Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(tls): AWS Libcrypto Support #2008

Merged
merged 31 commits into from
Nov 6, 2024
Merged

feat(tls): AWS Libcrypto Support #2008

merged 31 commits into from
Nov 6, 2024

Conversation

jenr24-architect
Copy link
Contributor

@jenr24-architect jenr24-architect commented Oct 16, 2024
edited
Loading

Motivation

I want to use aws-lc-rs with tonic.

Solution

adds a feature flag tls-aws-lc in parallel to tls, removed tls feature flag dependency from tls-*-roots features

@jenr24-architect jenr24-architect changed the title AWS Libcrypto Support feat: AWS Libcrypto Support Oct 16, 2024
@jenr24-architect jenr24-architect changed the title feat: AWS Libcrypto Support feat(tls): AWS Libcrypto Support Oct 16, 2024
djc
djc reviewed Oct 16, 2024
View reviewed changes
tonic/Cargo.toml Outdated Show resolved Hide resolved
tonic/src/request.rs Outdated Show resolved Hide resolved
djc
djc approved these changes Oct 17, 2024
View reviewed changes
Copy link
Contributor

@djc djc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changes look good to me, thanks! Need to address the CI failures.

tottoto
tottoto reviewed Oct 17, 2024
View reviewed changes
Copy link
Collaborator

@tottoto tottoto left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks. I left some comments.

Could you update the documentation regarding the features.

tonic/Cargo.toml Outdated Show resolved Hide resolved
tonic/Cargo.toml Outdated Show resolved Hide resolved
tonic/Cargo.toml Outdated Show resolved Hide resolved
@LucioFranco
Copy link
Member

@jenr24-architect could you try to force push again to see if we can get CI to kick off again?

@jenr24-architect
Copy link
Contributor Author

@jenr24-architect could you try to force push again to see if we can get CI to kick off again?

Does it have to be a force push?? It doesn't look like my last push triggered it

tobz
tobz reviewed Oct 22, 2024
View reviewed changes
tonic/Cargo.toml
Comment on lines +36 to +37
tls-native-roots = ["_tls-any", "channel", "dep:rustls-native-certs"]
tls-webpki-roots = ["_tls-any","channel", "dep:webpki-roots"]
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just thinking out loud: it strikes me as unfortunate that this the implication here is that because you would only need to access the certificate trust store for doing client things, that we should also enable the channel feature, which is also necessary for client things.

Like in my mind, it would somehow be nicer if this was tls-client-native-roots, etc... to better indicate what the feature was affecting.

Anyways, just thinking out loud. None of this is blocking or needs a response. :)

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is a good idea. However, since the scope is different from this pull request, I think it would be good to discuss it in a separate pull request rather than changing them here.

tobz
tobz requested changes Oct 22, 2024
View reviewed changes
Copy link
Collaborator

@tobz tobz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like this needs to be run through cargo fmt and there's the broken intra-doc link stuff to sort out.

tonic/src/lib.rs Outdated Show resolved Hide resolved
@tottoto
Copy link
Collaborator

tottoto commented Oct 23, 2024

With this change, users can enable both ring and aws-lc-rs, and when they enable both at the same time, users will need to specify which of these they want to use as the default provider. This setting was already an exposed dependency of rustls as an interface for setting the default provider for rustls, but this was not an issue until now as only ring was supported. I think it would be needed to wrap these configuration APIs in tonic so that users can set which crypto provider to use when both are enabled in order to allow us to use rustls as an internal dependency. It also seems necessary to state that setting the default provider using rustls directly is not intended to be stable for tonic.

@tottoto tottoto self-requested a review October 23, 2024 23:22
@jenr24-architect
Copy link
Contributor Author

With this change, users can enable both ring and aws-lc-rs, and when they enable both at the same time, users will need to specify which of these they want to use as the default provider. This setting was already an exposed dependency of rustls as an interface for setting the default provider for rustls, but this was not an issue until now as only ring was supported. I think it would be needed to wrap these configuration APIs in tonic so that users can set which crypto provider to use when both are enabled in order to allow us to use rustls as an internal dependency. It also seems necessary to state that setting the default provider using rustls directly is not intended to be stable for tonic.

I had thought about this -- I initially had written some code to add ClientTlsConfig::provider(provider: rustls::CryptoProvider) and ServerTlsConfig::provider(provider: rustls::CryptoProvider) so that I could write both a connect_handles_tls_ring and connect_handles_tls_aws_lc integration test, but the scope of that change started to get out of hand.

I would be willing to add that feature, in either this or a separate PR if we're interested in adding that functionality :)

LucioFranco
LucioFranco approved these changes Oct 25, 2024
View reviewed changes
tonic/Cargo.toml Outdated Show resolved Hide resolved
@jenr24-architect @LucioFranco
Update Cargo.toml
8daf349 
Co-authored-by: Lucio Franco <[email protected]>
@LucioFranco
Copy link
Member

@jenr24-architect looks like there are some more CI failures

tottoto
tottoto approved these changes Oct 25, 2024
View reviewed changes
Copy link
Collaborator

@tottoto tottoto left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jenr24-architect

but the scope of that change started to get out of hand.

Makes sense to me. I suppose there are several possible ways to address this, so it seems reasonable to narrow the scope of this pull request.

@tottoto
Copy link
Collaborator

tottoto commented Oct 25, 2024

@LucioFranco The CI failure does not seem to be caused by this pull request's change. I opened #2021 to address it.

@jenr24-architect jenr24-architect mentioned this pull request Oct 29, 2024
Merged
@jenr24-architect
Copy link
Contributor Author

merged master after #2021 merged, this PR is ready for CI to re-run and to enter the merge queue

@tottoto tottoto added this pull request to the merge queue Nov 6, 2024
Merged via the queue into hyperium:master with commit b28b59b Nov 6, 2024
17 checks passed
@conradludgate conradludgate mentioned this pull request Nov 7, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@djc djc djc approved these changes

@tottoto tottoto tottoto approved these changes

@LucioFranco LucioFranco LucioFranco approved these changes

@tobz tobz Awaiting requested review from tobz

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@jenr24-architect @LucioFranco @tottoto @djc @tobz