRngCore; +use rand_core::CryptoRng; #[cfg(feature = "serde")] use serde::{Deserialize, Serialize}; use zeroize::ZeroizeOnDrop; @@ -69,7 +69,7 @@ where D: Digest, MGD: Digest + FixedOutputReset, { - fn decrypt_with_rng( + fn decrypt_with_rng( &self, rng: &mut R, ciphertext: &[u8], diff --git a/src/oaep/encrypting_key.rs b/src/oaep/encrypting_key.rs index 717d0acf..7c8e3ddc 100644 --- a/src/oaep/encrypting_key.rs +++ b/src/oaep/encrypting_key.rs @@ -3,7 +3,7 @@ use crate::{traits::RandomizedEncryptor, Result, RsaPublicKey}; use alloc::{boxed::Box, vec::Vec}; use core::marker::PhantomData; use digest::{Digest, FixedOutputReset}; -use rand_core::CryptoRngCore; +use rand_core::CryptoRng; #[cfg(feature = "serde")] use serde::{Deserialize, Serialize}; @@ -54,11 +54,7 @@ where D: Digest, MGD: Digest + FixedOutputReset, { - fn encrypt_with_rng( - &self, - rng: &mut R, - msg: &[u8], - ) -> Result> { + fn encrypt_with_rng(&self, rng: &mut R, msg: &[u8]) -> Result> { encrypt_digest::<_, D, MGD>(rng, &self.inner, msg, self.label.clone()) } } diff --git a/src/pkcs1v15.rs b/src/pkcs1v15.rs index 638ff895..23022e19 100644 --- a/src/pkcs1v15.rs +++ b/src/pkcs1v15.rs @@ -22,7 +22,7 @@ use core::fmt::Debug; use crypto_bigint::BoxedUint; use digest::Digest; use pkcs8::AssociatedOid; -use rand_core::CryptoRngCore; +use rand_core::CryptoRng; use crate::algorithms::pad::{uint_to_be_pad, uint_to_zeroizing_be_pad}; use crate::algorithms::pkcs1v15::*; @@ -36,7 +36,7 @@ use crate::traits::{PaddingScheme, PublicKeyParts, SignatureScheme}; pub struct Pkcs1v15Encrypt; impl PaddingScheme for Pkcs1v15Encrypt { - fn decrypt( + fn decrypt( self, rng: Option<&mut Rng>, priv_key: &RsaPrivateKey, 
@@ -45,7 +45,7 @@ impl PaddingScheme for Pkcs1v15Encrypt { decrypt(rng, priv_key, ciphertext) } - fn encrypt( + fn encrypt( self, rng: &mut Rng, pub_key: &RsaPublicKey, @@ -100,7 +100,7 @@ impl Pkcs1v15Sign { } impl SignatureScheme for Pkcs1v15Sign { - fn sign( + fn sign( self, rng: Option<&mut Rng>, priv_key: &RsaPrivateKey, @@ -135,7 +135,7 @@ impl SignatureScheme for Pkcs1v15Sign { /// scheme from PKCS#1 v1.5. The message must be no longer than the /// length of the public modulus minus 11 bytes. #[inline] -fn encrypt( +fn encrypt( rng: &mut R, pub_key: &RsaPublicKey, msg: &[u8], @@ -157,7 +157,7 @@ fn encrypt( /// forge signatures as if they had the private key. See /// `decrypt_session_key` for a way of solving this problem. #[inline] -fn decrypt( +fn decrypt( rng: Option<&mut R>, priv_key: &RsaPrivateKey, ciphertext: &[u8], @@ -185,7 +185,7 @@ fn decrypt( /// messages to signatures and identify the signed messages. As ever, /// signatures provide authenticity, not confidentiality. #[inline] -fn sign( +fn sign( rng: Option<&mut R>, priv_key: &RsaPrivateKey, prefix: &[u8], diff --git a/src/pkcs1v15/decrypting_key.rs b/src/pkcs1v15/decrypting_key.rs index 02af68b5..438683f3 100644 --- a/src/pkcs1v15/decrypting_key.rs +++ b/src/pkcs1v15/decrypting_key.rs @@ -5,7 +5,7 @@ use crate::{ Result, RsaPrivateKey, }; use alloc::vec::Vec; -use rand_core::CryptoRngCore; +use rand_core::CryptoRng; #[cfg(feature = "serde")] use serde::{Deserialize, Serialize}; use zeroize::ZeroizeOnDrop; @@ -33,7 +33,7 @@ impl Decryptor for DecryptingKey { } impl RandomizedDecryptor for DecryptingKey { - fn decrypt_with_rng( + fn decrypt_with_rng( &self, rng: &mut R, ciphertext: &[u8], diff --git a/src/pkcs1v15/encrypting_key.rs b/src/pkcs1v15/encrypting_key.rs index 3738a78a..534869c9 100644 --- a/src/pkcs1v15/encrypting_key.rs +++ b/src/pkcs1v15/encrypting_key.rs 
@@ -1,7 +1,7 @@ use super::encrypt; use crate::{traits::RandomizedEncryptor, Result, RsaPublicKey}; use alloc::vec::Vec; -use rand_core::CryptoRngCore; +use rand_core::CryptoRng; #[cfg(feature = "serde")] use serde::{Deserialize, Serialize}; @@ -22,11 +22,7 @@ impl EncryptingKey { } impl RandomizedEncryptor for EncryptingKey { - fn encrypt_with_rng( - &self, - rng: &mut R, - msg: &[u8], - ) -> Result> { + fn encrypt_with_rng(&self, rng: &mut R, msg: &[u8]) -> Result> { encrypt(rng, &self.inner, msg) } } diff --git a/src/pkcs1v15/signing_key.rs b/src/pkcs1v15/signing_key.rs index 29c4e8a8..8320cb98 100644 --- a/src/pkcs1v15/signing_key.rs +++ b/src/pkcs1v15/signing_key.rs @@ -1,5 +1,5 @@ use super::{oid, pkcs1v15_generate_prefix, sign, Signature, VerifyingKey}; -use crate::{dummy_rng::DummyRng, Result, RsaPrivateKey}; +use crate::{dummy_rng::DummyRng, unwrap_rng::UnwrapRng, Result, RsaPrivateKey}; use alloc::vec::Vec; use core::marker::PhantomData; use digest::Digest; @@ -10,7 +10,7 @@ use pkcs8::{ }, AssociatedOid, EncodePrivateKey, SecretDocument, }; -use rand_core::CryptoRngCore; +use rand_core::{CryptoRng, TryCryptoRng}; #[cfg(feature = "serde")] use { pkcs8::DecodePrivateKey, @@ -49,7 +49,7 @@ where } /// Generate a new signing key with a prefix for the digest `D`. - pub fn random(rng: &mut R, bit_size: usize) -> Result { + pub fn random(rng: &mut R, bit_size: usize) -> Result { Ok(Self { inner: RsaPrivateKey::new(rng, bit_size)?, prefix: pkcs1v15_generate_prefix::(), @@ -65,7 +65,7 @@ where /// Generate a new signing key with a prefix for the digest `D`. #[deprecated(since = "0.9.0", note = "use SigningKey::random instead")] - pub fn random_with_prefix(rng: &mut R, bit_size: usize) -> Result { + pub fn random_with_prefix(rng: &mut R, bit_size: usize) -> Result { Self::random(rng, bit_size) } } 
@@ -88,7 +88,7 @@ where } /// Generate a new signing key with an empty prefix. - pub fn random_unprefixed(rng: &mut R, bit_size: usize) -> Result { + pub fn random_unprefixed(rng: &mut R, bit_size: usize) -> Result { Ok(Self { inner: RsaPrivateKey::new(rng, bit_size)?, prefix: Vec::new(), @@ -127,14 +127,19 @@ impl RandomizedDigestSigner for SigningKey where D: Digest, { - fn try_sign_digest_with_rng( + fn try_sign_digest_with_rng( &self, - rng: &mut impl CryptoRngCore, + rng: &mut R, digest: D, ) -> signature::Result { - sign(Some(rng), &self.inner, &self.prefix, &digest.finalize())? - .as_slice() - .try_into() + sign( + Some(&mut UnwrapRng(rng)), + &self.inner, + &self.prefix, + &digest.finalize(), + )? + .as_slice() + .try_into() } } @@ -142,14 +147,19 @@ impl RandomizedSigner for SigningKey where D: Digest, { - fn try_sign_with_rng( + fn try_sign_with_rng( &self, - rng: &mut impl CryptoRngCore, + rng: &mut R, msg: &[u8], ) -> signature::Result { - sign(Some(rng), &self.inner, &self.prefix, &D::digest(msg))? - .as_slice() - .try_into() + sign( + Some(&mut UnwrapRng(rng)), + &self.inner, + &self.prefix, + &D::digest(msg), + )? + .as_slice() + .try_into() } } diff --git a/src/pss.rs b/src/pss.rs index 22351a6c..6cbf867a 100644 --- a/src/pss.rs +++ b/src/pss.rs @@ -27,7 +27,7 @@ use const_oid::AssociatedOid; use digest::{Digest, DynDigest, FixedOutputReset}; use pkcs1::RsaPssParams; use pkcs8::spki::{der::Any, AlgorithmIdentifierOwned}; -use rand_core::CryptoRngCore; +use rand_core::CryptoRng; use crate::algorithms::pad::{uint_to_be_pad, uint_to_zeroizing_be_pad}; use crate::algorithms::pss::*; @@ -86,7 +86,7 @@ impl Pss { } impl SignatureScheme for Pss { - fn sign( + fn sign( mut self, rng: Option<&mut Rng>, priv_key: &RsaPrivateKey, 
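Review bot: `try_sign_digest_with_rng` now wraps the caller's RNG in `UnwrapRng`, so a `TryCryptoRng` that reports an error makes a method returning `signature::Result` panic instead of returning `Err`; the same applies to `try_sign_with_rng` below and to the `try_sign_*_with_rng`/`sign_prehash_with_rng` impls in src/pss/blinded_signing_key.rs and src/pss/signing_key.rs. Since the RNG is only handed to `sign` for blinding here (`Some(&mut UnwrapRng(rng))`), the failure could instead be surfaced as `signature::Error::new()`, though that would mean threading the fallible type through `sign`, which I cannot see from this hunk. At minimum the panic should be stated on these public impls, e.g. `/// # Panics` / `/// Panics if `rng` returns an error; wrap a fallible source in [`rand_core::UnwrapErr`] to make the failure explicit.` Note that the generic parameter lists appear to have been stripped from this rendering, so the exact bounds on `R` are not visible.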
@@ -165,7 +165,7 @@ where /// Note that hashed must be the result of hashing the input message using the /// given hash function. The opts argument may be nil, in which case sensible /// defaults are used. -pub(crate) fn sign( +pub(crate) fn sign( rng: &mut T, blind: bool, priv_key: &RsaPrivateKey, @@ -179,7 +179,7 @@ pub(crate) fn sign( sign_pss_with_salt(blind.then_some(rng), priv_key, hashed, &salt, digest) } -pub(crate) fn sign_digest( +pub(crate) fn sign_digest( rng: &mut T, blind: bool, priv_key: &RsaPrivateKey, @@ -197,7 +197,7 @@ pub(crate) fn sign_digest( +fn sign_pss_with_salt( blind_rng: Option<&mut T>, priv_key: &RsaPrivateKey, hashed: &[u8], @@ -213,7 +213,7 @@ fn sign_pss_with_salt( uint_to_zeroizing_be_pad(raw, priv_key.size()) } -fn sign_pss_with_salt_digest( +fn sign_pss_with_salt_digest( blind_rng: Option<&mut T>, priv_key: &RsaPrivateKey, hashed: &[u8], diff --git a/src/pss/blinded_signing_key.rs b/src/pss/blinded_signing_key.rs index 97ca1bf6..529df0d0 100644 --- a/src/pss/blinded_signing_key.rs +++ b/src/pss/blinded_signing_key.rs @@ -1,5 +1,5 @@ use super::{get_pss_signature_algo_id, sign_digest, Signature, VerifyingKey}; -use crate::{Result, RsaPrivateKey}; +use crate::{unwrap_rng::UnwrapRng, Result, RsaPrivateKey}; use const_oid::AssociatedOid; use core::marker::PhantomData; use digest::{Digest, FixedOutputReset}; @@ -10,7 +10,7 @@ use pkcs8::{ }, EncodePrivateKey, SecretDocument, }; -use rand_core::CryptoRngCore; +use rand_core::{CryptoRng, TryCryptoRng}; use signature::{ hazmat::RandomizedPrehashSigner, Keypair, RandomizedDigestSigner, RandomizedSigner, }; 
@@ -56,13 +56,13 @@ where /// Create a new random RSASSA-PSS signing key which produces "blinded" /// signatures. /// Digest output size is used as a salt length. - pub fn random(rng: &mut R, bit_size: usize) -> Result { + pub fn random(rng: &mut R, bit_size: usize) -> Result { Self::random_with_salt_len(rng, bit_size, ::output_size()) } /// Create a new random RSASSA-PSS signing key which produces "blinded" /// signatures with a salt of the given length. - pub fn random_with_salt_len( + pub fn random_with_salt_len( rng: &mut R, bit_size: usize, salt_len: usize, @@ -88,14 +88,20 @@ impl RandomizedSigner for BlindedSigningKey where D: Digest + FixedOutputReset, { - fn try_sign_with_rng( + fn try_sign_with_rng( &self, - rng: &mut impl CryptoRngCore, + rng: &mut R, msg: &[u8], ) -> signature::Result { - sign_digest::<_, D>(rng, true, &self.inner, &D::digest(msg), self.salt_len)? - .as_slice() - .try_into() + sign_digest::<_, D>( + &mut UnwrapRng(rng), + true, + &self.inner, + &D::digest(msg), + self.salt_len, + )? + .as_slice() + .try_into() } } @@ -103,14 +109,20 @@ impl RandomizedDigestSigner for BlindedSigningKey where D: Digest + FixedOutputReset, { - fn try_sign_digest_with_rng( + fn try_sign_digest_with_rng( &self, - rng: &mut impl CryptoRngCore, + rng: &mut R, digest: D, ) -> signature::Result { - sign_digest::<_, D>(rng, true, &self.inner, &digest.finalize(), self.salt_len)? - .as_slice() - .try_into() + sign_digest::<_, D>( + &mut UnwrapRng(rng), + true, + &self.inner, + &digest.finalize(), + self.salt_len, + )? + .as_slice() + .try_into() } } 
@@ -118,14 +130,20 @@ impl RandomizedPrehashSigner for BlindedSigningKey where D: Digest + FixedOutputReset, { - fn sign_prehash_with_rng( + fn sign_prehash_with_rng( &self, - rng: &mut impl CryptoRngCore, + rng: &mut R, prehash: &[u8], ) -> signature::Result { - sign_digest::<_, D>(rng, true, &self.inner, prehash, self.salt_len)? - .as_slice() - .try_into() + sign_digest::<_, D>( + &mut UnwrapRng(rng), + true, + &self.inner, + prehash, + self.salt_len, + )? + .as_slice() + .try_into() } } diff --git a/src/pss/signing_key.rs b/src/pss/signing_key.rs index 875ef866..25f254dc 100644 --- a/src/pss/signing_key.rs +++ b/src/pss/signing_key.rs @@ -1,6 +1,6 @@ use super::{get_pss_signature_algo_id, sign_digest, Signature, VerifyingKey}; use crate::encoding::verify_algorithm_id; -use crate::{Result, RsaPrivateKey}; +use crate::{unwrap_rng::UnwrapRng, Result, RsaPrivateKey}; use const_oid::AssociatedOid; use core::marker::PhantomData; use digest::{Digest, FixedOutputReset}; @@ -11,7 +11,7 @@ use pkcs8::{ }, EncodePrivateKey, SecretDocument, }; -use rand_core::CryptoRngCore; +use rand_core::{CryptoRng, TryCryptoRng}; use signature::{ hazmat::RandomizedPrehashSigner, Keypair, RandomizedDigestSigner, RandomizedSigner, }; @@ -24,7 +24,7 @@ use { #[cfg(feature = "getrandom")] use { - rand_core::OsRng, + rand_core::{OsRng, UnwrapErr}, signature::{hazmat::PrehashSigner, Signer}, }; @@ -63,12 +63,12 @@ where /// Generate a new random RSASSA-PSS signing key. /// Digest output size is used as a salt length. - pub fn random(rng: &mut R, bit_size: usize) -> Result { + pub fn random(rng: &mut R, bit_size: usize) -> Result { Self::random_with_salt_len(rng, bit_size, ::output_size()) } /// Generate a new random RSASSA-PSS signing key with a salt of the given length. - pub fn random_with_salt_len( + pub fn random_with_salt_len( rng: &mut R, bit_size: usize, salt_len: usize, 
@@ -94,14 +94,20 @@ impl RandomizedDigestSigner for SigningKey where D: Digest + FixedOutputReset, { - fn try_sign_digest_with_rng( + fn try_sign_digest_with_rng( &self, - rng: &mut impl CryptoRngCore, + rng: &mut R, digest: D, ) -> signature::Result { - sign_digest::<_, D>(rng, false, &self.inner, &digest.finalize(), self.salt_len)? - .as_slice() - .try_into() + sign_digest::<_, D>( + &mut UnwrapRng(rng), + false, + &self.inner, + &digest.finalize(), + self.salt_len, + )? + .as_slice() + .try_into() } } @@ -109,9 +115,9 @@ impl RandomizedSigner for SigningKey where D: Digest + FixedOutputReset, { - fn try_sign_with_rng( + fn try_sign_with_rng( &self, - rng: &mut impl CryptoRngCore, + rng: &mut R, msg: &[u8], ) -> signature::Result { self.try_sign_digest_with_rng(rng, D::new_with_prefix(msg)) @@ -122,14 +128,20 @@ impl RandomizedPrehashSigner for SigningKey where D: Digest + FixedOutputReset, { - fn sign_prehash_with_rng( + fn sign_prehash_with_rng( &self, - rng: &mut impl CryptoRngCore, + rng: &mut R, prehash: &[u8], ) -> signature::Result { - sign_digest::<_, D>(rng, false, &self.inner, prehash, self.salt_len)? - .as_slice() - .try_into() + sign_digest::<_, D>( + &mut UnwrapRng(rng), + false, + &self.inner, + prehash, + self.salt_len, + )? + .as_slice() + .try_into() } } @@ -139,7 +151,7 @@ where D: Digest + FixedOutputReset, { fn sign_prehash(&self, prehash: &[u8]) -> signature::Result { - self.sign_prehash_with_rng(&mut OsRng, prehash) + self.sign_prehash_with_rng(&mut UnwrapErr(OsRng), prehash) } } @@ -149,7 +161,7 @@ where D: Digest + FixedOutputReset, { fn try_sign(&self, msg: &[u8]) -> signature::Result { - self.try_sign_with_rng(&mut OsRng, msg) + self.try_sign_with_rng(&mut UnwrapErr(OsRng), msg) } } diff --git a/src/traits/encryption.rs b/src/traits/encryption.rs index e57caed4..cb605419 100644 --- a/src/traits/encryption.rs +++ b/src/traits/encryption.rs 
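Review bot: In `sign_prehash` and `try_sign` the RNG is passed as `&mut UnwrapErr(OsRng)` even though `sign_prehash_with_rng` and `try_sign_with_rng` now accept a `TryCryptoRng` and immediately wrap it in `UnwrapRng`, so the value is unwrapped twice. If I read rand_core 0.9 correctly, `OsRng` implements `TryCryptoRng` directly, so `self.sign_prehash_with_rng(&mut OsRng, prehash)` and `self.try_sign_with_rng(&mut OsRng, msg)` should compile, drop the `UnwrapErr` import under `#[cfg(feature = "getrandom")]`, and keep the same behaviour (a panic on OS RNG failure). If `UnwrapErr` is kept deliberately, a one-line comment saying why would stop the next reader from removing it.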
@@ -1,18 +1,14 @@ //! Encryption-related traits. use alloc::vec::Vec; -use rand_core::CryptoRngCore; +use rand_core::CryptoRng; use crate::errors::Result; /// Encrypt the message using provided random source pub trait RandomizedEncryptor { /// Encrypt the given message. - fn encrypt_with_rng( - &self, - rng: &mut R, - msg: &[u8], - ) -> Result>; + fn encrypt_with_rng(&self, rng: &mut R, msg: &[u8]) -> Result>; } /// Decrypt the given message @@ -24,7 +20,7 @@ pub trait Decryptor { /// Decrypt the given message using provided random source pub trait RandomizedDecryptor { /// Decrypt the given message. - fn decrypt_with_rng( + fn decrypt_with_rng( &self, rng: &mut R, ciphertext: &[u8], diff --git a/src/traits/padding.rs b/src/traits/padding.rs index ce198fc3..2ce58418 100644 --- a/src/traits/padding.rs +++ b/src/traits/padding.rs @@ -2,7 +2,7 @@ use alloc::vec::Vec; -use rand_core::CryptoRngCore; +use rand_core::CryptoRng; use crate::errors::Result; use crate::key::{RsaPrivateKey, RsaPublicKey}; @@ -13,7 +13,7 @@ pub trait PaddingScheme { /// /// If an `rng` is passed, it uses RSA blinding to help mitigate timing /// side-channel attacks. - fn decrypt( + fn decrypt( self, rng: Option<&mut Rng>, priv_key: &RsaPrivateKey, @@ -21,7 +21,7 @@ pub trait PaddingScheme { ) -> Result>; /// Encrypt the given message using the given public key. - fn encrypt( + fn encrypt( self, rng: &mut Rng, pub_key: &RsaPublicKey, @@ -32,7 +32,7 @@ pub trait PaddingScheme { /// Digital signature scheme. pub trait SignatureScheme { /// Sign the given digest. - fn sign( + fn sign( self, rng: Option<&mut Rng>, priv_key: &RsaPrivateKey, diff --git a/src/unwrap_rng.rs b/src/unwrap_rng.rs new file mode 100644 index 00000000..b63bcfe8 --- /dev/null +++ b/src/unwrap_rng.rs 
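Review bot: `RandomizedEncryptor::encrypt_with_rng` and `RandomizedDecryptor::decrypt_with_rng` keep an infallible `CryptoRng` bound, while the signing impls elsewhere in this patch moved to `TryCryptoRng`; under rand_core 0.9 that means a caller holding `OsRng` must wrap it themselves, as src/pss/signing_key.rs does with `UnwrapErr(OsRng)`, and nothing in the trait docs says so. A doc line on each method would help, e.g. `/// `rng` must be an infallible [`CryptoRng`]; wrap a fallible source such as `OsRng` in [`rand_core::UnwrapErr`].` The same applies to the `PaddingScheme` and `SignatureScheme` methods in src/traits/padding.rs below. Because `rand_core` is a public dependency of these traits, the 0.6 → 0.9 bump is a breaking API change worth a changelog entry.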
@@ -0,0 +1,28 @@
+#![allow(clippy::unwrap_used)]
+use rand_core::{CryptoRng, RngCore, TryCryptoRng, TryRngCore};
+
+/// Wrapper around [`TryRngCore`] implementation which implements [`RngCore`]
+/// by panicking on potential errors.
+///
+/// Similar to [`rand_core::UnwrapErr`] but works with inner references.
+#[derive(Debug, Eq, PartialEq, Hash)]
+pub(crate) struct UnwrapRng<'r, R: TryRngCore>(pub &'r mut R);
+
+impl RngCore for UnwrapRng<'_, R> {
+ #[inline]
+ fn next_u32(&mut self) -> u32 {
+ self.0.try_next_u32().unwrap()
+ }
+
+ #[inline]
+ fn next_u64(&mut self) -> u64 {
+ self.0.try_next_u64().unwrap()
+ }
+
+ #[inline]
+ fn fill_bytes(&mut self, dst: &mut [u8]) {
+ self.0.try_fill_bytes(dst).unwrap()
+ }
+}
+
+impl CryptoRng for UnwrapRng<'_, R> {}
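Review bot: The three `.unwrap()` calls in `next_u32`, `next_u64` and `fill_bytes` panic with only the `Debug` output of the inner error, which makes an RNG failure hard to recognise in a crash log; `self.0.try_fill_bytes(dst).expect("random source returned an error")` (and the same message on the other two) names the failure mode at no cost. The `R: TryRngCore` bound sits on the struct definition as well as (presumably) on the impls, whose generic parameter lists look stripped in this rendering; the usual convention is to keep the bound on the impls only. The `Eq`, `PartialEq` and `Hash` derives compare and hash a `&mut R` to an RNG, which seems unlikely to be meaningful for a wrapper that exists only to adapt the error path, so I would drop them unless a caller needs them.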