
Support `CryptoProvider` like plugin mechanism

Open howardjohn opened this issue 1 year ago • 8 comments

https://github.com/rustls/rustls/issues/1540 in rustls provides a mechanism to plug in arbitrary crypto providers. While the in-tree ones only have ring and aws_lc_rs, mirroring rcgen, there are out of tree providers that can be used. However, if an application depends on rcgen, these benefits are negated (assuming a project requires all crypto to be done by a specific implementation).

It would be nice to have a pluggable model.

howardjohn avatar Feb 21 '24 16:02 howardjohn

Ah I missed https://github.com/rustls/rcgen/pull/208 which is a step in the direction (sort of)

howardjohn avatar Feb 21 '24 16:02 howardjohn

I personally think this makes sense to implement and see #208 and https://github.com/rustls/rcgen/pull/223 as steps in that general direction. I think there are some other old issues that would benefit from a solution here too (e.g. https://github.com/rustls/rcgen/issues/60, https://github.com/rustls/rcgen/issues/74)

Are you interested in contributing a PR for something analogous to the rustls CryptoProvider trait?

cpu avatar Feb 21 '24 16:02 cpu

I would like to work on this. Does it make sense to share (part of) this trait with rustls? For example KeyProvider seems relevant.

HKalbasi avatar May 08 '24 11:05 HKalbasi

What is your motivation to work on this/what's the use case/what problem are you trying to solve?

djc avatar May 09 '24 12:05 djc

My motivation is basically #60. The last time I used rcgen, it was unable to create a certificate with some specific crypto algorithm, so I kept a C++ dependency which I want to remove in the long term and replace with rcgen.

HKalbasi avatar May 09 '24 15:05 HKalbasi

Having the ability to add support for unknown algorithms is a different use case from wanting this plugin mechanism to use one specific crypto implementation.

I think the best way forward is to ask the aws_lc_rs bindings crate to extend the API to the algorithms you require, and rcgen can then add support for those algorithms in the main branch.

est31 avatar May 09 '24 16:05 est31

@HKalbasi which algorithm(s) do you need?

djc avatar May 09 '24 16:05 djc

I thought this issue was a precondition to using aws_lc_rs in rcgen. It has been a while since the last time I tried rcgen; now that aws_lc_rs is supported, it might be that my problem is resolved. I will retry and ask aws_lc_rs if the algorithm is not supported.

HKalbasi avatar May 09 '24 20:05 HKalbasi