Pluggable Crypto #585
tustvold left a comment
One aspect that is potentially worth highlighting is that if skip_signature is false, it should be possible to instantiate without a crypto provider.
The downside is that the absence is not necessarily detected until request time, I debated including a check in build, but in many cases it isn't always immediately obvious what crypto provision is necessary.
| default = ["fs"] | ||
| cloud = ["serde", "serde_json", "quick-xml", "hyper", "reqwest", "reqwest/stream", "chrono/serde", "base64", "rand", "ring", "http-body-util", "form_urlencoded", "serde_urlencoded"] | ||
| azure = ["cloud", "httparse"] | ||
| cloud-no-crypto = ["serde", "serde_json", "quick-xml", "hyper", "reqwest", "reqwest/stream", "chrono/serde", "base64", "rand","http-body-util", "form_urlencoded", "serde_urlencoded"] |
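Review bot: `cloud-no-crypto` repeats the whole `cloud` dependency list minus `ring`, so the two lists will drift apart as dependencies are added; defining `cloud = ["cloud-no-crypto", "ring"]` would state the ring-free set once. Also, `azure = ["cloud", "httparse"]` still pulls in `ring` through `cloud`, so nothing on these lines lets a consumer build Azure support with a custom provider only, and there is a missing space after `"rand",`.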
I'm not a massive fan of the feature explosion, but this was the only way to avoid needing to cut a breaking release.
| fn sign(&self, algorithm: SigningAlgorithm, pem: &[u8]) -> Result<Box<dyn Signer>>; | ||
| } | ||
|
|
||
| /// Incrementally compute a digest, see [`CryptoProvider::digest`] |
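Review bot: `sign` takes raw `pem: &[u8]` and leaves parsing to each provider, so the trait doc should state which PEM encodings (e.g. which private-key container formats) a provider must accept and that the provider must not retain the key bytes beyond the returned `Signer`; otherwise different providers will accept different key files and handle key material differently, which callers cannot see from the signature.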
I opted to allow for incremental computation to somewhat future-proof this API
| ///Updates the digest with all the data in data. | ||
| /// | ||
| /// It is implementation-defined behaviour to call this after calling [`Self::finish`] | ||
| fn update(&mut self, data: &[u8]); |
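Review bot: the doc comment on `update` is missing a space after `///`, and "implementation-defined behaviour" for calling `update` after `finish` is too weak a contract for a digest that feeds request signing, since a provider could silently fold the extra bytes into the next result. Spell out the required behaviour, for example that the next `finish` must return an error, so misuse cannot yield a digest over unexpected data.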
I debated making this method fallible, but decided any error can be returned by finish
| /// If `custom` is `Some(v)` returns `v` otherwise returns the compile-time default | ||
| #[cfg(feature = "ring")] | ||
| #[inline] | ||
| pub(crate) fn crypto_provider(custom: Option<&dyn CryptoProvider>) -> Result<&dyn CryptoProvider> { |
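Review bot: `crypto_provider` is gated on `#[cfg(feature = "ring")]`, so the `Err` arm of its `Result` can only be reached in the non-ring build; the doc should say so, and the error returned when `custom` is `None` with no default should name what the caller must supply (a `CryptoProvider` on the builder) rather than a generic failure, because this is the first point at which a missing provider is detected.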
This formulation is a bit funky, but was the best I could come up with that would:
- Avoid needing breaking changes to AwsAuthorizer and AzureAuthorizer
- Allow not specifying a crypto provider if skip_signature is enabled
| Err(source) => Err(Error::ReadPem { source }), | ||
| } | ||
| #[cfg(feature = "ring")] | ||
| pub fn from_pem(encoded: &[u8]) -> crate::Result<Self> { |
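Review bot: gating `from_pem` on `#[cfg(feature = "ring")]` removes this constructor for exactly the consumers the feature targets, those building with a custom provider; consider keeping `from_pem` available and routing the PEM through the configured `CryptoProvider::sign` instead. Changing the return type to `crate::Result<Self>` is also a public signature change and should be called out in the changelog.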
This is technically a breaking change, however, the previous error type was not public and therefore there wasn't any way to actually name it. I think we can therefore get away with this change
TBC this will need a LOT more testing before I'd feel comfortable merging it, it might be safest to leave for a breaking release just because of the heightened risk of breakage...
| /// Finalizes the digest calculation and returns the digest value. | ||
| /// | ||
| /// It is implementation-defined behaviour to call this after calling [`Self::finish`] | ||
| fn finish(&mut self) -> Result<&[u8]>; |
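Review bot: the doc on `finish` says it is implementation-defined to call it after `Self::finish`, which reads as a copy of the `update` comment; state what a second `finish` does (return the same digest, or an error). Since `finish` is fallible, also document whether an `Err` leaves the digest reusable or means the instance must be discarded.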
I included the fallibility because of openssl - but I'm not sure if any of those errors are actually worth propagating, or if they would imply incorrect usage of openssl...
Creating as a draft to get feedback, still needs more polish / testing
Which issue does this PR close?
Closes #462 #576 #413.
Rationale for this change
Adds the ability to compile object_store without a dependency on ring, and instead use a user-provided crypto implementation.
What changes are included in this PR?
Are there any user-facing changes?
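The two design points discussed in the review above, provider resolution that only fails at request time unless `skip_signature` is set, and an incremental digest whose misuse is an explicit error, worked as an added stand-alone example. This is not object_store's code: the trait, error and function names are assumed, and the FNV-1a provider is a constructed stand-in for a real `ring`-backed one.

```rust
// Added illustration of the design under review; not object_store's code.
// Trait, error and function names are assumed for the example.
#[derive(Debug, PartialEq, Eq)]
pub enum CryptoError {
    NoProvider,     // no provider passed and the build has no compile-time default
    DigestFinished, // `update` after `finish`: an error instead of implementation-defined behaviour
}
pub type Result<T> = std::result::Result<T, CryptoError>;
/// Incremental digest: `update` feeds data, `finish` seals the state.
pub trait Digest {
    fn update(&mut self, data: &[u8]) -> Result<()>;
    fn finish(&mut self) -> Result<&[u8]>;
}
pub trait CryptoProvider {
    fn digest(&self) -> Box<dyn Digest>;
}
/// Toy provider backed by FNV-1a 64 (constructed for the example; NOT a cryptographic hash).
pub struct FnvProvider;
struct Fnv { state: u64, out: Option<[u8; 8]> }
impl Digest for Fnv {
    fn update(&mut self, data: &[u8]) -> Result<()> {
        if self.out.is_some() { return Err(CryptoError::DigestFinished); }
        for &b in data { self.state = (self.state ^ u64::from(b)).wrapping_mul(0x0000_0100_0000_01b3); }
        Ok(())
    }
    fn finish(&mut self) -> Result<&[u8]> {
        // A repeated `finish` returns the sealed value rather than re-hashing.
        let out = self.out.get_or_insert(self.state.to_be_bytes());
        Ok(out.as_slice())
    }
}
impl CryptoProvider for FnvProvider {
    fn digest(&self) -> Box<dyn Digest> { Box::new(Fnv { state: 0xcbf2_9ce4_8422_2325, out: None }) }
}
/// Resolve the provider: the caller's, else the compile-time default. `default == None`
/// models a `cloud-no-crypto` build, so the absence only surfaces here, at request time.
pub fn crypto_provider<'a>(custom: Option<&'a dyn CryptoProvider>, default: Option<&'a dyn CryptoProvider>) -> Result<&'a dyn CryptoProvider> {
    custom.or(default).ok_or(CryptoError::NoProvider)
}
/// Request-time path: with `skip_signature` no provider is touched at all; otherwise the
/// payload digest is computed chunk by chunk through whichever provider was resolved.
pub fn payload_digest(skip_signature: bool, custom: Option<&dyn CryptoProvider>,
                      default: Option<&dyn CryptoProvider>, chunks: &[&[u8]]) -> Result<Option<Vec<u8>>> {
    if skip_signature { return Ok(None); }
    let mut d = crypto_provider(custom, default)?.digest();
    for c in chunks { d.update(c)?; }
    Ok(Some(d.finish()?.to_vec()))
}
```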