Comments (2)
Hi!
Well, the choice of a cryptographic library it's not an easy subject. ACMEd uses cryptography in several places and I want only one cryptographic library for all those usages. The most important ones are:
- key pair generation, PEM import and export
- either access to the private key's internal components or correct JWK export
- X.509 certificate generation, manipulation and PEM import
- CSR generation and DER export
- TLS
And there is an additional difficulty: the TLS stack must also be used within a decent HTTP client library that does not come with too much dependencies.
The cryptographic libraries I have looked for are :
- Rust Crypto: no certificate, CSR or TLS support.
- Ring: as stated in #2 there is no RSA key generation (required) and no access to private keys internal components.
- OpenSSL: has everything excepted the optional Curve 25519 support.
- Botan: very good candidate, seems to have everything except being used in an HTTP library (but it should be reasonable to add it to an existing one that already support multiple cryptographic libraries like attohttpc).
As you can see, right now OpenSSL is the only choice. Botan is seriously considered to be its successor, but it still requires some work.
By the way, the crate you quoted uses Ring in addition to an RSA library that has not been audited. Considering the very high complexity of correct RSA implementation, I worry much more about such a crate than I do about OpenSSL. Yes, I also yell in pain when I have to deal with the OpenSS-HELL API and I also have been marked by heartbleed. However, RSA being a real mine field, I would rather stick with a well known and audited library like OpenSSL, even though it's painful, rather than use the first one that looks cool.
from acmed.
@breard-r thanks for the insightful comment! (Also, was interesting to read it and some of the articles.) Feel free to close the issue if deemed more proper
from acmed.
Related Issues (20)
- Random failure in podman deployment HOT 3
- Cargo.lock not updated/committed for 0.22.0 HOT 3
- Make {{proof}} available in base64url format, for challenge-tls-alpn-01. HOT 6
- Support for ARI (ACME Renewal Information)
- FR: Add capability to generate (and deploy) DANE records HOT 9
- Allow for not using any pidfile HOT 2
- Lock the dependencies by committing the Cargo.lock HOT 1
- Compliance with Let's Encrypt Integration Guide HOT 9
- Use more external crates HOT 3
- Include config directories HOT 1
- Scheduling renewals
- Exponential backoff for retrying renewals
- Certificate meta-information file HOT 1
- Functional/integration testing
- Fine grained rate-limits HOT 2
- Exposing prometheus/opentelemetry compatible metrics.
- Reduce error boilerplate using `thiserror` HOT 2
- Don't create a new http client/session on each request
- Expose file paths of cert and private key to post-operation hook
- Stop using a deprecated function when creating a certificate in tacd
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from acmed.