rustls icon indicating copy to clipboard operation
rustls copied to clipboard

Published 20 hours ago verified publisher icon rustls

Poll-based encrypt/decrypt/sign API support in asynchronous and synchronous call

Open taikulawo opened this issue 1 year ago • 8 comments

Checklist

  • [x] I've searched the issue tracker for similar requests https://github.com/rustls/rustls/issues/850#issuecomment-1544457213 https://github.com/rustls/rustls/issues/341 https://github.com/rustls/rustls/pull/1648 https://github.com/rustls/rustls/issues/1808 Is your feature request related to a problem? Please describe. A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

Describe the solution you'd like https://docs.rs/rustls/latest/rustls/crypto/cipher/trait.MessageDecrypter.html

convert crypto api to poll based

from

pub trait MessageDecrypter: Send + Sync {
    /// Decrypt the given TLS message `msg`, using the sequence number
    /// `seq` which can be used to derive a unique [`Nonce`].
    fn decrypt<'a>(
        &mut self,
        msg: InboundOpaqueMessage<'a>,
        seq: u64,
    ) -> Result<InboundPlainMessage<'a>, Error>;
}

to

pub trait MessageDecrypter: Send + Sync {
    /// Decrypt the given TLS message `msg`, using the sequence number
    /// `seq` which can be used to derive a unique [`Nonce`].
    fn decrypt<'a>(
        &mut self,
        cx: &mut Context<'a>,
        msg: InboundOpaqueMessage<'a>,
        seq: u64,
    ) -> Result<InboundPlainMessage<'a>, Error>;
}

so that we can call tokio#poll_read to make encrypt/decrypt async

every encrypt/decrypt should call through trait, so we can hack it

Additional context rustls only support poll method. user decide whether sync or async. If sync, just do and return Poll::Ready

taikulawo avatar May 31 '24 03:05 taikulawo

I think It's exceedingly unlikely we'll do this. decrypt (and encrypt) are computation-bound and relatively small computations at that, and not IO-bound. What is your use case?

ctz avatar May 31 '24 09:05 ctz

Have you looked at tokio-rustls and the unbuffered API?

djc avatar May 31 '24 09:05 djc

I think It's exceedingly unlikely we'll do this. decrypt (and encrypt) are computation-bound and relatively small computations at that, and not IO-bound. What is your use case?

I want to hook asymmetric cryptography sign and encrypt/decrypt phase, send material to hardware cluster over internet then computed and send back.

It like cloudflare keyless using intel QAT over internet, so rustls encrypt/decrypt must async

taikulawo avatar May 31 '24 09:05 taikulawo

Have you looked at tokio-rustls and the unbuffered API?

I see. I can parse record to extract key material and compute on my hardware cluster through internet. I will do asymmetric cryptography, but I can't let rustls skip from handshake phase to application data phase (symmetric cryptography)

taikulawo avatar May 31 '24 10:05 taikulawo

It like cloudflare keyless

I think this is already covered in #850 ("asynchronous handshake authentication signature" cases)

ctz avatar May 31 '24 10:05 ctz

It like cloudflare keyless

I think this is already covered in #850 ("asynchronous handshake authentication signature" cases)

yes, partially.

Does there have async version MessageDecrypter and MessageEncrypter

taikulawo avatar May 31 '24 16:05 taikulawo

We have deeply demands on asynchronous crypto feature to offload asymmetric key exchange to hardware accelerator. so I would like to see this feature shipped into rustls.

Which asynchronous pattern you would like to accepted? poll-based, future, async fn in trait or others. Or what async design you want to see in rustls?

I will submit a PR. @djc @ctz

taikulawo avatar Jun 05 '24 11:06 taikulawo

we also need it. asynchornous tls sign

fangkaiwodexigua avatar Jul 03 '24 09:07 fangkaiwodexigua