BoringSSL compatibility

contentauth · Nov 29, 2024 · 5e055ce · 5e055ce
1 parent 042fd67
commit 5e055ce
Show file tree

Hide file tree

Showing 20 changed files with 44 additions and 4 deletions.
diff --git a/internal/crypto/Cargo.toml b/internal/crypto/Cargo.toml
@@ -28,6 +28,7 @@ rustdoc-args = ["--cfg", "docsrs"]
 [features]
 json_schema = ["dep:schemars"]
 openssl = ["dep:openssl", "_anyssl"]
+boringssl = ["dep:boring", "_anyssl"]
 
 # Internal-only. Use the `openssl` feature to enable it.
 _anyssl = []
@@ -48,6 +49,7 @@ x509-certificate = "0.21.0"
 x509-parser = "0.16.0"
 
 [target.'cfg(not(target_arch = "wasm32"))'.dependencies]
+boring = { version = "4.13", optional = true }
 openssl = { version = "0.10.61", features = ["vendored"], optional = true }
 ureq = "2.4.0"
 url = "2.5.3"

diff --git a/internal/crypto/src/lib.rs b/internal/crypto/src/lib.rs
@@ -29,6 +29,9 @@ pub mod ocsp;
 #[cfg(all(feature = "_anyssl", target_arch = "wasm32"))]
 compile_error!("OpenSSL feature is not compatible with WASM platform");
 
+#[cfg(all(feature = "boringssl", feature = "openssl"))]
+compile_error!("BoringSSL and OpenSSL can't be both enabled at the same time");
+
 #[cfg(feature = "_anyssl")]
 pub mod openssl;
 

diff --git a/internal/crypto/src/openssl/validators/ecdsa_validator.rs b/internal/crypto/src/openssl/validators/ecdsa_validator.rs
@@ -11,6 +11,8 @@
 // specific language governing permissions and limitations under
 // each license.
 
+#[cfg(feature = "boringssl")]
+use boring as openssl;
 use openssl::{
     bn::BigNum, ec::EcKey, ecdsa::EcdsaSig, hash::MessageDigest, pkey::PKey, sign::Verifier,
 };

diff --git a/internal/crypto/src/openssl/validators/ed25519_validator.rs b/internal/crypto/src/openssl/validators/ed25519_validator.rs
@@ -11,6 +11,8 @@
 // specific language governing permissions and limitations under
 // each license.
 
+#[cfg(feature = "boringssl")]
+use boring as openssl;
 use openssl::{pkey::PKey, sign::Verifier};
 
 use crate::{

diff --git a/internal/crypto/src/openssl/validators/rsa_legacy_validator.rs b/internal/crypto/src/openssl/validators/rsa_legacy_validator.rs
@@ -13,6 +13,8 @@
 
 #![allow(missing_docs)] // REMOVE once this becomes `pub(crate)`
 
+#[cfg(feature = "boringssl")]
+use boring as openssl;
 use openssl::{hash::MessageDigest, pkey::PKey, rsa::Rsa, sign::Verifier};
 
 use crate::{

diff --git a/internal/crypto/src/openssl/validators/rsa_validator.rs b/internal/crypto/src/openssl/validators/rsa_validator.rs
@@ -11,6 +11,8 @@
 // specific language governing permissions and limitations under
 // each license.
 
+#[cfg(feature = "boringssl")]
+use boring as openssl;
 use openssl::{
     hash::MessageDigest,
     pkey::PKey,

diff --git a/internal/crypto/src/raw_signature/validator.rs b/internal/crypto/src/raw_signature/validator.rs
@@ -12,6 +12,8 @@
 // each license.
 
 use bcder::Oid;
+#[cfg(feature = "boringssl")]
+use boring as openssl;
 use thiserror::Error;
 
 use super::oids::*;

diff --git a/internal/crypto/src/tests/openssl/validators/ecdsa_validator.rs b/internal/crypto/src/tests/openssl/validators/ecdsa_validator.rs
@@ -11,6 +11,8 @@
 // specific language governing permissions and limitations under
 // each license.
 
+#[cfg(feature = "boringssl")]
+use boring as openssl;
 use openssl::x509::X509;
 
 use crate::{

diff --git a/internal/crypto/src/tests/openssl/validators/ed25519_validator.rs b/internal/crypto/src/tests/openssl/validators/ed25519_validator.rs
@@ -11,6 +11,9 @@
 // specific language governing permissions and limitations under
 // each license.
 
+#[cfg(feature = "boringssl")]
+use boring as openssl;
+
 use crate::{
     openssl::validators::Ed25519Validator,
     raw_signature::{RawSignatureValidationError, RawSignatureValidator},

diff --git a/internal/crypto/src/tests/openssl/validators/rsa_legacy_validator.rs b/internal/crypto/src/tests/openssl/validators/rsa_legacy_validator.rs
@@ -11,6 +11,8 @@
 // specific language governing permissions and limitations under
 // each license.
 
+#[cfg(feature = "boringssl")]
+use boring as openssl;
 use openssl::x509::X509;
 
 use crate::{

diff --git a/internal/crypto/src/tests/openssl/validators/rsa_validator.rs b/internal/crypto/src/tests/openssl/validators/rsa_validator.rs
@@ -11,6 +11,8 @@
 // specific language governing permissions and limitations under
 // each license.
 
+#[cfg(feature = "boringssl")]
+use boring as openssl;
 use openssl::x509::X509;
 
 use crate::{

diff --git a/sdk/Cargo.toml b/sdk/Cargo.toml
@@ -35,6 +35,8 @@ no_interleaved_io = ["file_io"]
 fetch_remote_manifests = []
 openssl = ["dep:openssl", "c2pa-crypto/openssl", "_anyssl"]
 openssl_sign = ["openssl", "c2pa-crypto/openssl", "_anyssl_sign"]
+boringssl = ["dep:boring", "c2pa-crypto/boringssl", "_anyssl"]
+boringssl_sign = ["boringssl", "c2pa-crypto/boringssl", "_anyssl_sign"]
 json_schema = ["dep:schemars", "c2pa-crypto/json_schema"]
 pdf = ["dep:lopdf"]
 v1_api = []
@@ -142,6 +144,7 @@ image = { version = "0.24.7", default-features = false, features = [
     "png",
 ], optional = true }
 instant = "0.1.12"
+boring = { version = "4.13", optional = true }
 openssl = { version = "0.10.61", features = ["vendored"], optional = true }
 
 [target.'cfg(target_arch = "wasm32")'.dependencies]

diff --git a/sdk/src/error.rs b/sdk/src/error.rs
@@ -13,6 +13,8 @@
 
 // #![deny(missing_docs)] (we'll turn this on once fully documented)
 
+#[cfg(feature = "boringssl")]
+use boring as openssl;
 use thiserror::Error;
 
 /// `Error` enumerates errors returned by most C2PA toolkit operations.

diff --git a/sdk/src/manifest_store.rs b/sdk/src/manifest_store.rs
@@ -580,10 +580,7 @@ impl std::fmt::Display for ManifestStore {
     }
 }
 
-#[cfg(all(
-    test,
-    any(target_arch = "wasm32", feature = "_anyssl")
-))]
+#[cfg(all(test, any(target_arch = "wasm32", feature = "_anyssl")))]
 mod tests {
     #![allow(clippy::expect_used)]
     #![allow(clippy::unwrap_used)]

diff --git a/sdk/src/openssl/ec_signer.rs b/sdk/src/openssl/ec_signer.rs
@@ -11,6 +11,8 @@
 // specific language governing permissions and limitations under
 // each license.
 
+#[cfg(feature = "boringssl")]
+use boring as openssl;
 use c2pa_crypto::{openssl::OpenSslMutex, SigningAlg};
 use openssl::{
     ec::EcKey,

diff --git a/sdk/src/openssl/ed_signer.rs b/sdk/src/openssl/ed_signer.rs
@@ -11,6 +11,8 @@
 // specific language governing permissions and limitations under
 // each license.
 
+#[cfg(feature = "boringssl")]
+use boring as openssl;
 use c2pa_crypto::{openssl::OpenSslMutex, SigningAlg};
 use openssl::{
     pkey::{PKey, Private},

diff --git a/sdk/src/openssl/mod.rs b/sdk/src/openssl/mod.rs
@@ -40,6 +40,8 @@ pub(crate) use openssl_trust_handler::OpenSSLTrustHandlerConfig;
 pub(crate) mod temp_signer_async;
 
 #[cfg(feature = "_anyssl")]
+#[cfg(feature = "boringssl")]
+use boring as openssl;
 use openssl::x509::X509;
 #[cfg(test)]
 #[allow(unused_imports)]

diff --git a/sdk/src/openssl/openssl_trust_handler.rs b/sdk/src/openssl/openssl_trust_handler.rs
@@ -11,6 +11,8 @@
 // specific language governing permissions and limitations under
 // each license.
 
+#[cfg(feature = "boringssl")]
+use boring as openssl;
 use std::{
     collections::HashSet,
     io::{BufRead, BufReader, Cursor, Read},
@@ -267,6 +269,7 @@ pub(crate) fn verify_trust(
     if let Some(st) = signing_time_epoc {
         verify_param.set_time(st);
     } else {
+        #[cfg(feature = "openssl")]
         verify_param
             .set_flags(X509VerifyFlags::NO_CHECK_TIME)
             .map_err(Error::OpenSslError)?;

diff --git a/sdk/src/openssl/rsa_signer.rs b/sdk/src/openssl/rsa_signer.rs
@@ -13,6 +13,8 @@
 
 use std::cell::Cell;
 
+#[cfg(feature = "boringssl")]
+use boring as openssl;
 use c2pa_crypto::{ocsp::OcspResponse, openssl::OpenSslMutex, SigningAlg};
 use openssl::{
     hash::MessageDigest,

diff --git a/sdk/src/salt.rs b/sdk/src/salt.rs
@@ -57,6 +57,9 @@ impl SaltGenerator for DefaultSalt {
     fn generate_salt(&self) -> Option<Vec<u8>> {
         #[cfg(feature = "_anyssl_sign")]
         {
+            #[cfg(feature = "boringssl")]
+            use boring as openssl;
+
             let mut salt = vec![0u8; self.salt_len];
             openssl::rand::rand_bytes(&mut salt).ok()?;