fix: Make openssl and rust_native_crypto features additive (#1379)

* fix: make `openssl` and `rust_native_crypto` features additive

* style: alphabetize openssl feature

* docs: document openssl and rust_native_crypto features

* docs: fix typo

Author: ok-nick

docs/usage.md

@@ -34,6 +34,8 @@ c2pa = { version = "0.45.2", features = ["file_io", "add_thumbnails"] }
 
 The Rust library crate provides the following capabilities:
 
+* `openssl` *(enabled by default)* - Enables the system `openssl` implementation for cryptography.
+* `rust_native_crypto` - Enables the Rust native implementation for cryptography.
 * `add_thumbnails` generates thumbnails automatically for JPEG and PNG files. (no longer included with `file_io`)
 * `fetch_remote_manifests` enables the verification step to retrieve externally referenced manifest stores.  External manifests are only fetched if there is no embedded manifest store and no locally adjacent .c2pa manifest store file of the same name.
 * `file_io` enables manifest generation, signing via OpenSSL, and embedding manifests in [supported file formats](supported-formats.md).
@@ -43,6 +45,10 @@ The Rust library crate provides the following capabilities:
 * `v1_api` - Use the old API (which will soon be deprecated) instead of the [new API](release-notes.md#new-api).
 * `pdf` - Enable support for reading claims on PDF files.
 
+> [!NOTE]
+> If both `rust_native_crypto` and `openssl` are enabled, it will default to `rust_native_crypto`.
+> It is recommended to disable default features when using `rust_native_crypto` as to avoid including `openssl` as a dependency.
+
 ### New API
 
 The new API is now enabled by default. The `unstable_api` feature is no longer available.
@@ -78,7 +84,7 @@ When `file_io` is enabled, the lack of a scheme will be interpreted as a `file:/
 
 ### Source asset vs parent asset
 
-The source asset isn't always the parent asset: The source asset is the asset that is hashed and signed. It can be the output from an editing application that has not preserved the manifest store from the parent. In that case, the application should have extracted a parent ingredient from the parent asset and added that to the manifest definition. 
+The source asset isn't always the parent asset: The source asset is the asset that is hashed and signed. It can be the output from an editing application that has not preserved the manifest store from the parent. In that case, the application should have extracted a parent ingredient from the parent asset and added that to the manifest definition.
 
 - Parent asset: with a manifest store.
 - Parent ingredient: generated from that parent asset (hashed and validated)
@@ -90,7 +96,7 @@ If there is no parent ingredient defined, and the source has a manifest store, t
 ### Remote URLs and embedding
 
 The default operation of C2PA signing is to embed a C2PA manifest store into an asset. The library also returns the C2PA manifest store so that it can be written to a sidecar or uploaded to a remote service.
-- The API supports embedding a remote URL reference into the asset. 
+- The API supports embedding a remote URL reference into the asset.
 - The remote URL is stored in different ways depending on the asset, but is often stored in XMP data.
 - The remote URL must be added to the asset before signing so that it can be hashed along with the asset.
 - Not all file formats support embedding remote URLs or embedding manifests stores.

sdk/Cargo.toml

@@ -24,19 +24,7 @@ rust-version = "1.86.0"
 exclude = ["tests/fixtures"]
 
 [package.metadata.docs.rs]
-# Build with all features, but not with openssl and rust_native_crypto simulatenously.
-features = [
-    "openssl",
-    "add_thumbnails",
-    "file_io",
-    "serialize_thumbnails",
-    "no_interleaved_io",
-    "fetch_remote_manifests",
-    "json_schema",
-    "pdf",
-    "v1_api",
-    "diagnostics",
-]
+all-features = true
 rustdoc-args = ["--cfg", "docsrs"]
 
 [features]
@@ -203,10 +191,19 @@ sha2 = { version = "0.10.6", features = ["asm"] }
 [target.'cfg(not(target_arch = "aarch64"))'.dependencies]
 sha2 = "0.10.6"
 
+# This list matches the `rust_native_crypto` feature since they are not optional on WASM.
 [target.'cfg(target_arch = "wasm32")'.dependencies]
 const-oid = "0.9.6"
 der = "0.7.9"
+ecdsa = { version = "0.16.9", features = ["digest", "sha2"] }
 num-bigint-dig = "0.8.4"
+p256 = "0.13.2"
+p384 = "0.13.0"
+p521 = { version = "0.13.3", features = [
+    "pkcs8",
+    "digest",
+    "ecdsa",
+] }
 pkcs1 = "0.7.5"
 rsa = { version = "0.9.6", features = ["sha2"] }
 spki = "0.7.3"
@@ -289,7 +286,7 @@ wasm-bindgen-test = "0.3.45"
 httpmock = "0.7.0"
 tokio = { version = "1.44.2", features = ["full"] }
 criterion = { package = "codspeed-criterion-compat", version = "3.0.5" }
-#
+
 # WASM/WASI doesn't support default criterion features.
 # https://github.com/bheisler/criterion.rs/blob/4c19e913b84e6a7e4a8470cb0f766796886ed891/book/src/user_guide/wasi.md
 [target.'cfg(target_arch = "wasm32")'.dev-dependencies]

sdk/src/crypto/cose/certificate_trust_policy.rs

@@ -141,7 +141,7 @@ impl CertificateTrustPolicy {
             return Ok(TrustAnchorType::EndEntity);
         }
 
-        #[cfg(feature = "rust_native_crypto")]
+        #[cfg(any(feature = "rust_native_crypto", target_arch = "wasm32"))]
         {
             return crate::crypto::raw_signature::rust_native::check_certificate_trust::check_certificate_trust(
                 self,
@@ -151,7 +151,10 @@ impl CertificateTrustPolicy {
             );
         }
 
-        #[cfg(feature = "openssl")]
+        #[cfg(all(
+            feature = "openssl",
+            not(all(feature = "rust_native_crypto", target_arch = "wasm32"))
+        ))]
         {
             return crate::crypto::raw_signature::openssl::check_certificate_trust::check_certificate_trust(
                 self,
@@ -214,7 +217,7 @@ impl CertificateTrustPolicy {
 
     /// Add user provided trust anchors that shall be accepted when verifying COSE signatures.
     /// These anchors are distinct from the C2PA trust anchors and are used to validate certificates
-    /// that are not part of the C2PA trust anchors.  
+    /// that are not part of the C2PA trust anchors.
     pub fn add_user_trust_anchors(
         &mut self,
         trust_anchor_pems: &[u8],
@@ -430,14 +433,20 @@ pub enum CertificateTrustError {
     InternalError(String),
 }
 
-#[cfg(feature = "openssl")]
+#[cfg(all(
+    feature = "openssl",
+    not(all(feature = "rust_native_crypto", target_arch = "wasm32"))
+))]
 impl From<openssl::error::ErrorStack> for CertificateTrustError {
     fn from(err: openssl::error::ErrorStack) -> Self {
         Self::CryptoLibraryError(err.to_string())
     }
 }
 
-#[cfg(feature = "openssl")]
+#[cfg(all(
+    feature = "openssl",
+    not(all(feature = "rust_native_crypto", target_arch = "wasm32"))
+))]
 impl From<crate::crypto::raw_signature::openssl::OpenSslMutexUnavailable>
     for CertificateTrustError
 {

sdk/src/crypto/raw_signature/mod.rs

@@ -15,10 +15,13 @@
 
 pub(crate) mod oids;
 
-#[cfg(feature = "openssl")]
+#[cfg(all(
+    feature = "openssl",
+    not(all(feature = "rust_native_crypto", target_arch = "wasm32"))
+))]
 pub(crate) mod openssl;
 
-#[cfg(feature = "rust_native_crypto")]
+#[cfg(any(feature = "rust_native_crypto", target_arch = "wasm32"))]
 pub(crate) mod rust_native;
 
 pub(crate) mod signer;

sdk/src/crypto/raw_signature/signer.rs

@@ -157,14 +157,20 @@ impl From<std::io::Error> for RawSignerError {
     }
 }
 
-#[cfg(feature = "openssl")]
+#[cfg(all(
+    feature = "openssl",
+    not(all(feature = "rust_native_crypto", target_arch = "wasm32"))
+))]
 impl From<openssl::error::ErrorStack> for RawSignerError {
     fn from(err: openssl::error::ErrorStack) -> Self {
         Self::CryptoLibraryError(err.to_string())
     }
 }
 
-#[cfg(feature = "openssl")]
+#[cfg(all(
+    feature = "openssl",
+    not(all(feature = "rust_native_crypto", target_arch = "wasm32"))
+))]
 impl From<crate::crypto::raw_signature::openssl::OpenSslMutexUnavailable> for RawSignerError {
     fn from(err: crate::crypto::raw_signature::openssl::OpenSslMutexUnavailable) -> Self {
         Self::InternalError(err.to_string())
@@ -187,7 +193,7 @@ pub fn signer_from_cert_chain_and_private_key(
     alg: SigningAlg,
     time_stamp_service_url: Option<String>,
 ) -> Result<Box<dyn RawSigner + Send + Sync>, RawSignerError> {
-    #[cfg(feature = "rust_native_crypto")]
+    #[cfg(any(feature = "rust_native_crypto", target_arch = "wasm32"))]
     {
         match crate::crypto::raw_signature::rust_native::signers::signer_from_cert_chain_and_private_key(
             cert_chain,
@@ -201,7 +207,10 @@ pub fn signer_from_cert_chain_and_private_key(
         }
     }
 
-    #[cfg(feature = "openssl")]
+    #[cfg(all(
+        feature = "openssl",
+        not(all(feature = "rust_native_crypto", target_arch = "wasm32"))
+    ))]
     {
         return crate::crypto::raw_signature::openssl::signers::signer_from_cert_chain_and_private_key(
             cert_chain,

sdk/src/crypto/raw_signature/tests/signers.rs

@@ -69,7 +69,10 @@ fn es384() {
 }
 
 #[test]
-#[cfg(feature = "openssl")]
+#[cfg(all(
+    feature = "openssl",
+    not(all(feature = "rust_native_crypto", target_arch = "wasm32"))
+))]
 fn es512() {
     let cert_chain = include_bytes!("../../../../tests/fixtures/crypto/raw_signature/es512.pub");
     let private_key = include_bytes!("../../../../tests/fixtures/crypto/raw_signature/es512.priv");

sdk/src/crypto/raw_signature/tests/validators.rs

@@ -241,7 +241,10 @@ const SHA384_OID: Oid = bcder::Oid(OctetString::from_static(&[96, 134, 72, 1, 10
 
 const SHA512_OID: Oid = bcder::Oid(OctetString::from_static(&[96, 134, 72, 1, 101, 3, 4, 2, 3]));
 
-#[cfg_attr(feature = "rust_native_crypto", allow(unused))]
+#[cfg_attr(
+    any(feature = "rust_native_crypto", target_arch = "wasm32"),
+    allow(unused)
+)]
 const SHA1_OID: Oid = bcder::Oid(OctetString::from_static(&[43, 14, 3, 2, 26]));
 
 #[test]
@@ -340,7 +343,10 @@ fn rs512() {
 }
 
 #[test]
-#[cfg(feature = "openssl")]
+#[cfg(all(
+    feature = "openssl",
+    not(all(feature = "rust_native_crypto", target_arch = "wasm32"))
+))]
 fn sha1() {
     let signature =
         include_bytes!("../../../../tests/fixtures/crypto/raw_signature/legacy/sha1.raw_sig");

sdk/src/crypto/raw_signature/validator.rs

@@ -65,7 +65,7 @@ pub trait AsyncRawSignatureValidator {
 /// Which validators are available may vary depending on the platform and
 /// which crate features were enabled.
 pub fn validator_for_signing_alg(alg: SigningAlg) -> Option<Box<dyn RawSignatureValidator>> {
-    #[cfg(feature = "rust_native_crypto")]
+    #[cfg(any(feature = "rust_native_crypto", target_arch = "wasm32"))]
     {
         if let Some(validator) =
             crate::crypto::raw_signature::rust_native::validators::validator_for_signing_alg(alg)
@@ -74,7 +74,10 @@ pub fn validator_for_signing_alg(alg: SigningAlg) -> Option<Box<dyn RawSignature
         }
     }
 
-    #[cfg(feature = "openssl")]
+    #[cfg(all(
+        feature = "openssl",
+        not(all(feature = "rust_native_crypto", target_arch = "wasm32"))
+    ))]
     if let Some(validator) =
         crate::crypto::raw_signature::openssl::validators::validator_for_signing_alg(alg)
     {
@@ -95,7 +98,7 @@ pub(crate) fn validator_for_sig_and_hash_algs(
     hash_alg: &Oid,
 ) -> Option<Box<dyn RawSignatureValidator>> {
     // TO REVIEW: Do we need any of the RSA-PSS algorithms for this use case?
-    #[cfg(feature = "rust_native_crypto")]
+    #[cfg(any(feature = "rust_native_crypto", target_arch = "wasm32"))]
     {
         if let Some(validator) =
             crate::crypto::raw_signature::rust_native::validators::validator_for_sig_and_hash_algs(
@@ -106,7 +109,10 @@ pub(crate) fn validator_for_sig_and_hash_algs(
         }
     }
 
-    #[cfg(feature = "openssl")]
+    #[cfg(all(
+        feature = "openssl",
+        not(all(feature = "rust_native_crypto", target_arch = "wasm32"))
+    ))]
     if let Some(validator) =
         crate::crypto::raw_signature::openssl::validators::validator_for_sig_and_hash_algs(
             sig_alg, hash_alg,
@@ -175,14 +181,20 @@ pub enum RawSignatureValidationError {
     InternalError(String),
 }
 
-#[cfg(feature = "openssl")]
+#[cfg(all(
+    feature = "openssl",
+    not(all(feature = "rust_native_crypto", target_arch = "wasm32"))
+))]
 impl From<openssl::error::ErrorStack> for RawSignatureValidationError {
     fn from(err: openssl::error::ErrorStack) -> Self {
         Self::CryptoLibraryError(err.to_string())
     }
 }
 
-#[cfg(feature = "openssl")]
+#[cfg(all(
+    feature = "openssl",
+    not(all(feature = "rust_native_crypto", target_arch = "wasm32"))
+))]
 impl From<crate::crypto::raw_signature::openssl::OpenSslMutexUnavailable>
     for RawSignatureValidationError
 {

sdk/src/lib.rs

@@ -203,11 +203,5 @@ pub(crate) mod store;
 pub(crate) mod utils;
 pub(crate) use utils::{cbor_types, hash_utils};
 
-#[cfg(all(feature = "openssl", feature = "rust_native_crypto"))]
-compile_error!("Features 'openssl' and 'rust_native_crypto' cannot be enabled at the same time.");
-
 #[cfg(not(any(feature = "openssl", feature = "rust_native_crypto")))]
 compile_error!("Either 'openssl' or 'rust_native_crypto' feature must be enabled.");
-
-#[cfg(all(feature = "openssl", target_arch = "wasm32"))]
-compile_error!("Feature 'openssl' is not available for wasm32.");