jsonwebtoken icon indicating copy to clipboard operation
jsonwebtoken copied to clipboard
verified publisher icon Keats

remove ring

Open itanxiao opened this issue 2 years ago • 15 comments

itanxiao avatar Jun 19 '23 05:06 itanxiao

Can you add a CI setup for it?

Keats avatar Jun 19 '23 15:06 Keats

@chenzhenjia Are you still working on that? If not I would like to take over

myFavShrimp avatar Sep 04 '23 15:09 myFavShrimp

@chenzhenjia你还在做这方面的工作吗?如果没有我想接手

I don't have time right now, if you have time you can take over

itanxiao avatar Sep 06 '23 08:09 itanxiao

I also need this. @Keats do you have an example of a CI setup? I can take a stab if I have something to work off of

ash-burnt avatar Sep 28 '23 22:09 ash-burnt

I don't have an example, but it should not be too hard to find one looking at Rust projects with wasm support

Keats avatar Sep 29 '23 10:09 Keats

I added one in https://github.com/Keats/jsonwebtoken/pull/345.

I'm now wondering if we should just ditch ring vs using the pure rust sha/rsa etc crates entirely?

Keats avatar Nov 07 '23 11:11 Keats

If someone can try a PR that removes ring, that'd be great. I'll do it otherwise but no idea on when

Keats avatar Nov 09 '23 21:11 Keats

@Keats The ring has been completely removed

itanxiao avatar Mar 15 '24 05:03 itanxiao

@Keats All steps of ci have been successful

itanxiao avatar Mar 17 '24 08:03 itanxiao

Running cargo test --examples fails with the following error message (kept only last most useful lines)

...
     Running unittests examples/ed25519.rs (target/debug/examples/ed25519-dcfabe976d67ec15)

running 1 test
test tests::test ... FAILED

failures:

---- tests::test stdout ----
thread 'tests::test' panicked at examples/ed25519.rs:65:18:
called `Result::unwrap()` on an `Err` value: Error(InvalidEddsaKey)
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace


failures:
    tests::test

test result: FAILED. 0 passed; 1 failed; 0 ignored; 0 measured; 0 filtered out; finished in 0.00s

error: test failed, to rerun pass `--example ed25519`

It is a result of this example expecting method DecodingKey::from_ed_der to expect actually DER encoded public key, while this method currently expects raw 32 bytes public key (see issue #362). It means that at least this PR keeps the old behavior in this situation (if supplying raw correct public key still works as it did, with no new bugs, because I didn't test this part).

tokarevart avatar Apr 04 '24 20:04 tokarevart

Running cargo test --examples fails with the following error message (kept only last most useful lines)

...
     Running unittests examples/ed25519.rs (target/debug/examples/ed25519-dcfabe976d67ec15)

running 1 test
test tests::test ... FAILED

failures:

---- tests::test stdout ----
thread 'tests::test' panicked at examples/ed25519.rs:65:18:
called `Result::unwrap()` on an `Err` value: Error(InvalidEddsaKey)
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace


failures:
    tests::test

test result: FAILED. 0 passed; 1 failed; 0 ignored; 0 measured; 0 filtered out; finished in 0.00s

error: test failed, to rerun pass `--example ed25519`

It is a result of this example expecting method DecodingKey::from_ed_der to expect actually DER encoded public key, while this method currently expects raw 32 bytes public key (see issue #362). It means that at least this PR keeps the old behavior in this situation (if supplying raw correct public key still works as it did, with no new bugs, because I didn't test this part).

fixed

itanxiao avatar Apr 06 '24 12:04 itanxiao

@Keats hi.Any questions about the pull request?

itanxiao avatar May 23 '24 02:05 itanxiao

So there is another PR replacing ring: https://github.com/Keats/jsonwebtoken/pull/377

I'm not sure what to do tbh, I don't want multiple backends and I don't think the rust crypto crates are FIPS certified right?

Keats avatar May 24 '24 13:05 Keats

So there is another PR replacing ring: #377

I'm not sure what to do tbh, I don't want multiple backends and I don't think the rust crypto crates are FIPS certified right?

  1. Both password and hash functionalities are developed entirely in Rust, without needing C compilation, thus speeding up the compilation process.
  2. The compiled output will be smaller.
  3. More CPU architectures will be supported (ring does not support HarmonyOS, and aws-lc-rs support is uncertain).

Although these libraries are not FIPS certified, their security should not be an issue.

itanxiao avatar Jun 05 '24 05:06 itanxiao

No I completely understand the benefits. It's just that not being FIPS certified means some people can't use the crate at all. On my end I do prefer this PR, maybe I should ask on /r/rust what people think.

Keats avatar Jun 05 '24 13:06 Keats

I'm not sure what to do tbh, I don't want multiple backends and I don't think the rust crypto crates are FIPS certified right?

What is the rationale for not supporting multiple backends? Other crates, such as rustls, accommodate multiple cryptography providers via features like aws-lc-rs (with optional FIPS support via the fips feature) and ring. I do understand maintaining support for multiple backends does add to the maintenance burden of this crate, however the flexibility it offers can be beneficial for consuming crates. For instance, if an application is entirely ring based, switching this crate to only support aws-lc-rs could force consumers to ship their binaries with two cryptographic implementations, increasing image size, etc.

birkmose avatar Jul 25 '24 21:07 birkmose

See https://github.com/Keats/jsonwebtoken/issues/399

If someone wants to do a PR having both, sure

Keats avatar Jul 25 '24 22:07 Keats

I understand. If aws-lc-rs is the only supported crypto provider, could an option to opt out of FIPS support perhaps be provided if it is not needed by the consumer? This would help avoid additional build dependencies like Perl and Go.

birkmose avatar Jul 25 '24 22:07 birkmose