chore: add wasm32-unknown-unknown compatibility#20
Merged
Conversation
ring doesn't compile on wasm32-unknown-unknown (requires clang for C asm). Move ring to a target-conditional dep (native only), add aes-gcm from RustCrypto for wasm32. Both produce identical AES-256-GCM wire format: [nonce(12)][ciphertext][auth_tag(16)] Native targets continue using ring for hardware-accelerated performance. wasm32 targets use aes-gcm (pure Rust) when wasm+encryption features active. key_derivation.rs unchanged — already uses RustCrypto hkdf/sha2, compiles on both targets without modification.
- Fold aes-gcm/getrandom into encryption feature (no separate wasm flag needed) - Enable zeroize on aes/aes-gcm deps (scrub round keys on drop) - Add cross-backend wire format test (ring <-> aes-gcm roundtrip) - Remove dead cfg guards inside native-only functions - Consistency: error messages, min length expression, doc comments
cbindgen 0.29.2 pulls clap 4.6.0 which requires edition2024 (stabilized in Rust 1.85, Feb 2025). Pinning transitive deps is fragile; bumping MSRV is the correct fix.
aes-gcm brings in getrandom 0.2.x (via crypto-common), proptest uses 0.3.x, and tempfile/cbindgen uses 0.4.x. Updated skip entries to use semver ranges instead of exact versions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Instantunavailable on wasm32, metrics default to 0)Cell<u64>nonce counter fallback for wasm32 (replacesAtomicU64, seeded withgetrandom)aes-gcmas wasm32 encryption backend (ring requires clang/C asm, doesn't compile on wasm32)zeroizeonaes/aes-gcmdeps (scrub round keys on drop)encryptionfeature (no separatewasmflag needed)Motivation
The upcoming
cachekit-rsRust SDK targets both native and Cloudflare Workers (wasm32).cachekit-coremust compile onwasm32-unknown-unknownwith encryption support.Architecture
ringfor AES-256-GCM (hardware-accelerated)aes-gcmfrom RustCrypto (pure Rust, compiles on all targets)nonce(12) || ciphertext || tag(16)encryption/core.rsBreaking Changes
None. Public API unchanged. Existing consumers (PyO3, N-API) unaffected — they only use native targets.
Test plan
cargo test --features encryption)cargo check --target wasm32-unknown-unknown --features encryption --no-default-features)wasm-pack test --node, deferred to CI)