pub struct CryptoProvider {
pub cipher_suites: Vec<SupportedCipherSuite>,
pub kx_groups: Vec<&'static dyn SupportedKxGroup>,
pub signature_verification_algorithms: WebPkiSupportedAlgorithms,
pub secure_random: &'static dyn SecureRandom,
pub key_provider: &'static dyn KeyProvider,
}Controls core cryptography used by rustls.
This crate comes with two built-in options, provided as CryptoProvider structures:
crypto::aws_lc_rs::default_provider: (behind the aws_lc_rs crate feature, which is enabled by default). This provider uses the aws-lc-rs crate. The fips crate feature makes this option use FIPS140-3-approved cryptography.crypto::ring::default_provider: (behind the ring crate feature, which is optional). This provider uses the ring crate.This structure provides defaults. Everything in it can be overridden at runtime by replacing field values as needed.
§Using the per-process defaultCryptoProvider
There is the concept of an implicit default provider, configured at run-time once in a given process.
It is used for functions like ClientConfig::builder() and ServerConfig::builder().
The intention is that an application can specify the CryptoProvider they wish to use once, and have that apply to the variety of places where their application does TLS (which may be wrapped inside other libraries). They should do this by calling CryptoProvider::install_default() early on.
To achieve this goal:
ClientConfig::builder()/ServerConfig::builder() or otherwise rely on the CryptoProvider::get_default() provider.CryptoProvider::install_default() early in their fn main(). If applications uses a custom provider based on the one built-in, they can activate the custom-provider feature to ensure its usage.CryptoProvider
Supply the provider when constructing your ClientConfig or ServerConfig:
When creating and configuring a webpki-backed client or server certificate verifier, a choice of provider is also needed to start the configuration process:
client::WebPkiServerVerifier::builder_with_provider()server::WebPkiClientVerifier::builder_with_provider()If you install a custom provider and want to avoid any accidental use of a built-in provider, the feature custom-provider can be activated to ensure your custom provider is used everywhere and not a built-in one. This will disable any implicit use of a built-in provider.
CryptoProvider
Your goal will be to populate an instance of this CryptoProvider struct.
There is no requirement that the individual elements (SupportedCipherSuite, SupportedKxGroup, SigningKey, etc.) come from the same crate. It is allowed and expected that uninteresting elements would be delegated back to one of the default providers (statically) or a parent provider (dynamically).
For example, if we want to make a provider that just overrides key loading in the config builder API (with ConfigBuilder::with_single_cert, etc.), it might look like this:
use rustls::crypto::aws_lc_rs;
pub fn provider() -> rustls::crypto::CryptoProvider {
rustls::crypto::CryptoProvider{
key_provider: &HsmKeyLoader,
..aws_lc_rs::default_provider()
}
}
#[derive(Debug)]
struct HsmKeyLoader;
impl rustls::crypto::KeyProvider for HsmKeyLoader {
fn load_private_key(&self, key_der: pki_types::PrivateKeyDer<'static>) -> Result<Arc<dyn rustls::sign::SigningKey>, rustls::Error> {
fictious_hsm_api::load_private_key(key_der)
}
}The elements are documented separately:
crypto::SecureRandom::fill().SupportedCipherSuite, Tls12CipherSuite, and Tls13CipherSuite.crypto::SupportedKxGroup.crypto::WebPkiSupportedAlgorithms.crypto::KeyProvider::load_private_key() and sign::SigningKey.See custom provider-example/ for a full client and server example that uses cryptography from the RustCrypto and dalek-cryptography projects.
$ cargo run --example client | head -3
Current ciphersuite: TLS13_CHACHA20_POLY1305_SHA256
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 19899The fips crate feature enables use of the aws-lc-rs crate in FIPS mode.
You can verify the configuration at runtime by checking ServerConfig::fips()/ClientConfig::fips() return true.
List of supported ciphersuites, in preference order – the first element is the highest priority.
The SupportedCipherSuite type carries both configuration and implementation.
A valid CryptoProvider must ensure that all cipher suites are accompanied by at least one matching key exchange group in CryptoProvider::kx_groups.
List of supported key exchange groups, in preference order – the first element is the highest priority.
The first element in this list is the default key share algorithm, and in TLS1.3 a key share for it is sent in the client hello.
The SupportedKxGroup type carries both configuration and implementation.
secure_random: &'static dyn SecureRandom
Source of cryptographically secure random numbers.
Provider for loading private SigningKeys from PrivateKeyDer.
Sets this CryptoProvider as the default for this process.
This can be called successfully at most once in any process execution.
Call this early in your process to configure which provider is used for the provider. The configuration should happen before any use of ClientConfig::builder() or ServerConfig::builder().
Returns the default CryptoProvider for this process.
This will be None if no default has been set yet.
Returns true if this CryptoProvider is operating in FIPS mode.
This covers only the cryptographic parts of FIPS approval. There are also TLS protocol-level recommendations made by NIST. You should prefer to call ClientConfig::fips() or ServerConfig::fips() which take these into account.
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4