Support building with either ring or aws-lc-rs

rustls has support for multiple backends, including aws-lc-rs, as an
alternative to ring. Add support for using either as the backend for
rustls-acme.

Cargo.toml

@@ -11,12 +11,13 @@ keywords = ["acme", "rustls", "tls", "letsencrypt"]
 categories = ["asynchronous", "cryptography", "network-programming"]
 
 [dependencies]
-futures-rustls = "0.25"
+futures-rustls = { version = "0.25", default-features = false }
 futures = "0.3.21"
-rcgen = "0.12"
+rcgen = { version = "0.12", default-features = false, features = ["pem"] }
 serde_json = "1.0.81"
 serde = { version = "1.0.137", features=["derive"] }
-ring = { version = "0.17.7", features = ["std"] }
+ring = { version = "0.17.7", features = ["std"], optional = true }
+aws-lc-rs = { version = "1.5.2", optional = true, default-features = false, features = ["aws-lc-sys"] }
 base64 = "0.21.7"
 log = "0.4.17"
 webpki-roots = "0.26"
@@ -29,7 +30,7 @@ async-io = "2.3.0"
 tokio = { version= "1.20.1", optional= true }
 tokio-util = { version="0.7.3", features = ["compat"], optional=true }
 axum-server = { version = "0.6", features = ["tls-rustls"], optional=true }
-async-web-client = "0.5"
+async-web-client = { version = "0.5.1", default-features = false }
 http = "1"
 blocking = "1.4.1"
 
@@ -42,7 +43,7 @@ tokio-stream = { version="0.1.14", features = ["net"] }
 tokio-util = { version="0.7.10", features = ["compat"] }
 warp = "0.3.4"
 smol = "2.0.0"
-tokio-rustls = "0.25"
+tokio-rustls = { version = "0.25", default-features = false }
 smol-macros = "0.1.0"
 macro_rules_attribute = "0.2.0"
 
@@ -51,6 +52,9 @@ all-features = true
 rustdoc-args = ["--cfg", "doc_auto_cfg"]
 
 [features]
+default = ["ring"]
+ring = ["dep:ring", "async-web-client/ring", "rcgen/ring"]
+aws-lc-rs = ["dep:aws-lc-rs", "async-web-client/aws-lc-rs", "rcgen/aws_lc_rs"]
 axum = ["dep:axum-server", "tokio"]
 tokio = ["dep:tokio", "dep:tokio-util"]
 

src/acme.rs

@@ -1,17 +1,17 @@
 use std::sync::Arc;
 
+use crate::any_ecdsa_type;
 use crate::https_helper::{https, HttpsRequestError};
 use crate::jose::{key_authorization_sha256, sign, JoseError};
+use crate::ring::error::{KeyRejected, Unspecified};
+use crate::ring::rand::SystemRandom;
+use crate::ring::signature::{EcdsaKeyPair, EcdsaSigningAlgorithm, ECDSA_P256_SHA256_FIXED_SIGNING};
 use base64::prelude::*;
 use futures_rustls::pki_types::{CertificateDer, PrivateKeyDer, PrivatePkcs8KeyDer};
-use futures_rustls::rustls::crypto::ring::sign::any_ecdsa_type;
 use futures_rustls::rustls::{sign::CertifiedKey, ClientConfig};
 use http::header::ToStrError;
 use http::{Method, Response};
 use rcgen::{Certificate, CustomExtension, PKCS_ECDSA_P256_SHA256};
-use ring::error::{KeyRejected, Unspecified};
-use ring::rand::SystemRandom;
-use ring::signature::{EcdsaKeyPair, EcdsaSigningAlgorithm, ECDSA_P256_SHA256_FIXED_SIGNING};
 use serde::{Deserialize, Serialize};
 use serde_json::json;
 use thiserror::Error;
@@ -53,7 +53,13 @@ impl Account {
         S: AsRef<str> + 'a,
         I: IntoIterator<Item = &'a S>,
     {
-        let key_pair = EcdsaKeyPair::from_pkcs8(ALG, key_pair, &SystemRandom::new())?;
+        let key_pair = EcdsaKeyPair::from_pkcs8(
+            ALG,
+            key_pair,
+            // ring 0.17 has a third argument here; aws-lc-rs doesn't.
+            #[cfg(feature = "ring")]
+            &SystemRandom::new(),
+        )?;
         let contact: Vec<&'a str> = contact.into_iter().map(AsRef::<str>::as_ref).collect();
         let payload = json!({
             "termsOfServiceAgreed": true,

src/caches/dir.rs

@@ -1,8 +1,8 @@
+use crate::ring::digest::{Context, SHA256};
 use crate::{AccountCache, CertCache};
 use async_trait::async_trait;
 use base64::prelude::*;
 use blocking::unblock;
-use ring::digest::{Context, SHA256};
 use std::io::ErrorKind;
 use std::path::Path;
 

src/jose.rs

@@ -1,7 +1,7 @@
+use crate::ring::digest::{digest, Digest, SHA256};
+use crate::ring::rand::SystemRandom;
+use crate::ring::signature::{EcdsaKeyPair, KeyPair};
 use base64::prelude::*;
-use ring::digest::{digest, Digest, SHA256};
-use ring::rand::SystemRandom;
-use ring::signature::{EcdsaKeyPair, KeyPair};
 use serde::Serialize;
 use thiserror::Error;
 
@@ -110,5 +110,5 @@ pub enum JoseError {
     #[error("json serialization failed: {0}")]
     Json(#[from] serde_json::Error),
     #[error("crypto error: {0}")]
-    Crypto(#[from] ring::error::Unspecified),
+    Crypto(#[from] crate::ring::error::Unspecified),
 }

src/lib.rs

@@ -132,3 +132,11 @@ pub use helpers::*;
 pub use incoming::*;
 pub use resolver::*;
 pub use state::*;
+
+#[cfg(feature = "aws-lc-rs")]
+use ::{aws_lc_rs as ring, futures_rustls::rustls::crypto::aws_lc_rs::sign::any_ecdsa_type};
+#[cfg(all(feature = "ring", not(feature = "aws-lc-rs")))]
+use ::{futures_rustls::rustls::crypto::ring::sign::any_ecdsa_type, ring};
+
+#[cfg(not(any(feature = "ring", feature = "aws-lc-rs")))]
+compile_error!("rustls-acme requires either the ring or aws-lc-rs feature enabled");