-
Notifications
You must be signed in to change notification settings - Fork 736
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Provide a wasm-compatible Rust TLS implementation #1430
Comments
Hello, I feel the third stage, Implementing the TLS Spec, is a huge milestone, and I'd like to begin by reviewing the rustls APIs. To take on this topic, one should get to know both rust-crypto and the TLS spec well. |
@TieWay59 I think one way to do is to fork the Rustls library, find out how Ring is used and swap Ring API calls for Rust Crypto. 😃 |
Here are some of my insights Adapt rustls rather than reimplement tls.TLS protocol is very huge. Reimplementation not only means a lot of work, but also may lack of security. Reuse rustls consider more better. What is problem in rustlsRustls highly coupled with Ring. However, many users of rustls want to replace Ring, which mean provide a crypto layer. rustls/rustls#521 talk about it. Which crypto layer to choose?May RustCrypto as a middle layer is good. However, it depends on the upstream. So what we need to doAbstract a set of cryptographic apis (I hope it's RustCrypto) in Rustls and pull request it upstream, so that upstream can use conditional compilation (provide an option like Main problemThe APIs of ring and rust-crypto and wasi-crypto are very different. For rustls, it fully coupled to ring, It also depend on webpki, we also need to adapt it. For wasi-crypto and rust-crypto, design is very different. Rust-crypto assume you owned resource, but wasi-crypto only let you get resource. We probably also need to pull request RustCrypto. |
Thank you @juntao & @sonder-joker, after simply going through the rustls code base, I agree that TLS protocol is too huge to reimplementation. I‘ll keep investigate into the code base of RustCrypto , rust-crypto and wasi-crypto spec to find more inspiration. |
For those who want to start working here, you can start by abstract traits that coupled with ring and webpki (for ring/webpki relative use |
Hi @sonder-joker, here is my progress: Since rustls have lots of dependence on the ring crate, I investigate all related lines to evaluate the scale of re-implementation and listed them in a table. It's a very verbose result so I keep it in my blog post. (see https://www.yuque.com/tieway59/xopdgg/zmkx5g)
As per my investigation, there are more structs than traits that need to be replaced. May I ask for further information about "abstract traits", I'm still not clear about it. Do you mean I should first focus on the trait provided by the ring crate? |
Hi @TieWay59 I think the idea was to create new layer of abstract API interface (traits) between Ring and Rustls. This way, we can use Ring and Rust Crypto to implement the same API. However, I also think this is perhaps more work than we can do. I think it is probably a good idea to provide WASI-crypto implementations of the same Rust API Ring provides to Rustls. That requires us to fork Rustls. That's what you want to do, right? Thanks. |
Thank you @juntao
Sorry for my late reply, and yes that's what I tend to build for this task. I wonder if it's reasonable to maintain a fork of Rustls in which we would replace all the Ring API with WASI-crypto implementations? IMHO, When the upstream Rustls updates, it will be difficult to merge incoming updates. Is it acceptable? What do you think of the practice? Thanks. |
Im just why is this true? i dont understand this area in general. i do see related tickets briansmith/ring#918 that indicate ring is partially working in wasm, but i dont see what keeps it from working totally fine in wasm. |
@rektide I would love to see Ring get compiled into wASM. But the issue have been under discussion for 3 years. Do you have insights in its latest development? Thanks! |
Would be great to see this reviewed: briansmith/ring#1568 |
Ring has been ported to wasm: https://github.com/jedisct1/ring-wasi But I'd really recommend using BoringSSL instead. It has excellent bindings for Rust. Or implement a new set of host functions specifically to perform HTTP queries. Maybe a safe, minimal subset of |
Hi @jedisct1 |
Hi @juntao and @L-jasmine |
Motivation
The WasmEdge networking socket API provides support for TCP and HTTP connections. But many web services today require HTTPS connections. That means we need to support TLS in WasmEdge. The Rustls crate is the most popular TLS implementation in Rust. However, Rustls is based on the Ring library, which cannot be compiled into WebAssembly.
In WasmEdge, we now support the wasi-crypto spec. That allows us to compile the rust-crypto library into WebAssembly and run on WasmEdge. The goal of this project is to create a Rust TLS implementation based on rust-crypto.
Specification
Qualifications
To apply this LFX mentorship, there are some minimum qualifications:
Appendix
The text was updated successfully, but these errors were encountered: