diff --git a/Cargo.toml b/Cargo.toml index 92178dd9..04163f50 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -26,6 +26,7 @@ base64 = "0.22" # For PEM decoding pem = { version = "3", optional = true } simple_asn1 = { version = "0.6", optional = true } +aws-lc-rs = { version = "1.8.1", optional = true } [target.'cfg(not(target_arch = "wasm32"))'.dependencies] ring = { version = "0.17.4", features = ["std"] } @@ -50,6 +51,7 @@ criterion = { version = "0.4", default-features = false } [features] default = ["use_pem"] use_pem = ["pem", "simple_asn1"] +aws_lc_rs = ["dep:aws-lc-rs"] [[bench]] name = "jwt" diff --git a/src/crypto/core.rs b/src/crypto/core.rs new file mode 100644 index 00000000..5edb2265 --- /dev/null +++ b/src/crypto/core.rs @@ -0,0 +1,47 @@ +#[cfg(all(feature = "aws_lc_rs", not(any(target_arch = "wasm32", target_os = "windows"))))] +pub(crate) mod dep { + pub(crate) use ::aws_lc_rs::{constant_time, error, hmac, rand}; + + pub(crate) mod signature { + pub(crate) use ::aws_lc_rs::signature::*; + + #[inline] + pub(crate) fn ecdsa_key_pair_from_pkcs8( + alg: &'static EcdsaSigningAlgorithm, + pkcs8: &[u8], + _rng: &dyn ::aws_lc_rs::rand::SecureRandom, + ) -> Result { + EcdsaKeyPair::from_pkcs8(alg, pkcs8) + } + + #[inline] + pub(crate) fn rsa_key_pair_public_modulus_len(key_pair: &RsaKeyPair) -> usize { + key_pair.public_modulus_len() + } + } +} + +#[cfg(not(all(feature = "aws_lc_rs", not(any(target_arch = "wasm32", target_os = "windows")))))] +pub(crate) mod dep { + pub(crate) use ::ring::{constant_time, error, hmac, rand}; + + pub(crate) mod signature { + pub(crate) use ::ring::signature::*; + + #[inline] + pub(crate) fn ecdsa_key_pair_from_pkcs8( + alg: &'static EcdsaSigningAlgorithm, + pkcs8: &[u8], + rng: &dyn ::ring::rand::SecureRandom, + ) -> Result { + EcdsaKeyPair::from_pkcs8(alg, pkcs8, rng) + } + + #[inline] + pub(crate) fn rsa_key_pair_public_modulus_len(key_pair: &RsaKeyPair) -> usize { + key_pair.public().modulus_len() + } + } +} + +pub(crate) use dep::*; diff --git a/src/crypto/ecdsa.rs b/src/crypto/ecdsa.rs index 99b92fc6..c1d56381 100644 --- a/src/crypto/ecdsa.rs +++ b/src/crypto/ecdsa.rs @@ -1,6 +1,5 @@ -use ring::{rand, signature}; - use crate::algorithms::Algorithm; +use crate::crypto::core::{rand, signature}; use crate::errors::Result; use crate::serialization::b64_encode; @@ -32,7 +31,7 @@ pub fn sign( message: &[u8], ) -> Result { let rng = rand::SystemRandom::new(); - let signing_key = signature::EcdsaKeyPair::from_pkcs8(alg, key, &rng)?; + let signing_key = signature::ecdsa_key_pair_from_pkcs8(alg, key, &rng)?; let out = signing_key.sign(&rng, message)?; Ok(b64_encode(out)) } diff --git a/src/crypto/eddsa.rs b/src/crypto/eddsa.rs index 7c185347..048364b0 100644 --- a/src/crypto/eddsa.rs +++ b/src/crypto/eddsa.rs @@ -1,6 +1,5 @@ -use ring::signature; - use crate::algorithms::Algorithm; +use crate::crypto::core::signature; use crate::errors::Result; use crate::serialization::b64_encode; diff --git a/src/crypto/mod.rs b/src/crypto/mod.rs index c2957dc8..c8a03db0 100644 --- a/src/crypto/mod.rs +++ b/src/crypto/mod.rs @@ -1,12 +1,12 @@ -use ring::constant_time::verify_slices_are_equal; -use ring::{hmac, signature}; - use crate::algorithms::Algorithm; +use crate::crypto::core::constant_time::verify_slices_are_equal; +use crate::crypto::core::{hmac, signature}; use crate::decoding::{DecodingKey, DecodingKeyKind}; use crate::encoding::EncodingKey; use crate::errors::Result; use crate::serialization::{b64_decode, b64_encode}; +pub(crate) mod core; pub(crate) mod ecdsa; pub(crate) mod eddsa; pub(crate) mod rsa; diff --git a/src/crypto/rsa.rs b/src/crypto/rsa.rs index 4c97db3c..4dd84a27 100644 --- a/src/crypto/rsa.rs +++ b/src/crypto/rsa.rs @@ -1,6 +1,5 @@ -use ring::{rand, signature}; - use crate::algorithms::Algorithm; +use crate::crypto::core::{rand, signature}; use crate::errors::{ErrorKind, Result}; use crate::serialization::{b64_decode, b64_encode}; @@ -41,7 +40,7 @@ pub(crate) fn sign( let key_pair = signature::RsaKeyPair::from_der(key) .map_err(|e| ErrorKind::InvalidRsaKey(e.to_string()))?; - let mut signature = vec![0; key_pair.public().modulus_len()]; + let mut signature = vec![0; signature::rsa_key_pair_public_modulus_len(&key_pair)]; let rng = rand::SystemRandom::new(); key_pair.sign(alg, &rng, message, &mut signature).map_err(|_| ErrorKind::RsaFailedSigning)?; diff --git a/src/errors.rs b/src/errors.rs index 2edd7df5..45516f32 100644 --- a/src/errors.rs +++ b/src/errors.rs @@ -77,7 +77,7 @@ pub enum ErrorKind { /// Some of the text was invalid UTF-8 Utf8(::std::string::FromUtf8Error), /// Something unspecified went wrong with crypto - Crypto(::ring::error::Unspecified), + Crypto(crate::crypto::core::error::Unspecified), } impl StdError for Error { @@ -159,14 +159,14 @@ impl From<::std::string::FromUtf8Error> for Error { } } -impl From<::ring::error::Unspecified> for Error { - fn from(err: ::ring::error::Unspecified) -> Error { +impl From for Error { + fn from(err: crate::crypto::core::error::Unspecified) -> Error { new_error(ErrorKind::Crypto(err)) } } -impl From<::ring::error::KeyRejected> for Error { - fn from(_err: ::ring::error::KeyRejected) -> Error { +impl From for Error { + fn from(_err: crate::crypto::core::error::KeyRejected) -> Error { new_error(ErrorKind::InvalidEcdsaKey) } }