feat: Modular crypto

[richarddavison]

Issue # (if available)

Description of changes

Refactor crypto and HTTP modules to support multiple TLS backends
This makes it easier to choose different Crypto & TLS implementations depending on deployment needs.

Checklist

• Created unit tests in tests/unit and/or in Rust for my feature if needed
• Ran make fix to format JS and apply Clippy auto fixes
• Made sure my code didn't add any additional warnings: make check
• Added relevant type info in types/ directory
• Updated documentation if needed (API.md/README.md/Other)

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

[nabetti1720]

While the default provider for crypto is a Pure-Rust implementation that excludes ring, tls defaults to ring. What about the idea of ​​defaulting to a Pure-Rust implementation that supports the major cipher suites?

https://github.com/RustCrypto/rustls-rustcrypto

EDIT: Until the official support is released, we will create an experimental branch that supports the new rc crates.
https://github.com/nabetti1720/rustls-rustcrypto/tree/next

% make check
cargo clippy --all-targets --all-features -- -D warnings
    Checking rustls-rustcrypto v0.0.2-alpha (/Users/shinya/Workspaces/rustls-rustcrypto)
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 1.15s

% make build
cargo +nightly build -r --target aarch64-apple-darwin
   Compiling rustls-rustcrypto v0.0.2-alpha (/Users/shinya/Workspaces/rustls-rustcrypto)
    Finished `release` profile [optimized] target(s) in 3.88s

[richarddavison]

@nabetti1720 I think the reason is that this is pretty much unmaintained:
https://github.com/RustCrypto/rustls-rustcrypto. Last commit was 2 years ago

[nabetti1720]

@richarddavison Yes, so I am submitting a PR to update to the latest rustcrypto.
RustCrypto/rustls-rustcrypto#102

To fix the issue, explicitly define minimal permissions for the workflow so the GITHUB_TOKEN is limited to what the job actually needs. In this case, the steps only need to read repository contents (for actions/checkout) and then run local build/test commands, so contents: read is sufficient.

The best way to do this without changing existing functionality is to add a root-level permissions block near the top of .github/workflows/build-modules.yml, applying to all jobs in the workflow. Concretely, insert:

permissions:
  contents: read

between the name: line and the on: section. No other changes (jobs, steps, or additional permissions) are required, since none of the steps perform write operations to GitHub resources. This preserves current behavior while constraining the token.

[nabetti1720]

Is there any point in providing partially supported features like crypto-ring or crypto-graviola?
By doing the following, it will be easier for users to choose a backend, and implementers will be able to optimize their internal implementations depending on the supported cipher suites of ring and glaviora without affecting users.

Feature	Description
crypto-rust (default)	Pure Rust crypto using RustCrypto crates
crypto-ring	Ring for hashing/HMAC, RustCrypto for everything else
crypto-graviola	Graviola for hashing/HMAC/AES-GCM, RustCrypto for everything else
crypto-openssl	OpenSSL-based crypto

EDIT: If we want to follow the tls concept, we may want to support crypto-aws-lc.

[Sytten]

Almost there

[Sytten]

You dont need to add a vendored feature everywhere.
Usually libraries will not even provide that feature, the user of the library just has to enable it on their on in their Cargo.tom by adding openssl as a dep and enabling the feature.
For you this would mean removing all the openssl-vendored features in all module crates and just adding it to the llrt/Cargo.toml. As long as it is enabled once, it is enabled everywhere since features are cumulative in rust and -sys crates can only appear one time in the build (cant have two version of the crate)

[Sytten]

This comment is unclear is you mean the _rustcrypto or the _subtlefull

[Sytten]

I would also move that code in a different file, it makes reading this top mod hard

[Sytten]

Same idea here. For clarify I would do the following file structure:

subtle
 |-> import_key
         |-> mod.rs (export based on feature)
         |-> full.rs
         |-> stub.rs

Then later we can even create a more targeted feature only key import, key export, etc.
Also reading the code lightly I dont see dep in the import_key

[Sytten]

Same idea here, you also dont need the ?

[Sytten]

You dont need the ? since the dep is requested just before it

[Sytten]

Unsure if you really need the include now?

[Sytten]

I would replace that with

      crypto:
        required: false
        type: string
        default: "ring"

[Sytten]

Then add here:

      - name: Map crypto feature to TLS and crypto features
        id: features
        shell: bash
        run: |
          case "${{ inputs.crypto }}" in
            graviola)
              echo "tls_feature=tls-graviola" >> $GITHUB_OUTPUT
              echo "crypto_feature=crypto-graviola" >> $GITHUB_OUTPUT
              ;;
            ring)
              echo "tls_feature=tls-ring" >> $GITHUB_OUTPUT
              echo "crypto_feature=crypto-ring" >> $GITHUB_OUTPUT
              ;;
            openssl)
              echo "tls_feature=tls-openssl" >> $GITHUB_OUTPUT
              echo "crypto_feature=crypto-openssl" >> $GITHUB_OUTPUT
              ;;
            aws-lc)
              echo "tls_feature=tls-aws-lc" >> $GITHUB_OUTPUT
              echo "crypto_feature=crypto-ring" >> $GITHUB_OUTPUT
              ;;
            *)
              echo "Unknown crypto feature: ${{ inputs.crypto }}"
              exit 1
              ;;
          esac

You can add other cases if you want to mix and match

[Sytten]

Then replace the following with

      - name: Run build crates
        shell: bash
        env:
          RUSTFLAGS: ""
          TLS_FEATURE: ${{ steps.features.outputs.tls_feature }}
          CRYPTO_FEATURE: ${{ steps.features.outputs.crypto_feature }}
        run: |
          crates=$(cargo metadata --no-deps --format-version 1 --quiet | jq -r '.packages[] | select(.manifest_path | contains("modules/")) | .name')
          for crate in $crates; do
            echo "Compiling crate: $crate"
            # Use TLS feature for crates that need TLS, with --no-default-features to avoid conflicts
            if [ "$crate" = "llrt_fetch" ] || [ "$crate" = "llrt_http" ]; then
              cargo build -p "$crate" --no-default-features --features "http1,http2,webpki-roots,compression-rust,$TLS_FEATURE"
            elif [ "$crate" = "llrt_crypto" ]; then
              cargo build -p "$crate" --no-default-features --features "$CRYPTO_FEATURE"
            else
              cargo build -p "$crate"
            fi
          done
      - name: Run build all
        env:
          TLS_FEATURE: ${{ steps.features.outputs.tls_feature }}
          CRYPTO_FEATURE: ${{ steps.features.outputs.crypto_feature }}
        run: |
          cargo build -p llrt_modules --no-default-features --features "base,$TLS_FEATURE,$CRYPTO_FEATURE"
      - name: Run tests all
        env:
          TLS_FEATURE: ${{ steps.features.outputs.tls_feature }}
          CRYPTO_FEATURE: ${{ steps.features.outputs.crypto_feature }}
        run: |
          cargo test -p llrt_modules --no-default-features --features "base,$TLS_FEATURE,$CRYPTO_FEATURE"

[Sytten]

Missing a tls-openssl, you can use the rustls-openssl crate for that

[Sytten]

This is not ideal since it will keep the whole data in memory until digest.
hmac and hash are streaming encoding so you only keep buffer the size of the output + one block.
I think you can use the trick <crate::provider::DefaultProvider as CryptoProvider>::Hashmac.
Otherwise I would box the trait like Box<dyn HmacProvider>, the indirection is worth the space save.

[Sytten]

Same here