rustls::crypto

Struct CryptoProvider

source
pub struct CryptoProvider {
    pub cipher_suites: Vec<SupportedCipherSuite>,
    pub kx_groups: Vec<&'static dyn SupportedKxGroup>,
    pub signature_verification_algorithms: WebPkiSupportedAlgorithms,
    pub secure_random: &'static dyn SecureRandom,
    pub key_provider: &'static dyn KeyProvider,
}
Expand description

Controls core cryptography used by rustls.

This crate comes with two built-in options, provided as CryptoProvider structures:

  • crypto::ring::default_provider: (behind the ring crate feature, which is enabled by default). This provider uses the ring crate.
  • [crypto::aws_lc_rs::default_provider]: (behind the aws_lc_rs feature, which is optional). This provider uses the aws-lc-rs crate.

This structure provides defaults. Everything in it can be overridden at runtime by replacing field values as needed.

§Using a specific CryptoProvider

Supply the provider when constructing your ClientConfig or ServerConfig:

When creating and configuring a webpki-backed client or server certificate verifier, a choice of provider is also needed to start the configuration process:

§Making a custom CryptoProvider

Your goal will be to populate a crypto::CryptoProvider struct instance.

§Which elements are required?

There is no requirement that the individual elements (SupportedCipherSuite, SupportedKxGroup, SigningKey, etc.) come from the same crate. It is allowed and expected that uninteresting elements would be delegated back to one of the default providers (statically) or a parent provider (dynamically).

For example, if we want to make a provider that just overrides key loading in the config builder API (ConfigBuilder::with_single_cert etc.), it might look like this:

use rustls::crypto::ring;

pub fn provider() -> rustls::crypto::CryptoProvider {
  rustls::crypto::CryptoProvider{
    key_provider: &HsmKeyLoader,
    ..ring::default_provider()
  }
}

#[derive(Debug)]
struct HsmKeyLoader;

impl rustls::crypto::KeyProvider for HsmKeyLoader {
    fn load_private_key(&self, key_der: pki_types::PrivateKeyDer<'static>) -> Result<Arc<dyn rustls::sign::SigningKey>, rustls::Error> {
         fictious_hsm_api::load_private_key(key_der)
    }
}

§References to the individual elements

The elements are documented separately:

§Example code

See provider-example/ for a full client and server example that uses cryptography from the rust-crypto and dalek-cryptography projects.

$ cargo run --example client | head -3
Current ciphersuite: TLS13_CHACHA20_POLY1305_SHA256
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 19899

Fields§

§cipher_suites: Vec<SupportedCipherSuite>

List of supported ciphersuites, in preference order – the first element is the highest priority.

The SupportedCipherSuite type carries both configuration and implementation.

§kx_groups: Vec<&'static dyn SupportedKxGroup>

List of supported key exchange groups, in preference order – the first element is the highest priority.

The first element in this list is the default key share algorithm, and in TLS1.3 a key share for it is sent in the client hello.

The SupportedKxGroup type carries both configuration and implementation.

§signature_verification_algorithms: WebPkiSupportedAlgorithms

List of signature verification algorithms for use with webpki.

These are used for both certificate chain verification and handshake signature verification.

This is called by ConfigBuilder::with_root_certificates(), server::WebPkiClientVerifier::builder_with_provider() and client::WebPkiServerVerifier::builder_with_provider().

§secure_random: &'static dyn SecureRandom

Source of cryptographically secure random numbers.

§key_provider: &'static dyn KeyProvider

Provider for loading private SigningKeys from PrivateKeyDer.

Trait Implementations§

source§

impl Clone for CryptoProvider

source§

fn clone(&self) -> CryptoProvider

Returns a copy of the value. Read more
1.0.0 · source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more
source§

impl Debug for CryptoProvider

source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more

Auto Trait Implementations§

Blanket Implementations§

source§

impl<T> Any for T
where T: 'static + ?Sized,

source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
source§

impl<T> Borrow<T> for T
where T: ?Sized,

source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
source§

impl<T> CloneToUninit for T
where T: Clone,

source§

unsafe fn clone_to_uninit(&self, dst: *mut T)

🔬This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dst. Read more
source§

impl<T> From<T> for T

source§

fn from(t: T) -> T

Returns the argument unchanged.

source§

impl<T, U> Into<U> for T
where U: From<T>,

source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

source§

impl<T> ToOwned for T
where T: Clone,

source§

type Owned = T

The resulting type after obtaining ownership.
source§

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more
source§

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more
source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

source§

type Error = Infallible

The type returned in the event of a conversion error.
source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.