Allow library users to bring their own crypto providers#268
Allow library users to bring their own crypto providers#268jcgruenhage wants to merge 9 commits intodjc:mainfrom
Conversation
|
To pass the semver check, just add a commit that bumps the version to 0.9.0, please. |
|
@djc do you have a preference regarding commits? Should I address the feedback in new commits, or are you fine with force pushes that amend existing commits? |
|
I generally prefer clean commits that do one thing, so would definitely prefer force pushes over addressing feedback in separate commits. |
jcgruenhage
force-pushed
the
crypto-providers
branch
from
e3e6ffe to
f91a0d8
Compare
|
I have locally tested this with an openssl provider and a CLI that creates and deactivates accounts on letsencrypt staging, with 2k/3k/4k RSA and P-256/P-384 key types, including cross key rollover, so I'm removing the draft state. I'll push another time for working on the remaining unaddressed comments and splitting up the changes a bit further to help with reviewing the code. |
jcgruenhage
force-pushed
the
crypto-providers
branch
2 times, most recently
from
06fc20c to
0013fea
Compare
djc
left a comment
djc
left a comment
There was a problem hiding this comment.
Looking good, appreciate the clean commit history!
src/crypto.rs
Outdated
| } | ||
|
|
||
| #[cfg(feature = "ring")] | ||
| mod backend_ring { |
There was a problem hiding this comment.
Nit: rename these to ring_crypto and aws_lc_rs_crypto maybe?
There was a problem hiding this comment.
I've instead moved them to modules called ring and aws_lc_rs, nested beneath crypto. The benefit is that it allows easily diffing the two fairly similar modules.
|
I'd like to give this branch a review as well, but won't have a chance for a couple days. Probably best to address djc's feedback up-front anyway :-) |
Yup, won't merge without your review. |
jcgruenhage
force-pushed
the
crypto-providers
branch
from
0013fea to
5ea6432
Compare
This allows providers of custom `CryptoProvider`s to also support other algorithms, like EdDSA and RSA.
jcgruenhage
force-pushed
the
crypto-providers
branch
from
5ea6432 to
b8299f2
Compare
cpu
left a comment
cpu
left a comment
There was a problem hiding this comment.
This is really nice work, thank you!
I had a fair amount of feedback but I don't think any of it is super substantial.
src/types.rs
Outdated
| impl Jwk { | ||
| pub(crate) fn new(key: &crypto::EcdsaKeyPair) -> Self { | ||
| impl Jwk<'_> { | ||
| pub(crate) fn new(key: &crypto::EcdsaKeyPair) -> Jwk<'_> { |
There was a problem hiding this comment.
Does this need to change from Self because of the lifetime?
| #[cfg(feature = "ring")] | ||
| mod ring; | ||
|
|
||
| /// Cryptographic provider for ACME operations. |
There was a problem hiding this comment.
It feels like it might be worth a sentence or two describing how this differs from a Rustls cryptography provider used for the TLS operations required for the ACME server HTTPS API, as opposed to the crypto operations required for the ACME protocol. WDYT?
| } | ||
| } | ||
|
|
||
| struct BuiltinSha256; |
There was a problem hiding this comment.
nit: the "Builtin" part of this type name (and the HMAC) one seems a bit odd to me. Could we drop it? (Ditto for the ring mod equivalents)
| static NEXT_PORT: AtomicU16 = AtomicU16::new(5555); | ||
| const RETRY_POLICY: RetryPolicy = RetryPolicy::new().backoff(1.0); | ||
|
|
||
| fn test_provider() -> &'static CryptoProvider { |
There was a problem hiding this comment.
nit: put this above the static/consts?
| pub struct KeyAuthorization(String); | ||
| pub struct KeyAuthorization { | ||
| inner: String, | ||
| sha256: &'static dyn Sha256, |
There was a problem hiding this comment.
Would it be feasible/better to pre-compute the SHA256 in new() instead of holding on to the dyn Sha256 ref?
| /// Key type, must be `"OKP"` | ||
| kty: &'static str, |
There was a problem hiding this comment.
If the field must always be a certain value, should we maybe handle it ourselves in the Jwk.thumb_sha256 based on self.alg or the variant of self.key? I think it means we'd have to have an internal type that has the kty field for the purposes of serde_json, but it removes one potential source of error from a buggy crypto provider. That seems lightly worth it to me, especially given how many footguns exist in JWS w.r.t "alg: none" and similar :-/
Same feedback applies to the Rsa.kty and Ec.kty fields if you think it's worth considering.
There was a problem hiding this comment.
Yeah, that sounds like an improvement.
3 participants
Implements base for #267, allowing users to bring their own crypto.
Marked as draft for now, will un-draft once I've implemented (and tested) backends with other crypto libraries, like openssl and rustcrypto to validate this approach is viable.