Support cryptography module

.github/workflows/rust.yml

@@ -31,6 +31,21 @@ jobs:
     - name: Run tests
       run: cargo test --verbose
 
+        #  unix-tongsuo-test:
+        #    strategy:
+        #      matrix:
+        #        os:
+        #          - ubuntu-latest
+        #          - macos-latest
+        #    runs-on: ${{matrix.os}}
+        #
+        #    steps:
+        #    - uses: actions/checkout@v3
+        #    - name: Build
+        #      run : cargo build --verbose --features crypto_adaptor_tongsuo --no-default-features --config 'patch.crates-io.openssl.git="https://github.com/Tongsuo-Project/rust-tongsuo,git"' --config 'patch.crates-io.openssl-sys.git="https://github.com/Tongsuo-Project/rust-tongsuo.git"'
+        #    - name: Run tests
+        #      run : cargo test --verbose --features crypto_adaptor_tongsuo --no-default-features --config 'patch.crates-io.openssl.git="https://github.com/Tongsuo-Project/rust-tongsuo,git"' --config 'patch.crates-io.openssl-sys.git="https://github.com/Tongsuo-Project/rust-tongsuo.git"'
+
   unix-mysql-test:
     strategy:
       matrix:
@@ -113,7 +128,7 @@ jobs:
       with:
         toolchain: stable
     - name: install diesel_cli
-      run: cargo install diesel_cli --no-default-features --features mysql
+      run: cargo install diesel_cli --no-default-features --features mysql --features crypto_adaptor_openssl
     - name: init database
       run: diesel setup --database-url mysql://root:[email protected]:3306/vault
     - name: Build

Cargo.toml

@@ -25,8 +25,6 @@ serde_json = "^1.0"
 serde_bytes = "0.11"
 go-defer = "^0.1"
 rand = "^0.8"
-openssl = { version = "0.10" }
-openssl-sys = { version = "0.9" }
 derivative = "2.2.0"
 enum-map = "2.6.1"
 strum = { version = "0.25", features = ["derive"] }
@@ -61,12 +59,20 @@ serde_asn1_der = "0.8"
 base64 = "0.22"
 ipnetwork = "0.20"
 
-[patch.crates-io]
-openssl = { git = "https://github.com/Tongsuo-Project/rust-tongsuo.git" }
-openssl-sys = { git = "https://github.com/Tongsuo-Project/rust-tongsuo.git" }
+# optional dependencies
+openssl = { version = "0.10", optional = true }
+openssl-sys = { version = "0.9", optional = true }
+
+# uncomment the following lines to use Tongsuo as underlying crypto adaptor
+#[patch.crates-io]
+#openssl = { git = "https://github.com/Tongsuo-Project/rust-tongsuo.git" }
+#openssl-sys = { git = "https://github.com/Tongsuo-Project/rust-tongsuo.git" }
 
 [features]
+default = ["crypto_adaptor_openssl"]
 storage_mysql = ["diesel", "r2d2", "r2d2-diesel"]
+crypto_adaptor_openssl = ["dep:openssl", "dep:openssl-sys"]
+crypto_adaptor_tongsuo = ["dep:openssl", "dep:openssl-sys"]
 
 [target.'cfg(unix)'.dependencies]
 daemonize = "0.5"

build.rs

@@ -1,7 +1,52 @@
 use std::env;
 
+// This is not going to happen any more since we have a default feature definition in Cargo.toml
+//#[cfg(not(any(feature = "crypto_adaptor_openssl", feature = "crypto_adaptor_tongsuo")))]
+//compile_error! {
+//    r#"
+//    No cryptography adaptor is enabled!
+//
+//    In RustyVault, the real cryptographic operations are done via "crypto_adaptor"s.
+//
+//    A crypto adaptor is a module that conveys and translates high level cryptography
+//    operations like encryption, signing into the APIs provided by underlying cryptography
+//    libraries such as OpenSSL, Tongsuo and so forth.
+//
+//    At current stage, only one crypto_adaptor can be enabled at compilation phase and later
+//    be used at run-time. "crypto_adaptor"s are configured as 'feature's in the Cargo context.
+//
+//    Currently, the supported feature names of crypto adaptors are as follows, you can enable
+//    them by adding one '--features crypto_adaptor_name' option when running "cargo build":
+//        1. the OpenSSL adaptor: crypto_adaptor_openssl
+//        2. the Tongsuo adaptor: crypto_adaptor_tongsuo
+//    "#
+//}
+
+#[cfg(all(feature = "crypto_adaptor_openssl", feature = "crypto_adaptor_tongsuo"))]
+compile_error! {
+    r#"
+    Only one cryptography adapator can be enabled!
+
+    In RustyVault, the real cryptographic operations are done via "crypto_adaptor"s.
+
+    A crypto adaptor is a module that conveys and translates high level cryptography
+    operations like encryption, signing into the APIs provided by underlying cryptography
+    libraries such as OpenSSL, Tongsuo and so forth.
+
+    At current stage, only one crypto_adaptor can be enabled at compilation phase and later
+    be used at run-time. "crypto_adaptor"s are configured as 'feature's in the Cargo context.
+
+    Currently, the supported feature names of crypto adaptors are as follows, you can enable
+    them by adding one '--features crypto_adaptor_name' option when running "cargo build":
+        1. the OpenSSL adaptor: crypto_adaptor_openssl
+        2. the Tongsuo adaptor: crypto_adaptor_tongsuo
+    "#
+}
+
 fn main() {
     if let Ok(_) = env::var("DEP_OPENSSL_TONGSUO") {
         println!("cargo:rustc-cfg=tongsuo");
+    } else if cfg!(feature = "crypto_adaptor_tongsuo") {
+        println!("cargo:rustc-cfg=tongsuo");
     }
 }

src/errors.rs

@@ -12,6 +12,20 @@ use thiserror::Error;
 
 #[derive(Error, Debug)]
 pub enum RvError {
+    #[error("Cipher operation update failed.")]
+    ErrCryptoCipherUpdateFailed,
+    #[error("Cipher operation finalization failed.")]
+    ErrCryptoCipherFinalizeFailed,
+    #[error("Cipher initialization failed.")]
+    ErrCryptoCipherInitFailed,
+    #[error("Cipher not initialized.")]
+    ErrCryptoCipherNotInited,
+    #[error("Cipher operation not supported.")]
+    ErrCryptoCipherOPNotSupported,
+    #[error("AEAD Cipher tag is missing.")]
+    ErrCryptoCipherNoTag,
+    #[error("AEAD Cipher tag should not be present.")]
+    ErrCryptoCipherAEADTagPresent,
     #[error("Config path is invalid.")]
     ErrConfigPathInvalid,
     #[error("Config load failed.")]
@@ -274,7 +288,14 @@ pub enum RvError {
 impl PartialEq for RvError {
     fn eq(&self, other: &Self) -> bool {
         match (self, other) {
-            (RvError::ErrCoreLogicalBackendExist, RvError::ErrCoreLogicalBackendExist)
+            (RvError::ErrCryptoCipherUpdateFailed, RvError::ErrCryptoCipherUpdateFailed)
+            | (RvError::ErrCryptoCipherFinalizeFailed, RvError::ErrCryptoCipherFinalizeFailed)
+            | (RvError::ErrCryptoCipherInitFailed, RvError::ErrCryptoCipherInitFailed)
+            | (RvError::ErrCryptoCipherNotInited, RvError::ErrCryptoCipherNotInited)
+            | (RvError::ErrCryptoCipherOPNotSupported, RvError::ErrCryptoCipherOPNotSupported)
+            | (RvError::ErrCryptoCipherNoTag, RvError::ErrCryptoCipherNoTag)
+            | (RvError::ErrCryptoCipherAEADTagPresent, RvError::ErrCryptoCipherAEADTagPresent)
+            | (RvError::ErrCoreLogicalBackendExist, RvError::ErrCoreLogicalBackendExist)
             | (RvError::ErrCoreNotInit, RvError::ErrCoreNotInit)
             | (RvError::ErrCoreLogicalBackendNoExist, RvError::ErrCoreLogicalBackendNoExist)
             | (RvError::ErrCoreSealConfigInvalid, RvError::ErrCoreSealConfigInvalid)

src/modules/crypto/crypto_adaptors/mod.rs

@@ -0,0 +1,11 @@
+//! This is a Rust module that contains several adaptors to different cryptography libraries.
+//! The rusty_vault::crypto module utilize these adaptors to do the real crypto operations.
+//!
+//! Only one crypto adaptor can be used in one build. It's configured when building RustyVault.
+//! An adaptor implements a set of methods that perform cryptograhpy operations like encryption,
+//! decription, signing, verification and so on.
+
+#[cfg(feature = "crypto_adaptor_openssl")]
+pub mod openssl_adaptor;
+#[cfg(feature = "crypto_adaptor_tongsuo")]
+pub mod tongsuo_adaptor;