Add RustCrypto backend for MUSL/Docker compatibility #73
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
* Add RustCrypto backend for MUSL/Docker compatibility Implement a pure-Rust cryptographic backend using the RustCrypto ecosystem to enable deployment in MUSL/Docker environments without OpenSSL dependencies. This change adds a new 'backend-rustcrypto' feature flag that provides a fully-functional alternative to the existing OpenSSL backend. The new backend uses p256 for elliptic curve operations, aes-gcm for encryption, and other RustCrypto crates for cryptographic primitives. Key changes: - Add RustCryptoCryptographer implementing the Cryptographer trait - Add backend-rustcrypto feature with pure-Rust dependencies - Implement full interoperability between OpenSSL and RustCrypto backends - Add comprehensive test suite including cross-backend interop tests - Update documentation with usage examples for both backends All RFC 8291 test vectors pass with both backends. The implementation is backward compatible with no breaking changes to the existing API. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * Make tests backend-agnostic and simplify interop tests - Remove backend-openssl gates from aes128gcm_tests module - Make all RFC test vectors run with both OpenSSL and RustCrypto - Simplify interop tests to single minimal test - Fix backend-specific error matching in truncated_auth_secret test Test coverage: - RustCrypto: 23 tests (up from 11) - OpenSSL: 29 tests (unchanged) - Both: 30 tests (includes interop) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix clippy warnings and apply rustfmt - Add module-level #![allow] attributes for deprecated and dead_code - Remove AES_GCM_NONCE_LENGTH constant, use literal value - Remove inline allow attributes (now at module level) - Clean up comments for deprecated API usage All clippy checks pass with -D warnings. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * Improve allow attributes with better documentation Replace blanket #![allow(dead_code)] with targeted #[allow(dead_code)] on specific types and impl blocks. Add clear comments explaining: - deprecated: Due to generic-array < 1.0 in aes-gcm 0.10 (stable). Will be resolved when aes-gcm 0.11 is released. - dead_code: Types appear unused when both backends are enabled because OpenSSL takes precedence, but they're required by the Cryptographer trait implementation and used in tests. This makes the allow attributes more maintainable and documents why they exist. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Adds a pure-Rust cryptography backend using RustCrypto crates (p256, aes-gcm, hkdf) as an alternative to OpenSSL. This enables deployment in MUSL-based environments (Alpine Linux, static binaries) without C dependencies.
Changes:
backend-rustcryptofeature flagCryptographertrait implementation insrc/crypto/rustcrypto.rsUsage:
No breaking changes - OpenSSL remains the default backend.