Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make *ring* optional, and demonstrate how alternatives would be integrated #1405

Merged
merged 9 commits into from
Sep 13, 2023
Merged

Make *ring* optional, and demonstrate how alternatives would be integrated #1405

merged 9 commits into from
Sep 13, 2023

Commits on Sep 13, 2023

  1. Move crate::sign to crate::crypto::signer

    @ctz
    ctz committed Sep 13, 2023
    Configuration menu
    Copy the full SHA
    e7b1a36 View commit details
    Browse the repository at this point in the history

  2. Move ring-backed signature keys to crypto::ring

    @ctz
    ctz committed Sep 13, 2023
    Configuration menu
    Copy the full SHA
    eeee58b View commit details
    Browse the repository at this point in the history

  3. Remove ring use in handshake_test.rs

    @ctz
    ctz committed Sep 13, 2023
    Configuration menu
    Copy the full SHA
    db7aebc View commit details
    Browse the repository at this point in the history

  4. Make *ring* an optional dependency 

    Using the crate without this feature means something external
needs to provide all the cryptography, and (eg) convenient integrated
key loading APIs disappear.
    @ctz
    ctz committed Sep 13, 2023
    Configuration menu
    Copy the full SHA
    6ed9920 View commit details
    Browse the repository at this point in the history

  5. Allow control of which pki_types::SignatureVerificationAlgorithms a… 

    …re used

The prior arrangements are still available (and the default), if the
crate is built with the *ring* feature.

`WebPkiSupportedAlgorithms` is a new structure (designed for static
construction, and direct use in webpki calls) that links
`pki_types::SignatureVerificationAlgorithm`s to their corresponding TLS `SignatureScheme`.
This replaces the hardcoded mappings in `fn convert_scheme` etc.
    @ctz
    ctz committed Sep 13, 2023
    Configuration menu
    Copy the full SHA
    19e4fa6 View commit details
    Browse the repository at this point in the history

  6. OpaqueMessage: allow construction without exposing Payload

    @ctz
    ctz committed Sep 13, 2023
    Configuration menu
    Copy the full SHA
    52ff7a6 View commit details
    Browse the repository at this point in the history

  7. OpaqueMessage: privatize payload type 

    This removes a further need for `Payload` to be understood outside
this crate.  `payload()` allows immutable access as a slice,
`payload_mut()` allows mutable access to the underlying vec (such
as needed to decrypt the message without a copy).
    @ctz
    ctz committed Sep 13, 2023
    Configuration menu
    Copy the full SHA
    ea5fa26 View commit details
    Browse the repository at this point in the history

  8. crypto::Iv::copy: allow use outside crate

    @ctz
    ctz committed Sep 13, 2023
    Configuration menu
    Copy the full SHA
    e72e155 View commit details
    Browse the repository at this point in the history

  9. Add demonstration of custom crypto 

    This is an example that builds a mostly-unchanged rustls example
(simpleclient), but only using crypto from the rust-crypto project
and elsewhere.

This is intended to be minimalistic, and not a complete replacement
for *ring*.

It implements:

- TLS1.3 TLS13_CHACHA20_POLY1305_SHA256 cipher suite.
- TLS1.2 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 cipher suite.
- X25519 key exchange.
- RSA-PSS-SHA256 and RSA-PKCS1-SHA256 signature verification for
  verifying the server, integrated into the webpki crate.
- random generation using `rand_core`.

This means it can fetch www.rust-lang.org.

TLS1.2 is not strictly necessary for this server, but serves to
demonstrate that part of the API.
    @ctz
    ctz committed Sep 13, 2023
    Configuration menu
    Copy the full SHA
    78295cf View commit details
    Browse the repository at this point in the history