instant-labs
/
instant-acme
mirror of https://github.com/instant-labs/instant-acme.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add aws_lc_rs feature and set it as default (#56)

This commit is contained in:
Sajjad (Sage) Pourali 2024-07-16 03:39:53 -04:00 committed by GitHub
parent 2a3ea513a7
commit a9c8fc4dbc
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 42 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
.github/workflows/rust.yml vendored
View File

@ -21,12 +21,17 @@ jobs:
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
env:
AWS_LC_SYS_NO_ASM: 1
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- uses: dtolnay/rust-toolchain@master - uses: dtolnay/rust-toolchain@master
with: with:
toolchain: ${{ matrix.rust }} toolchain: ${{ matrix.rust }}
- run: cargo test --all-features --all-targets - run: cargo check
- run: cargo test
- run: cargo test --no-default-features --features hyper-rustls,aws-lc-rs
msrv: msrv:
runs-on: ubuntu-latest runs-on: ubuntu-latest

14
Cargo.toml
View File

@ -12,15 +12,19 @@ keywords = ["letsencrypt", "acme"]
categories = ["web-programming", "api-bindings"] categories = ["web-programming", "api-bindings"]
[features] [features]
default = ["hyper-rustls"] default = ["hyper-rustls", "ring"]
ring = ["dep:ring", "hyper-rustls?/ring", "rcgen/ring"]
aws-lc-rs = ["dep:aws-lc-rs", "hyper-rustls?/aws-lc-rs", "rcgen/aws_lc_rs"]
fips = ["aws-lc-rs", "aws-lc-rs?/fips"]
[dependencies] [dependencies]
aws-lc-rs = { version = "1.8.0", optional = true }
base64 = "0.21.0" base64 = "0.21.0"
hyper = { version = "1.3.1", features = ["client", "http1", "http2"] } hyper = { version = "1.3.1", features = ["client", "http1", "http2"] }
hyper-rustls = { version = "0.27", default-features = false, features = ["http1", "http2", "native-tokio", "tls12", "rustls-native-certs", "ring"], optional = true } hyper-rustls = { version = "0.27", default-features = false, features = ["http1", "http2", "native-tokio", "tls12", "rustls-native-certs"], optional = true }
hyper-util = { version = "0.1.5", features = ["client", "client-legacy", "http1", "http2", "tokio"]} hyper-util = { version = "0.1.5", features = ["client", "client-legacy", "http1", "http2", "tokio"] }
http-body-util = "0.1.2" http-body-util = "0.1.2"
ring = { version = "0.17", features = ["std"] } ring = { version = "0.17", features = ["std"], optional = true }
rustls-pki-types = "1.1.0" rustls-pki-types = "1.1.0"
serde = { version = "1.0.104", features = ["derive"] } serde = { version = "1.0.104", features = ["derive"] }
serde_json = "1.0.78" serde_json = "1.0.78"
@ -29,7 +33,7 @@ thiserror = "1.0.30"
[dev-dependencies] [dev-dependencies]
anyhow = "1.0.66" anyhow = "1.0.66"
clap = { version = "4.0.29", features = ["derive"] } clap = { version = "4.0.29", features = ["derive"] }
rcgen = "0.12" rcgen = { version = "0.12", default-features = false, features = ["pem"] }
tokio = { version = "1.22.0", features = ["macros", "rt", "rt-multi-thread", "time"] } tokio = { version = "1.22.0", features = ["macros", "rt", "rt-multi-thread", "time"] }
tracing = "0.1.37" tracing = "0.1.37"
tracing-subscriber = "0.3.16" tracing-subscriber = "0.3.16"

27
src/lib.rs
View File

@ -3,6 +3,10 @@
#![warn(unreachable_pub)] #![warn(unreachable_pub)]
#![warn(missing_docs)] #![warn(missing_docs)]
#[cfg(feature = "aws-lc-rs")]
pub(crate) use aws_lc_rs as ring_like;
#[cfg(all(feature = "ring", not(feature = "aws-lc-rs")))]
pub(crate) use ring as ring_like;
use std::fmt; use std::fmt;
use std::future::Future; use std::future::Future;
use std::pin::Pin; use std::pin::Pin;
@ -13,14 +17,14 @@ use http_body_util::{BodyExt, Full};
use hyper::body::{Bytes, Incoming}; use hyper::body::{Bytes, Incoming};
use hyper::header::{CONTENT_TYPE, LOCATION}; use hyper::header::{CONTENT_TYPE, LOCATION};
use hyper::{Method, Request, Response, StatusCode}; use hyper::{Method, Request, Response, StatusCode};
#[cfg(feature = "hyper-rustls")] use hyper_util::client::legacy::connect::Connect;
use hyper_util::client::legacy::connect::{Connect, HttpConnector};
use hyper_util::client::legacy::Client as HyperClient; use hyper_util::client::legacy::Client as HyperClient;
use hyper_util::rt::TokioExecutor; #[cfg(feature = "hyper-rustls")]
use ring::digest::{digest, SHA256}; use hyper_util::{client::legacy::connect::HttpConnector, rt::TokioExecutor};
use ring::rand::SystemRandom; use ring_like::digest::{digest, SHA256};
use ring::signature::{EcdsaKeyPair, ECDSA_P256_SHA256_FIXED_SIGNING}; use ring_like::rand::SystemRandom;
use ring::{hmac, pkcs8}; use ring_like::signature::{EcdsaKeyPair, ECDSA_P256_SHA256_FIXED_SIGNING};
use ring_like::{hmac, pkcs8};
use serde::de::DeserializeOwned; use serde::de::DeserializeOwned;
use serde::Serialize; use serde::Serialize;
@ -555,7 +559,10 @@ impl Key {
fn generate() -> Result<(Self, pkcs8::Document), Error> { fn generate() -> Result<(Self, pkcs8::Document), Error> {
let rng = SystemRandom::new(); let rng = SystemRandom::new();
let pkcs8 = EcdsaKeyPair::generate_pkcs8(&ECDSA_P256_SHA256_FIXED_SIGNING, &rng)?; let pkcs8 = EcdsaKeyPair::generate_pkcs8(&ECDSA_P256_SHA256_FIXED_SIGNING, &rng)?;
#[cfg(all(feature = "ring", not(feature = "aws-lc-rs")))]
let key = EcdsaKeyPair::from_pkcs8(&ECDSA_P256_SHA256_FIXED_SIGNING, pkcs8.as_ref(), &rng)?; let key = EcdsaKeyPair::from_pkcs8(&ECDSA_P256_SHA256_FIXED_SIGNING, pkcs8.as_ref(), &rng)?;
#[cfg(feature = "aws-lc-rs")]
let key = EcdsaKeyPair::from_pkcs8(&ECDSA_P256_SHA256_FIXED_SIGNING, pkcs8.as_ref())?;
let thumb = BASE64_URL_SAFE_NO_PAD.encode(Jwk::thumb_sha256(&key)?); let thumb = BASE64_URL_SAFE_NO_PAD.encode(Jwk::thumb_sha256(&key)?);
Ok(( Ok((
@ -571,7 +578,11 @@ impl Key {
fn from_pkcs8_der(pkcs8_der: &[u8]) -> Result<Self, Error> { fn from_pkcs8_der(pkcs8_der: &[u8]) -> Result<Self, Error> {
let rng = SystemRandom::new(); let rng = SystemRandom::new();
#[cfg(all(feature = "ring", not(feature = "aws-lc-rs")))]
let key = EcdsaKeyPair::from_pkcs8(&ECDSA_P256_SHA256_FIXED_SIGNING, pkcs8_der, &rng)?; let key = EcdsaKeyPair::from_pkcs8(&ECDSA_P256_SHA256_FIXED_SIGNING, pkcs8_der, &rng)?;
#[cfg(feature = "aws-lc-rs")]
let key = EcdsaKeyPair::from_pkcs8(&ECDSA_P256_SHA256_FIXED_SIGNING, pkcs8_der)?;
let thumb = BASE64_URL_SAFE_NO_PAD.encode(Jwk::thumb_sha256(&key)?); let thumb = BASE64_URL_SAFE_NO_PAD.encode(Jwk::thumb_sha256(&key)?);
Ok(Self { Ok(Self {
@ -584,7 +595,7 @@ impl Key {
} }
impl Signer for Key { impl Signer for Key {
type Signature = ring::signature::Signature; type Signature = ring_like::signature::Signature;
fn header<'n, 'u: 'n, 's: 'u>(&'s self, nonce: Option<&'n str>, url: &'u str) -> Header<'n> { fn header<'n, 'u: 'n, 's: 'u>(&'s self, nonce: Option<&'n str>, url: &'u str) -> Header<'n> {
debug_assert!(nonce.is_some()); debug_assert!(nonce.is_some());

12
src/types.rs
View File

@ -1,11 +1,15 @@
use std::fmt; use std::fmt;
#[cfg(feature = "aws-lc-rs")]
pub(crate) use aws_lc_rs as ring_like;
use base64::prelude::{Engine, BASE64_URL_SAFE_NO_PAD}; use base64::prelude::{Engine, BASE64_URL_SAFE_NO_PAD};
use http_body_util::BodyExt; use http_body_util::BodyExt;
use hyper::body::Incoming; use hyper::body::Incoming;
use hyper::Response; use hyper::Response;
use ring::digest::{digest, Digest, SHA256}; #[cfg(all(feature = "ring", not(feature = "aws-lc-rs")))]
use ring::signature::{EcdsaKeyPair, KeyPair}; pub(crate) use ring as ring_like;
use ring_like::digest::{digest, Digest, SHA256};
use ring_like::signature::{EcdsaKeyPair, KeyPair};
use rustls_pki_types::CertificateDer; use rustls_pki_types::CertificateDer;
use serde::de::DeserializeOwned; use serde::de::DeserializeOwned;
use serde::ser::SerializeMap; use serde::ser::SerializeMap;
@ -25,10 +29,10 @@ pub enum Error {
Base64(#[from] base64::DecodeError), Base64(#[from] base64::DecodeError),
/// Failed from cryptographic operations /// Failed from cryptographic operations
#[error("cryptographic operation failed: {0}")] #[error("cryptographic operation failed: {0}")]
Crypto(#[from] ring::error::Unspecified), Crypto(#[from] ring_like::error::Unspecified),
/// Failed to instantiate a private key /// Failed to instantiate a private key
#[error("invalid key bytes: {0}")] #[error("invalid key bytes: {0}")]
CryptoKey(#[from] ring::error::KeyRejected), CryptoKey(#[from] ring_like::error::KeyRejected),
/// HTTP failure /// HTTP failure
#[error("HTTP request failure: {0}")] #[error("HTTP request failure: {0}")]
Http(#[from] hyper::http::Error), Http(#[from] hyper::http::Error),