pub struct CryptoProvider {
pub cipher_suites: Vec<SupportedCipherSuite>,
pub kx_groups: Vec<&'static dyn SupportedKxGroup>,
pub signature_verification_algorithms: WebPkiSupportedAlgorithms,
pub secure_random: &'static dyn SecureRandom,
pub key_provider: &'static dyn KeyProvider,
}
Expand description
Controls core cryptography used by rustls.
This crate comes with two built-in options, provided as
CryptoProvider
structures:
crypto::ring::default_provider
: (behind thering
crate feature, which is enabled by default). This provider uses the ring crate.- [
crypto::aws_lc_rs::default_provider
]: (behind theaws_lc_rs
feature, which is optional). This provider uses the aws-lc-rs crate.
This structure provides defaults. Everything in it can be overridden at runtime by replacing field values as needed.
§Using a specific CryptoProvider
Supply the provider when constructing your ClientConfig
or ServerConfig
:
When creating and configuring a webpki-backed client or server certificate verifier, a choice of provider is also needed to start the configuration process:
client::WebPkiServerVerifier::builder_with_provider()
server::WebPkiClientVerifier::builder_with_provider()
§Making a custom CryptoProvider
Your goal will be to populate a crypto::CryptoProvider
struct instance.
§Which elements are required?
There is no requirement that the individual elements (SupportedCipherSuite
, SupportedKxGroup
,
SigningKey
, etc.) come from the same crate. It is allowed and expected that uninteresting
elements would be delegated back to one of the default providers (statically) or a parent
provider (dynamically).
For example, if we want to make a provider that just overrides key loading in the config builder
API (ConfigBuilder::with_single_cert
etc.), it might look like this:
use rustls::crypto::ring;
pub fn provider() -> rustls::crypto::CryptoProvider {
rustls::crypto::CryptoProvider{
key_provider: &HsmKeyLoader,
..ring::default_provider()
}
}
#[derive(Debug)]
struct HsmKeyLoader;
impl rustls::crypto::KeyProvider for HsmKeyLoader {
fn load_private_key(&self, key_der: pki_types::PrivateKeyDer<'static>) -> Result<Arc<dyn rustls::sign::SigningKey>, rustls::Error> {
fictious_hsm_api::load_private_key(key_der)
}
}
§References to the individual elements
The elements are documented separately:
- Random - see
crypto::SecureRandom::fill()
. - Cipher suites - see
SupportedCipherSuite
,Tls12CipherSuite
, andTls13CipherSuite
. - Key exchange groups - see
crypto::SupportedKxGroup
. - Signature verification algorithms - see
crypto::WebPkiSupportedAlgorithms
. - Authentication key loading - see
crypto::KeyProvider::load_private_key()
andsign::SigningKey
.
§Example code
See provider-example/ for a full client and server example that uses cryptography from the rust-crypto and dalek-cryptography projects.
$ cargo run --example client | head -3
Current ciphersuite: TLS13_CHACHA20_POLY1305_SHA256
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 19899
Fields§
§cipher_suites: Vec<SupportedCipherSuite>
List of supported ciphersuites, in preference order – the first element is the highest priority.
The SupportedCipherSuite
type carries both configuration and implementation.
kx_groups: Vec<&'static dyn SupportedKxGroup>
List of supported key exchange groups, in preference order – the first element is the highest priority.
The first element in this list is the default key share algorithm, and in TLS1.3 a key share for it is sent in the client hello.
The SupportedKxGroup
type carries both configuration and implementation.
signature_verification_algorithms: WebPkiSupportedAlgorithms
List of signature verification algorithms for use with webpki.
These are used for both certificate chain verification and handshake signature verification.
This is called by ConfigBuilder::with_root_certificates()
,
server::WebPkiClientVerifier::builder_with_provider()
and
client::WebPkiServerVerifier::builder_with_provider()
.
secure_random: &'static dyn SecureRandom
Source of cryptographically secure random numbers.
key_provider: &'static dyn KeyProvider
Provider for loading private SigningKeys from PrivateKeyDer.
Trait Implementations§
source§impl Clone for CryptoProvider
impl Clone for CryptoProvider
source§fn clone(&self) -> CryptoProvider
fn clone(&self) -> CryptoProvider
1.0.0 · source§fn clone_from(&mut self, source: &Self)
fn clone_from(&mut self, source: &Self)
source
. Read moreAuto Trait Implementations§
impl Freeze for CryptoProvider
impl !RefUnwindSafe for CryptoProvider
impl Send for CryptoProvider
impl Sync for CryptoProvider
impl Unpin for CryptoProvider
impl !UnwindSafe for CryptoProvider
Blanket Implementations§
source§impl<T> BorrowMut<T> for Twhere
T: ?Sized,
impl<T> BorrowMut<T> for Twhere
T: ?Sized,
source§fn borrow_mut(&mut self) -> &mut T
fn borrow_mut(&mut self) -> &mut T
source§impl<T> CloneToUninit for Twhere
T: Clone,
impl<T> CloneToUninit for Twhere
T: Clone,
source§unsafe fn clone_to_uninit(&self, dst: *mut T)
unsafe fn clone_to_uninit(&self, dst: *mut T)
clone_to_uninit
)