Hide algorithms behind features #98
Conversation
|
This crate is made and solely intended for TLS context only through rustls. These ciphesuites are mandatory to implement and making them opt-in is not gonna work and goes against the intended use. |
|
OK, so if someone wants to use RustCrypto primitives as providers for the The obvious thing would be to simply create a new crate, and copy-paste the implementations from here. Is that what you'd recommend? |
|
I think you two are talking past each other. MTI algorithms shouldn’t be made optional. Others can be. |
|
OK, so if we make ED25519, X25519, P-384, and RSA support optional (as they're not required by TLS 1.3), and keep just AES, SHA-2, and P-256 as required, would that be acceptable? |
|
(and RSA as required, I forgot that TLS 1.3 requires it as well) |
|
Alternatively, what if you simply hide TLS support itself behind a (default) feature? Basically, if you enable |
3 participants
This changes allows you to select which algorithms are supported using Cargo features. By default, the newly added features are all selected, so there should be no functional/API changes.
The motivating factor was that I wanted to use
rustls-webpkicrate for X.509 Certificate Path Validation algorithm in a context other than TLS. For that, I don't need any of the AES/ChaCha20 etc support, and I don't want to pull these libraries into my SBOM.In addition, to support the above, the change also exposes
SignatureVerificationAlgorithms fromverify::{rsa,ecdsa,eddsa}modules through public API.One change I made was to remove
SignatureScheme::ECDSA_NISTP521_SHA512fromTLS12_ECDSA_SCHEMESlist: this is not actually supported by this provider, and correct me if I'm wrong, but I think it got there by mistake.Two questions:
#[cfg(...)]to remove them. I currently went with 1), because 2) is bad, 3) makes the code unreadable because almost all of the symbols need to be qualified, and 4) requires a lot of extra cfg flags. Please let me know if you'd like me to implement 3 or 4.