chore(crypto): Remove openssl feature flag (#835)

contentauth · Jan 10, 2025 · 63abda2 · 63abda2
1 parent 828e258
commit 63abda2
Show file tree

Hide file tree

Showing 15 changed files with 86 additions and 129 deletions.
diff --git a/internal/crypto/Cargo.toml b/internal/crypto/Cargo.toml
@@ -31,7 +31,6 @@ rustdoc-args = ["--cfg", "docsrs"]
 
 [features]
 json_schema = ["dep:schemars"]
-openssl = ["dep:openssl"]
 
 [dependencies]
 asn1-rs = "0.6.2"
@@ -62,7 +61,7 @@ x509-certificate = "0.21.0"
 x509-parser = "0.16.0"
 
 [target.'cfg(not(target_arch = "wasm32"))'.dependencies]
-openssl = { version = "0.10.61", features = ["vendored"], optional = true }
+openssl = { version = "0.10.61", features = ["vendored"] }
 ureq = "2.4.0"
 url = "2.5.3"
 

diff --git a/internal/crypto/src/cose/certificate_profile.rs b/internal/crypto/src/cose/certificate_profile.rs
@@ -88,7 +88,7 @@ pub fn check_certificate_profile(
         // timestamp is valid now.
         let Ok(now) = SystemTime::now().duration_since(web_time::UNIX_EPOCH) else {
             return Err(CertificateProfileError::InternalError(
-                "system time invalid",
+                "system time invalid".to_string(),
             ));
         };
 
@@ -491,7 +491,7 @@ pub enum CertificateProfileError {
     /// An unexpected internal error occured while requesting the time stamp
     /// response.
     #[error("internal error ({0})")]
-    InternalError(&'static str),
+    InternalError(String),
 }
 
 fn generalized_time_to_datetime(gt: GeneralizedTime) -> DateTime<Utc> {

diff --git a/internal/crypto/src/cose/certificate_trust_policy.rs b/internal/crypto/src/cose/certificate_trust_policy.rs
@@ -113,7 +113,7 @@ impl CertificateTrustPolicy {
             }
         }
 
-        #[cfg(feature = "openssl")]
+        #[cfg(not(target_arch = "wasm32"))]
         {
             return crate::openssl::check_certificate_trust::check_certificate_trust(
                 self,
@@ -124,7 +124,7 @@ impl CertificateTrustPolicy {
         }
 
         Err(CertificateTrustError::InternalError(
-            "no implementation for certificate evaluation available",
+            "no implementation for certificate evaluation available".to_string(),
         ))
     }
 
@@ -344,18 +344,9 @@ pub enum CertificateTrustError {
     #[error("the certificate contains an invalid extended key usage (EKU) value")]
     InvalidEku,
 
-    /// An error was reported by the OpenSSL native code.
-    ///
-    /// NOTE: We do not directly capture the OpenSSL error itself because it
-    /// lacks an Eq implementation. Instead we capture the error description.
-    #[cfg(feature = "openssl")]
-    #[error("an error was reported by OpenSSL native code: {0}")]
-    OpenSslError(String),
-
-    /// The OpenSSL native code mutex could not be acquired.
-    #[cfg(feature = "openssl")]
-    #[error(transparent)]
-    OpenSslMutexUnavailable(#[from] crate::openssl::OpenSslMutexUnavailable),
+    /// An error was reported by the underlying cryptography implementation.
+    #[error("an error was reported by the cryptography library: {0}")]
+    CryptoLibraryError(String),
 
     /// The certificate (or certificate chain) that was presented is invalid.
     #[error("the certificate or certificate chain is invalid")]
@@ -364,13 +355,20 @@ pub enum CertificateTrustError {
     /// An unexpected internal error occured while requesting the time stamp
     /// response.
     #[error("internal error ({0})")]
-    InternalError(&'static str),
+    InternalError(String),
 }
 
-#[cfg(feature = "openssl")]
+#[cfg(not(target_arch = "wasm32"))]
 impl From<openssl::error::ErrorStack> for CertificateTrustError {
     fn from(err: openssl::error::ErrorStack) -> Self {
-        Self::OpenSslError(err.to_string())
+        Self::CryptoLibraryError(err.to_string())
+    }
+}
+
+#[cfg(not(target_arch = "wasm32"))]
+impl From<crate::openssl::OpenSslMutexUnavailable> for CertificateTrustError {
+    fn from(err: crate::openssl::OpenSslMutexUnavailable) -> Self {
+        Self::InternalError(err.to_string())
     }
 }
 
@@ -379,10 +377,10 @@ impl From<crate::webcrypto::WasmCryptoError> for CertificateTrustError {
     fn from(err: crate::webcrypto::WasmCryptoError) -> Self {
         match err {
             crate::webcrypto::WasmCryptoError::UnknownContext => {
-                Self::InternalError("unknown WASM context")
+                Self::InternalError("unknown WASM context".to_string())
             }
             crate::webcrypto::WasmCryptoError::NoCryptoAvailable => {
-                Self::InternalError("WASM crypto unavailable")
+                Self::InternalError("WASM crypto unavailable".to_string())
             }
         }
     }

diff --git a/internal/crypto/src/lib.rs b/internal/crypto/src/lib.rs
@@ -26,16 +26,11 @@ pub mod hash;
 pub(crate) mod internal;
 pub mod ocsp;
 
-#[cfg(all(feature = "openssl", target_arch = "wasm32"))]
-compile_error!("OpenSSL feature is not compatible with WASM platform");
-
-#[cfg(feature = "openssl")]
-pub mod openssl;
+#[cfg(not(target_arch = "wasm32"))]
+pub(crate) mod openssl;
 
 pub(crate) mod p1363;
-
 pub mod raw_signature;
-
 pub mod time_stamp;
 
 #[cfg(all(target_arch = "wasm32", not(target_os = "wasi")))]

diff --git a/internal/crypto/src/openssl/signers/ecdsa_signer.rs b/internal/crypto/src/openssl/signers/ecdsa_signer.rs
@@ -124,10 +124,7 @@ impl RawSigner for EcdsaSigner {
 
         self.cert_chain
             .iter()
-            .map(|cert| {
-                cert.to_der()
-                    .map_err(|e| RawSignerError::OpenSslError(e.to_string()))
-            })
+            .map(|cert| cert.to_der().map_err(|e| e.into()))
             .collect()
     }
 }

diff --git a/internal/crypto/src/openssl/signers/ed25519_signer.rs b/internal/crypto/src/openssl/signers/ed25519_signer.rs
@@ -89,10 +89,7 @@ impl RawSigner for Ed25519Signer {
 
         self.cert_chain
             .iter()
-            .map(|cert| {
-                cert.to_der()
-                    .map_err(|e| RawSignerError::OpenSslError(e.to_string()))
-            })
+            .map(|cert| cert.to_der().map_err(|e| e.into()))
             .collect()
     }
 }

diff --git a/internal/crypto/src/openssl/signers/rsa_signer.rs b/internal/crypto/src/openssl/signers/rsa_signer.rs
@@ -162,10 +162,7 @@ impl RawSigner for RsaSigner {
 
         self.cert_chain
             .iter()
-            .map(|cert| {
-                cert.to_der()
-                    .map_err(|e| RawSignerError::OpenSslError(e.to_string()))
-            })
+            .map(|cert| cert.to_der().map_err(|e| e.into()))
             .collect()
     }
 

diff --git a/internal/crypto/src/raw_signature/signer.rs b/internal/crypto/src/raw_signature/signer.rs
@@ -105,18 +105,9 @@ pub enum RawSignerError {
     #[error("I/O error ({0})")]
     IoError(String),
 
-    /// An error was reported by the OpenSSL native code.
-    ///
-    /// NOTE: We do not directly capture the OpenSSL error itself because it
-    /// lacks an `Eq` implementation. Instead we capture the error description.
-    #[cfg(feature = "openssl")]
-    #[error("an error was reported by OpenSSL native code: {0}")]
-    OpenSslError(String),
-
-    /// The OpenSSL native code mutex could not be acquired.
-    #[cfg(feature = "openssl")]
-    #[error(transparent)]
-    OpenSslMutexUnavailable(#[from] crate::openssl::OpenSslMutexUnavailable),
+    /// An error was reported by the underlying cryptography implementation.
+    #[error("an error was reported by the cryptography library: {0}")]
+    CryptoLibraryError(String),
 
     /// An unexpected internal error occured while requesting the time stamp
     /// response.
@@ -130,10 +121,17 @@ impl From<std::io::Error> for RawSignerError {
     }
 }
 
-#[cfg(feature = "openssl")]
+#[cfg(not(target_arch = "wasm32"))]
 impl From<openssl::error::ErrorStack> for RawSignerError {
     fn from(err: openssl::error::ErrorStack) -> Self {
-        Self::OpenSslError(err.to_string())
+        Self::CryptoLibraryError(err.to_string())
+    }
+}
+
+#[cfg(not(target_arch = "wasm32"))]
+impl From<crate::openssl::OpenSslMutexUnavailable> for RawSignerError {
+    fn from(err: crate::openssl::OpenSslMutexUnavailable) -> Self {
+        Self::InternalError(err.to_string())
     }
 }
 
@@ -167,7 +165,7 @@ pub fn signer_from_cert_chain_and_private_key(
     alg: SigningAlg,
     time_stamp_service_url: Option<String>,
 ) -> Result<Box<dyn RawSigner + Send + Sync>, RawSignerError> {
-    #[cfg(feature = "openssl")]
+    #[cfg(not(target_arch = "wasm32"))]
     {
         return crate::openssl::signers::signer_from_cert_chain_and_private_key(
             cert_chain,

diff --git a/internal/crypto/src/raw_signature/validator.rs b/internal/crypto/src/raw_signature/validator.rs
@@ -65,7 +65,7 @@ pub trait AsyncRawSignatureValidator {
 /// Which validators are available may vary depending on the platform and
 /// which crate features were enabled.
 pub fn validator_for_signing_alg(alg: SigningAlg) -> Option<Box<dyn RawSignatureValidator>> {
-    #[cfg(feature = "openssl")]
+    #[cfg(not(target_arch = "wasm32"))]
     if let Some(validator) = crate::openssl::validators::validator_for_signing_alg(alg) {
         return Some(validator);
     }
@@ -113,7 +113,7 @@ pub(crate) fn validator_for_sig_and_hash_algs(
     {
         // TO REVIEW: Do we need any of the RSA-PSS algorithms for this use case?
 
-        #[cfg(feature = "openssl")]
+        #[cfg(not(target_arch = "wasm32"))]
         if let Some(validator) =
             crate::openssl::validators::validator_for_sig_and_hash_algs(sig_alg, hash_alg)
         {
@@ -154,18 +154,9 @@ pub enum RawSignatureValidationError {
     #[error("the signature does not match the provided data or public key")]
     SignatureMismatch,
 
-    /// An error was reported by the OpenSSL native code.
-    ///
-    /// NOTE: We do not directly capture the OpenSSL error itself because it
-    /// lacks an Eq implementation. Instead we capture the error description.
-    #[cfg(feature = "openssl")]
-    #[error("an error was reported by OpenSSL native code: {0}")]
-    OpenSslError(String),
-
-    /// The OpenSSL native code mutex could not be acquired.
-    #[cfg(feature = "openssl")]
-    #[error(transparent)]
-    OpenSslMutexUnavailable(#[from] crate::openssl::OpenSslMutexUnavailable),
+    /// An error was reported by the underlying cryptography implementation.
+    #[error("an error was reported by the cryptography library: {0}")]
+    CryptoLibraryError(String),
 
     /// An invalid public key was provided.
     #[error("invalid public key")]
@@ -182,13 +173,20 @@ pub enum RawSignatureValidationError {
     /// An unexpected internal error occured while requesting the time stamp
     /// response.
     #[error("internal error ({0})")]
-    InternalError(&'static str),
+    InternalError(String),
 }
 
-#[cfg(feature = "openssl")]
+#[cfg(not(target_arch = "wasm32"))]
 impl From<openssl::error::ErrorStack> for RawSignatureValidationError {
     fn from(err: openssl::error::ErrorStack) -> Self {
-        Self::OpenSslError(err.to_string())
+        Self::CryptoLibraryError(err.to_string())
+    }
+}
+
+#[cfg(not(target_arch = "wasm32"))]
+impl From<crate::openssl::OpenSslMutexUnavailable> for RawSignatureValidationError {
+    fn from(err: crate::openssl::OpenSslMutexUnavailable) -> Self {
+        Self::InternalError(err.to_string())
     }
 }
 
@@ -197,10 +195,10 @@ impl From<crate::webcrypto::WasmCryptoError> for RawSignatureValidationError {
     fn from(err: crate::webcrypto::WasmCryptoError) -> Self {
         match err {
             crate::webcrypto::WasmCryptoError::UnknownContext => {
-                Self::InternalError("unknown WASM context")
+                Self::InternalError("unknown WASM context".to_string())
             }
             crate::webcrypto::WasmCryptoError::NoCryptoAvailable => {
-                Self::InternalError("WASM crypto unavailable")
+                Self::InternalError("WASM crypto unavailable".to_string())
             }
         }
     }

diff --git a/internal/crypto/src/tests/mod.rs b/internal/crypto/src/tests/mod.rs
@@ -27,7 +27,7 @@ mod hash;
 mod internal;
 mod ocsp;
 
-#[cfg(all(feature = "openssl", not(target_arch = "wasm32")))]
+#[cfg(not(target_arch = "wasm32"))]
 mod openssl;
 
 mod raw_signature;

diff --git a/internal/crypto/src/tests/raw_signature/mod.rs b/internal/crypto/src/tests/raw_signature/mod.rs
@@ -11,5 +11,4 @@
 // specific language governing permissions and limitations under
 // each license.
 
-#[cfg(any(target_arch = "wasm32", feature = "openssl"))]
 mod validator;
diff --git a/internal/crypto/src/time_stamp/verify.rs b/internal/crypto/src/time_stamp/verify.rs
@@ -28,6 +28,7 @@ use crate::{
             CertificateChoices::Certificate, SignerIdentifier, OID_MESSAGE_DIGEST, OID_SIGNING_TIME,
         },
     },
+    raw_signature::validator_for_sig_and_hash_algs,
     time_stamp::{
         response::{signed_data_from_time_stamp_response, tst_info_from_signed_data},
         TimeStampError,
@@ -235,37 +236,21 @@ pub(crate) fn verify_time_stamp(ts: &[u8], data: &[u8]) -> Result<TstInfo, TimeS
             .write_encoded(bcder::Mode::Der, &mut signing_key_der)?;
 
         // Verify signature of time stamp signature.
-        #[cfg(feature = "openssl")]
-        validate_timestamp_sig(sig_alg, hash_alg, sig_val, &tbs, &signing_key_der)?;
+        if _sync {
+            // IMPORTANT: The synchronous implementation of validate_timestamp_sync
+            // on WASM is unable to support _some_ signature algorithms. The async path
+            // should be used whenever possible (for WASM, at least).
+            validate_timestamp_sig(sig_alg, hash_alg, sig_val, &tbs, &signing_key_der)?;
+        } else {
+            #[cfg(not(target_arch = "wasm32"))]
+            validate_timestamp_sig(sig_alg, hash_alg, sig_val, &tbs, &signing_key_der)?;
 
-        #[cfg(not(feature = "openssl"))]
-        {
+            // NOTE: We're keeping the WASM-specific async path alive for now because it
+            // supports more signature algorithms. Look for future WASM platform to provide
+            // the opportunity to unify.
             #[cfg(target_arch = "wasm32")]
-            {
-                if _sync {
-                    // IMPORTANT: The synchronous implementation of validate_timestamp_sync
-                    // on WASM is unable to support _some_ signature algorithms. The async path
-                    // should be used whenever possible.
-                    validate_timestamp_sig(sig_alg, hash_alg, sig_val, &tbs, &signing_key_der)?;
-                } else {
-                    // NOTE: We're keeping the WASM-specific async path alive for now because it
-                    // supports more signature algorithms. Look for future WASM platform to provide
-                    // the opportunity to unify.
-                    validate_timestamp_sig_async(
-                        sig_alg,
-                        hash_alg,
-                        sig_val,
-                        &tbs,
-                        &signing_key_der,
-                    )
-                    .await?;
-                }
-            }
-
-            #[cfg(not(target_arch = "wasm32"))]
-            if true {
-                unimplemented!();
-            }
+            validate_timestamp_sig_async(sig_alg, hash_alg, sig_val, &tbs, &signing_key_der)
+                .await?;
         }
 
         // Make sure the time stamp's cert was valid for the stated signing time.
@@ -329,16 +314,13 @@ fn time_to_datetime(t: Time) -> DateTime<Utc> {
     }
 }
 
-#[cfg(any(feature = "openssl", target_arch = "wasm32"))]
 fn validate_timestamp_sig(
     sig_alg: &bcder::Oid,
     hash_alg: &bcder::Oid,
     sig_val: &OctetString,
     tbs: &[u8],
     signing_key_der: &[u8],
 ) -> Result<(), TimeStampError> {
-    use crate::raw_signature::validator_for_sig_and_hash_algs;
-
     let Some(validator) = validator_for_sig_and_hash_algs(sig_alg, hash_alg) else {
         return Err(TimeStampError::UnsupportedAlgorithm);
     };