Support FIPS with aws-lc-rs
The aws-lc-rs crate supports a fips feature flag that links the crate to a FIPS-validated crypto module. It'd be really helpful if biscuit-auth supported the use of modular cryptographic crates similar to how rustls supports multiple crypto backends!
Along these lines, it'd also be helpful to be able to enable/disable particular cryptographic algorithms using feature flags, to disconnect particular unused dependency crates. For example, if I only use ecdsa, I might want to exclude rsa as a dependency.
Hi, it’d be useful to feature-gate crypto libraries.
One thing we would also like to do, and that would allow using arbitrary cryptographic implementations (including various KMSs or secure enclaves), is to provide a trait for signature creation and verification (that would be half of the solution, because this trait would only work for well-known keys and not attenuation keys).
So yeah, in any case, both approaches would be useful.