Pure Rust implementation? about acmed HOT 2 OPEN

Hi!

Well, the choice of a cryptographic library it's not an easy subject. ACMEd uses cryptography in several places and I want only one cryptographic library for all those usages. The most important ones are:

• key pair generation, PEM import and export
• either access to the private key's internal components or correct JWK export
• X.509 certificate generation, manipulation and PEM import
• CSR generation and DER export
• TLS

And there is an additional difficulty: the TLS stack must also be used within a decent HTTP client library that does not come with too much dependencies.

The cryptographic libraries I have looked for are :

• Rust Crypto: no certificate, CSR or TLS support.
• Ring: as stated in #2 there is no RSA key generation (required) and no access to private keys internal components.
• OpenSSL: has everything excepted the optional Curve 25519 support.
• Botan: very good candidate, seems to have everything except being used in an HTTP library (but it should be reasonable to add it to an existing one that already support multiple cryptographic libraries like attohttpc).

As you can see, right now OpenSSL is the only choice. Botan is seriously considered to be its successor, but it still requires some work.

By the way, the crate you quoted uses Ring in addition to an RSA library that has not been audited. Considering the very high complexity of correct RSA implementation, I worry much more about such a crate than I do about OpenSSL. Yes, I also yell in pain when I have to deal with the OpenSS-HELL API and I also have been marked by heartbleed. However, RSA being a real mine field, I would rather stick with a well known and audited library like OpenSSL, even though it's painful, rather than use the first one that looks cool.

from acmed.

@breard-r thanks for the insightful comment! (Also, was interesting to read it and some of the articles.) Feel free to close the issue if deemed more proper

from acmed.