c2pa-rs
c2pa-rs copied to clipboard
contentauth
Oxidize openssl
Changes in this pull request
In this PR is try to remove some of the the Openssl dependance and replace it with Ring and Rustls. The motivation was some conversations with E. Scouten and A. Parsons (and also simple curiosity).
The uprooting of Openssl is not complete : I focused on signing and verifying, but left out the specific topic of ocsp checks (except for the simple "chain order" ones).
Of note :
-
Rustls/Ring do not support signing/validating in all cases. As an example, you cannot verify RSA PSS with it: https://github.com/briansmith/ring/issues/1353, even if you can sign with it You can sign with it (https://github.com/briansmith/ring/issues/205). It can be a little bit confusing (https://github.com/briansmith/ring/issues/850).
-
I did not implement OCSP checks. it seemed there was Some Assembly Required (https://github.com/rustls/rustls/issues/31, https://github.com/briansmith/webpki/issues/26).
Nice side effect : no more algorithm specific (rsa/ec/ed) structs : only one rustls signer and one validator. I think this could in turn lead to some interesting refacto in the rest of the code, but left it at that for now. I put the changes behind a with_rustls feature flag (default is on).
All in all, this wants to show how oxidizing Openssl in c2pa could look like, and try to be a draft for such PRs : this is a demo PR that has not been extensively tested.
Checklist
- [] This PR represents a single feature, fix, or change.
- [x] All applicable changes have been documented.
- [x] Any
TO DOitems (or similar) have been entered as GitHub issues and the link to that issue has been included in a comment.
OCSP is about to be enabled so if you can find a solution for that it would be great. Also trust list support is also coming so if you have a way to validate a certificate chain against a set of trust anchors that would be good. Does this PR work with WASM?
Codecov Report
Merging #65 (af523a7) into main (a1e07b2) will decrease coverage by
0.51%. The diff coverage is67.60%.
:mega: This organization is not using Codecov’s GitHub App Integration. We recommend you install it so Codecov can continue to function properly for your repositories. Learn more
@@ Coverage Diff @@
## main #65 +/- ##
==========================================
- Coverage 78.41% 77.90% -0.51%
==========================================
Files 69 75 +6
Lines 16885 17543 +658
==========================================
+ Hits 13240 13667 +427
- Misses 3645 3876 +231
| Impacted Files | Coverage Δ | |
|---|---|---|
| sdk/src/error.rs | 14.28% <ø> (ø) |
|
| sdk/src/lib.rs | 100.00% <ø> (ø) |
|
| sdk/src/openssl/ec_signer.rs | 86.61% <ø> (ø) |
|
| sdk/src/openssl/ec_validator.rs | 96.42% <ø> (ø) |
|
| sdk/src/openssl/mod.rs | 83.33% <ø> (ø) |
|
| sdk/src/rustls/signer.rs | 0.00% <0.00%> (ø) |
|
| sdk/src/validator.rs | 38.46% <33.33%> (-16.09%) |
:arrow_down: |
| sdk/src/rustls/temp_signer.rs | 52.41% <52.41%> (ø) |
|
| sdk/src/rustls/common.rs | 74.01% <74.01%> (ø) |
|
| sdk/src/salt.rs | 80.00% <80.00%> (-1.25%) |
:arrow_down: |
| ... and 9 more |
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.
