diff --git a/Cargo.lock b/Cargo.lock
index 81392ca7c..5a0158ecd 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1036,9 +1036,9 @@ checksum = "23d8666cb01533c39dde32bcbab8e227b4ed6679b2c925eba05feabea39508fb"
 
 [[package]]
 name = "der"
-version = "0.6.1"
+version = "0.7.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f1a467a65c5e759bce6e65eaf91cc29f466cdc57cb65777bd646872a8a1fd4de"
+checksum = "05e58dffcdcc8ee7b22f0c1f71a69243d7c2d9ad87b5a14361f2424a1565c219"
 dependencies = [
  "const-oid",
  "pem-rfc7468",
@@ -2488,9 +2488,9 @@ dependencies = [
 
 [[package]]
 name = "pem-rfc7468"
-version = "0.6.0"
+version = "0.7.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "24d159833a9105500e0398934e205e0773f0b27529557134ecfc51c27646adac"
+checksum = "88b39c9bfcfc231068454382784bb460aae594343fb030d46e9f50a645418412"
 dependencies = [
  "base64ct",
 ]
@@ -2577,21 +2577,20 @@ checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184"
 
 [[package]]
 name = "pkcs1"
-version = "0.4.1"
+version = "0.7.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "eff33bdbdfc54cc98a2eca766ebdec3e1b8fb7387523d5c9c9a2891da856f719"
+checksum = "c8ffb9f10fa047879315e6625af03c164b16962a5368d724ed16323b68ace47f"
 dependencies = [
  "der",
  "pkcs8",
  "spki",
- "zeroize",
 ]
 
 [[package]]
 name = "pkcs8"
-version = "0.9.0"
+version = "0.10.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9eca2c590a5f85da82668fa685c09ce2888b9430e83299debf1f34b65fd4a4ba"
+checksum = "f950b2377845cebe5cf8b5165cb3cc1a5e0fa5cfa3e1f7f55707d8fd82e0a7b7"
 dependencies = [
  "der",
  "spki",
@@ -2883,11 +2882,12 @@ dependencies = [
 
 [[package]]
 name = "rsa"
-version = "0.8.2"
+version = "0.9.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "55a77d189da1fee555ad95b7e50e7457d91c0e089ec68ca69ad2989413bbdab4"
+checksum = "6ab43bb47d23c1a631b4b680199a45255dce26fa9ab2fa902581f624ff13e6a8"
 dependencies = [
  "byteorder",
+ "const-oid",
  "digest 0.10.6",
  "num-bigint-dig",
  "num-integer",
@@ -2897,6 +2897,7 @@ dependencies = [
  "pkcs8",
  "rand_core 0.6.4",
  "signature 2.1.0",
+ "spki",
  "subtle",
  "zeroize",
 ]
@@ -3416,9 +3417,9 @@ checksum = "6e63cff320ae2c57904679ba7cb63280a3dc4613885beafb148ee7bf9aa9042d"
 
 [[package]]
 name = "spki"
-version = "0.6.0"
+version = "0.7.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "67cf02bbac7a337dc36e4f5a693db6c21e7863f45070f7064577eb4367a3212b"
+checksum = "9d1e996ef02c474957d681f1b05213dfb0abab947b446a62d37770b23500184a"
 dependencies = [
  "base64ct",
  "der",
diff --git a/crates/tor-llcrypto/Cargo.toml b/crates/tor-llcrypto/Cargo.toml
index a9f4564e7..6ff914d84 100644
--- a/crates/tor-llcrypto/Cargo.toml
+++ b/crates/tor-llcrypto/Cargo.toml
@@ -38,7 +38,7 @@ hex = "0.4"
 old_rand_core = { package = "rand_core", version = "0.5.1" }
 openssl = { version = "0.10.48", optional = true }
 rand_core = "0.6.2"
-rsa = "0.8.0"
+rsa = "0.9.0"
 safelog = { version = "0.3.0", path = "../safelog" }
 serde = "1.0.103"
 sha1 = "0.10.0"
diff --git a/crates/tor-llcrypto/src/pk/rsa.rs b/crates/tor-llcrypto/src/pk/rsa.rs
index ac61e575a..41596d452 100644
--- a/crates/tor-llcrypto/src/pk/rsa.rs
+++ b/crates/tor-llcrypto/src/pk/rsa.rs
@@ -217,12 +217,12 @@ impl PublicKey {
     /// Return true iff the exponent for this key is the same
     /// number as 'e'.
     pub fn exponent_is(&self, e: u32) -> bool {
-        use rsa::PublicKeyParts;
+        use rsa::traits::PublicKeyParts;
         *self.0.e() == rsa::BigUint::new(vec![e])
     }
     /// Return the number of bits in the modulus for this key.
     pub fn bits(&self) -> usize {
-        use rsa::PublicKeyParts;
+        use rsa::traits::PublicKeyParts;
         self.0.n().bits()
     }
     /// Try to check a signature (as used in Tor.)  The signed hash
@@ -231,8 +231,7 @@ impl PublicKey {
     /// Tor uses RSA-PKCSv1 signatures, with hash algorithm OIDs
     /// omitted.
     pub fn verify(&self, hashed: &[u8], sig: &[u8]) -> Result<(), signature::Error> {
-        use rsa::PublicKey;
-        let padding = rsa::pkcs1v15::Pkcs1v15Sign::new_raw();
+        let padding = rsa::pkcs1v15::Pkcs1v15Sign::new_unprefixed();
         self.0
             .verify(padding, hashed, sig)
             .map_err(|_| signature::Error::new())
@@ -252,8 +251,8 @@ impl PublicKey {
     pub fn to_der(&self) -> Vec<u8> {
         // There seem to be version issues with these two
         // versions of bigint: yuck!
+        use rsa::traits::PublicKeyParts;
         use rsa::BigUint; // not the same as the one in simple_asn1.
-        use rsa::PublicKeyParts;
         use simple_asn1::{ASN1Block, BigInt};
         /// Helper: convert a BigUInt to signed asn1.
         fn to_asn1_int(x: &BigUint) -> ASN1Block {