diff --git a/internal/crypto/Cargo.toml b/internal/crypto/Cargo.toml
index aad3bd0e..9c2bbac6 100644
--- a/internal/crypto/Cargo.toml
+++ b/internal/crypto/Cargo.toml
@@ -28,6 +28,7 @@ rustdoc-args = ["--cfg", "docsrs"]
 [features]
 json_schema = ["dep:schemars"]
 openssl = ["dep:openssl", "_anyssl"]
+boringssl = ["dep:boring", "_anyssl"]
 # Internal-only. Use the `openssl` feature to enable it.
 _anyssl = []
@@ -48,6 +49,7 @@ x509-certificate = "0.21.0"
 x509-parser = "0.16.0"
 [target.'cfg(not(target_arch = "wasm32"))'.dependencies]
+boring = { version = "4.13", optional = true }
 openssl = { version = "0.10.61", features = ["vendored"], optional = true }
 ureq = "2.4.0"
 url = "2.5.3"
diff --git a/internal/crypto/src/lib.rs b/internal/crypto/src/lib.rs
index 43008cf9..d06ec446 100644
--- a/internal/crypto/src/lib.rs
+++ b/internal/crypto/src/lib.rs
@@ -29,6 +29,9 @@ pub mod ocsp;
 #[cfg(all(feature = "_anyssl", target_arch = "wasm32"))]
 compile_error!("OpenSSL feature is not compatible with WASM platform");
+#[cfg(all(feature = "boringssl", feature = "openssl"))]
+compile_error!("BoringSSL and OpenSSL can't be both enabled at the same time");
+
 #[cfg(feature = "_anyssl")]
 pub mod openssl;
diff --git a/internal/crypto/src/openssl/validators/ecdsa_validator.rs b/internal/crypto/src/openssl/validators/ecdsa_validator.rs
index 59019e61..03308e69 100644
--- a/internal/crypto/src/openssl/validators/ecdsa_validator.rs
+++ b/internal/crypto/src/openssl/validators/ecdsa_validator.rs
@@ -11,6 +11,8 @@
 // specific language governing permissions and limitations under
 // each license.
+#[cfg(feature = "boringssl")]
+use boring as openssl;
 use openssl::{
 bn::BigNum, ec::EcKey, ecdsa::EcdsaSig, hash::MessageDigest, pkey::PKey, sign::Verifier,
 };
diff --git a/internal/crypto/src/openssl/validators/ed25519_validator.rs b/internal/crypto/src/openssl/validators/ed25519_validator.rs
index d58f2fb9..9c8b7b4f 100644
--- a/internal/crypto/src/openssl/validators/ed25519_validator.rs
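Review bot: The comment kept directly below the new `boringssl` feature still says `_anyssl` is enabled through the `openssl` feature only, which is no longer true now that `boringssl` also lists `"_anyssl"`. Update it so the two public entry points are both named, for example `# Internal-only. Enabled by either the openssl or the boringssl feature.`.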
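Review bot: The added `compile_error!` makes `boringssl` and `openssl` mutually exclusive, so `cargo build --all-features`, and any dependency graph in which two crates select different backends, will stop compiling; that deserves a sentence in the crate-level docs telling integrators to pick exactly one backend. The guard two lines above fires on `_anyssl`, which `boringssl` now also enables, yet its message names only OpenSSL; consider `compile_error!("OpenSSL and BoringSSL features are not compatible with WASM platform");`.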
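Review bot: The `#[cfg(feature = "boringssl")] use boring as openssl;` pair added here is repeated verbatim in every validator, signer and test file touched by this commit, with no comment explaining why a crate named `openssl` may actually be BoringSSL. A single `#[cfg(feature = "boringssl")] extern crate boring as openssl;` at each crate root would put the alias in one place; if the per-file form is kept, add a comment such as `// BoringSSL backend: the boring crate mirrors the openssl crate API used below.` Because these files verify signatures, the validator tests should run in CI under the `boringssl` feature as well, so that any behavioural difference between the two backends is caught rather than assumed away.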
+++ b/internal/crypto/src/openssl/validators/ed25519_validator.rs
@@ -11,6 +11,8 @@
 // specific language governing permissions and limitations under
 // each license.
+#[cfg(feature = "boringssl")]
+use boring as openssl;
 use openssl::{pkey::PKey, sign::Verifier};
 use crate::{
diff --git a/internal/crypto/src/openssl/validators/rsa_legacy_validator.rs b/internal/crypto/src/openssl/validators/rsa_legacy_validator.rs
index 77f292fe..6c665d8d 100644
--- a/internal/crypto/src/openssl/validators/rsa_legacy_validator.rs
+++ b/internal/crypto/src/openssl/validators/rsa_legacy_validator.rs
@@ -13,6 +13,8 @@
 #![allow(missing_docs)] // REMOVE once this becomes `pub(crate)`
+#[cfg(feature = "boringssl")]
+use boring as openssl;
 use openssl::{hash::MessageDigest, pkey::PKey, rsa::Rsa, sign::Verifier};
 use crate::{
diff --git a/internal/crypto/src/openssl/validators/rsa_validator.rs b/internal/crypto/src/openssl/validators/rsa_validator.rs
index 111474cc..663a390a 100644
--- a/internal/crypto/src/openssl/validators/rsa_validator.rs
+++ b/internal/crypto/src/openssl/validators/rsa_validator.rs
@@ -11,6 +11,8 @@
 // specific language governing permissions and limitations under
 // each license.
+#[cfg(feature = "boringssl")]
+use boring as openssl;
 use openssl::{
 hash::MessageDigest,
 pkey::PKey,
diff --git a/internal/crypto/src/raw_signature/validator.rs b/internal/crypto/src/raw_signature/validator.rs
index eb85a936..0436f435 100644
--- a/internal/crypto/src/raw_signature/validator.rs
+++ b/internal/crypto/src/raw_signature/validator.rs
@@ -12,6 +12,8 @@
 // each license.
 use bcder::Oid;
+#[cfg(feature = "boringssl")]
+use boring as openssl;
 use thiserror::Error;
 use super::oids::*;
diff --git a/internal/crypto/src/tests/openssl/validators/ecdsa_validator.rs b/internal/crypto/src/tests/openssl/validators/ecdsa_validator.rs
index cb632762..9b732af0 100644
--- a/internal/crypto/src/tests/openssl/validators/ecdsa_validator.rs
+++ b/internal/crypto/src/tests/openssl/validators/ecdsa_validator.rs
@@ -11,6 +11,8 @@
 // specific language governing permissions and limitations under
 // each license.
+#[cfg(feature = "boringssl")]
+use boring as openssl;
 use openssl::x509::X509;
 use crate::{
diff --git a/internal/crypto/src/tests/openssl/validators/ed25519_validator.rs b/internal/crypto/src/tests/openssl/validators/ed25519_validator.rs
index 184afe9c..10533889 100644
--- a/internal/crypto/src/tests/openssl/validators/ed25519_validator.rs
+++ b/internal/crypto/src/tests/openssl/validators/ed25519_validator.rs
@@ -11,6 +11,9 @@
 // specific language governing permissions and limitations under
 // each license.
+#[cfg(feature = "boringssl")]
+use boring as openssl;
+
 use crate::{
 openssl::validators::Ed25519Validator,
 raw_signature::{RawSignatureValidationError, RawSignatureValidator},
diff --git a/internal/crypto/src/tests/openssl/validators/rsa_legacy_validator.rs b/internal/crypto/src/tests/openssl/validators/rsa_legacy_validator.rs
index 2b692d16..5bba1f80 100644
--- a/internal/crypto/src/tests/openssl/validators/rsa_legacy_validator.rs
+++ b/internal/crypto/src/tests/openssl/validators/rsa_legacy_validator.rs
@@ -11,6 +11,8 @@
 // specific language governing permissions and limitations under
 // each license.
+#[cfg(feature = "boringssl")]
+use boring as openssl;
 use openssl::x509::X509;
 use crate::{
diff --git a/internal/crypto/src/tests/openssl/validators/rsa_validator.rs b/internal/crypto/src/tests/openssl/validators/rsa_validator.rs
index b7effddf..68c02675 100644
--- a/internal/crypto/src/tests/openssl/validators/rsa_validator.rs
+++ b/internal/crypto/src/tests/openssl/validators/rsa_validator.rs
@@ -11,6 +11,8 @@
 // specific language governing permissions and limitations under
 // each license.
+#[cfg(feature = "boringssl")]
+use boring as openssl;
 use openssl::x509::X509;
 use crate::{
diff --git a/sdk/Cargo.toml b/sdk/Cargo.toml
index 0e1ae32b..02fcecad 100644
--- a/sdk/Cargo.toml
+++ b/sdk/Cargo.toml
@@ -35,6 +35,8 @@ no_interleaved_io = ["file_io"]
 fetch_remote_manifests = []
 openssl = ["dep:openssl", "c2pa-crypto/openssl", "_anyssl"]
 openssl_sign = ["openssl", "c2pa-crypto/openssl", "_anyssl_sign"]
+boringssl = ["dep:boring", "c2pa-crypto/boringssl", "_anyssl"]
+boringssl_sign = ["boringssl", "c2pa-crypto/boringssl", "_anyssl_sign"]
 json_schema = ["dep:schemars", "c2pa-crypto/json_schema"]
 pdf = ["dep:lopdf"]
 v1_api = []
@@ -142,6 +144,7 @@ image = { version = "0.24.7", default-features = false, features = [
 "png",
 ], optional = true }
 instant = "0.1.12"
+boring = { version = "4.13", optional = true }
 openssl = { version = "0.10.61", features = ["vendored"], optional = true }
 [target.'cfg(target_arch = "wasm32")'.dependencies]
diff --git a/sdk/src/error.rs b/sdk/src/error.rs
index 8bca275e..109cfc1e 100644
--- a/sdk/src/error.rs
+++ b/sdk/src/error.rs
@@ -13,6 +13,8 @@
 // #![deny(missing_docs)] (we'll turn this on once fully documented)
+#[cfg(feature = "boringssl")]
+use boring as openssl;
 use thiserror::Error;
 /// `Error` enumerates errors returned by most C2PA toolkit operations.
diff --git a/sdk/src/manifest_store.rs b/sdk/src/manifest_store.rs
index e1a24ac8..f40b5609 100644
--- a/sdk/src/manifest_store.rs
+++ b/sdk/src/manifest_store.rs
@@ -580,10 +580,7 @@ impl std::fmt::Display for ManifestStore {
 }
 }
-#[cfg(all(
- test,
- any(target_arch = "wasm32", feature = "_anyssl")
-))]
+#[cfg(all(test, any(target_arch = "wasm32", feature = "_anyssl")))]
 mod tests {
 #![allow(clippy::expect_used)]
 #![allow(clippy::unwrap_used)]
diff --git a/sdk/src/openssl/ec_signer.rs b/sdk/src/openssl/ec_signer.rs
index 136cf328..8244076e 100644
--- a/sdk/src/openssl/ec_signer.rs
+++ b/sdk/src/openssl/ec_signer.rs
@@ -11,6 +11,8 @@
 // specific language governing permissions and limitations under
 // each license.
+#[cfg(feature = "boringssl")]
+use boring as openssl;
 use c2pa_crypto::{openssl::OpenSslMutex, SigningAlg};
 use openssl::{
 ec::EcKey,
diff --git a/sdk/src/openssl/ed_signer.rs b/sdk/src/openssl/ed_signer.rs
index 21202eeb..e8e83621 100644
--- a/sdk/src/openssl/ed_signer.rs
+++ b/sdk/src/openssl/ed_signer.rs
@@ -11,6 +11,8 @@
 // specific language governing permissions and limitations under
 // each license.
+#[cfg(feature = "boringssl")]
+use boring as openssl;
 use c2pa_crypto::{openssl::OpenSslMutex, SigningAlg};
 use openssl::{
 pkey::{PKey, Private},
diff --git a/sdk/src/openssl/mod.rs b/sdk/src/openssl/mod.rs
index 5a3105cf..7fdccf8c 100644
--- a/sdk/src/openssl/mod.rs
+++ b/sdk/src/openssl/mod.rs
@@ -40,6 +40,8 @@ pub(crate) use openssl_trust_handler::OpenSSLTrustHandlerConfig;
 pub(crate) mod temp_signer_async;
 #[cfg(feature = "_anyssl")]
+#[cfg(feature = "boringssl")]
+use boring as openssl;
 use openssl::x509::X509;
 #[cfg(test)]
 #[allow(unused_imports)]
diff --git a/sdk/src/openssl/openssl_trust_handler.rs b/sdk/src/openssl/openssl_trust_handler.rs
index 6283c9e3..6f41c50f 100644
--- a/sdk/src/openssl/openssl_trust_handler.rs
+++ b/sdk/src/openssl/openssl_trust_handler.rs
@@ -11,6 +11,8 @@
 // specific language governing permissions and limitations under
 // each license.
+#[cfg(feature = "boringssl")]
+use boring as openssl;
 use std::{
 collections::HashSet,
 io::{BufRead, BufReader, Cursor, Read},
@@ -267,6 +269,7 @@ pub(crate) fn verify_trust(
 if let Some(st) = signing_time_epoc {
 verify_param.set_time(st);
 } else {
+ #[cfg(feature = "openssl")]
 verify_param
 .set_flags(X509VerifyFlags::NO_CHECK_TIME)
 .map_err(Error::OpenSslError)?;
diff --git a/sdk/src/openssl/rsa_signer.rs b/sdk/src/openssl/rsa_signer.rs
index 2ffe1493..7bcd409d 100644
--- a/sdk/src/openssl/rsa_signer.rs
+++ b/sdk/src/openssl/rsa_signer.rs
@@ -13,6 +13,8 @@
 use std::cell::Cell;
+#[cfg(feature = "boringssl")]
+use boring as openssl;
 use c2pa_crypto::{ocsp::OcspResponse, openssl::OpenSslMutex, SigningAlg};
 use openssl::{
 hash::MessageDigest,
diff --git a/sdk/src/salt.rs b/sdk/src/salt.rs
index a69782ba..a5ff8661 100644
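Review bot: In `sdk/src/openssl/mod.rs` the two added lines land between the existing `#[cfg(feature = "_anyssl")]` and the `use openssl::x509::X509;` it used to guard, so the `_anyssl` gate now stacks onto the alias and the `X509` import becomes unconditional. If this module is compiled with neither backend enabled, as the per-item gates around it suggest, that import will no longer resolve. Put the alias above the existing attribute so the gate stays on the import: `#[cfg(feature = "boringssl")] use boring as openssl;` followed by `#[cfg(feature = "_anyssl")] use openssl::x509::X509;`.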
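Review bot: Gating the `NO_CHECK_TIME` call on `feature = "openssl"` leaves the `else` branch of `verify_trust` empty under `boringssl`, so when `signing_time_epoc` is `None` the chain is presumably checked against the current clock while the OpenSSL build skips validity-period checks entirely. The same manifest can therefore be trusted by one backend and rejected by the other once a certificate expires, and nothing in the code says this is intended. Document the divergence at the branch, for example `// BoringSSL build: NO_CHECK_TIME is not applied, so validity is checked against the current time.`, and add a test with an expired chain and no signing time under each backend. `X509VerifyFlags` may also become an unused import in the `boringssl` build; the function body starts and ends outside this hunk, so that could not be confirmed here.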
--- a/sdk/src/salt.rs
+++ b/sdk/src/salt.rs
@@ -57,6 +57,9 @@ impl SaltGenerator for DefaultSalt {
 fn generate_salt(&self) -> Option> {
 #[cfg(feature = "_anyssl_sign")]
 {
+ #[cfg(feature = "boringssl")]
+ use boring as openssl;
+
 let mut salt = vec![0u8; self.salt_len];
 openssl::rand::rand_bytes(&mut salt).ok()?;