Skip to main content

CryptoProvider

Trait CryptoProvider 

Source
pub trait CryptoProvider: Send + Sync {
Show 20 methods // Required methods fn verify_ed25519<'life0, 'life1, 'life2, 'life3, 'async_trait>( &'life0 self, pubkey: &'life1 [u8], message: &'life2 [u8], signature: &'life3 [u8], ) -> Pin<Box<dyn Future<Output = Result<(), CryptoError>> + Send + 'async_trait>> where 'life0: 'async_trait, 'life1: 'async_trait, 'life2: 'async_trait, 'life3: 'async_trait, Self: 'async_trait; fn sign_ed25519<'life0, 'life1, 'life2, 'async_trait>( &'life0 self, seed: &'life1 SecureSeed, message: &'life2 [u8], ) -> Pin<Box<dyn Future<Output = Result<Vec<u8>, CryptoError>> + Send + 'async_trait>> where 'life0: 'async_trait, 'life1: 'async_trait, 'life2: 'async_trait, Self: 'async_trait; fn generate_ed25519_keypair<'life0, 'async_trait>( &'life0 self, ) -> Pin<Box<dyn Future<Output = Result<(SecureSeed, [u8; 32]), CryptoError>> + Send + 'async_trait>> where 'life0: 'async_trait, Self: 'async_trait; fn ed25519_public_key_from_seed<'life0, 'life1, 'async_trait>( &'life0 self, seed: &'life1 SecureSeed, ) -> Pin<Box<dyn Future<Output = Result<[u8; 32], CryptoError>> + Send + 'async_trait>> where 'life0: 'async_trait, 'life1: 'async_trait, Self: 'async_trait; // Provided methods fn verify_p256<'life0, 'life1, 'life2, 'life3, 'async_trait>( &'life0 self, _pubkey: &'life1 [u8], _message: &'life2 [u8], _signature: &'life3 [u8], ) -> Pin<Box<dyn Future<Output = Result<(), CryptoError>> + Send + 'async_trait>> where 'life0: 'async_trait, 'life1: 'async_trait, 'life2: 'async_trait, 'life3: 'async_trait, Self: 'async_trait { ... } fn sign_p256<'life0, 'life1, 'life2, 'async_trait>( &'life0 self, _seed: &'life1 SecureSeed, _message: &'life2 [u8], ) -> Pin<Box<dyn Future<Output = Result<Vec<u8>, CryptoError>> + Send + 'async_trait>> where 'life0: 'async_trait, 'life1: 'async_trait, 'life2: 'async_trait, Self: 'async_trait { ... } fn generate_p256_keypair<'life0, 'async_trait>( &'life0 self, ) -> Pin<Box<dyn Future<Output = Result<(SecureSeed, Vec<u8>), CryptoError>> + Send + 'async_trait>> where 'life0: 'async_trait, Self: 'async_trait { ... } fn p256_public_key_from_seed<'life0, 'life1, 'async_trait>( &'life0 self, _seed: &'life1 SecureSeed, ) -> Pin<Box<dyn Future<Output = Result<Vec<u8>, CryptoError>> + Send + 'async_trait>> where 'life0: 'async_trait, 'life1: 'async_trait, Self: 'async_trait { ... } fn aead_encrypt<'life0, 'life1, 'life2, 'life3, 'life4, 'async_trait>( &'life0 self, _key: &'life1 [u8; 32], _nonce: &'life2 [u8; 12], _aad: &'life3 [u8], _plaintext: &'life4 [u8], ) -> Pin<Box<dyn Future<Output = Result<Vec<u8>, CryptoError>> + Send + 'async_trait>> where 'life0: 'async_trait, 'life1: 'async_trait, 'life2: 'async_trait, 'life3: 'async_trait, 'life4: 'async_trait, Self: 'async_trait { ... } fn aead_decrypt<'life0, 'life1, 'life2, 'life3, 'life4, 'async_trait>( &'life0 self, _key: &'life1 [u8; 32], _nonce: &'life2 [u8; 12], _aad: &'life3 [u8], _ciphertext: &'life4 [u8], ) -> Pin<Box<dyn Future<Output = Result<Vec<u8>, CryptoError>> + Send + 'async_trait>> where 'life0: 'async_trait, 'life1: 'async_trait, 'life2: 'async_trait, 'life3: 'async_trait, 'life4: 'async_trait, Self: 'async_trait { ... } fn hkdf_sha256_expand<'life0, 'life1, 'life2, 'life3, 'async_trait>( &'life0 self, _ikm: &'life1 [u8], _salt: &'life2 [u8], _info: &'life3 [u8], _out_len: usize, ) -> Pin<Box<dyn Future<Output = Result<Vec<u8>, CryptoError>> + Send + 'async_trait>> where 'life0: 'async_trait, 'life1: 'async_trait, 'life2: 'async_trait, 'life3: 'async_trait, Self: 'async_trait { ... } fn hkdf_sha384_expand<'life0, 'life1, 'life2, 'life3, 'async_trait>( &'life0 self, _ikm: &'life1 [u8], _salt: &'life2 [u8], _info: &'life3 [u8], _out_len: usize, ) -> Pin<Box<dyn Future<Output = Result<Vec<u8>, CryptoError>> + Send + 'async_trait>> where 'life0: 'async_trait, 'life1: 'async_trait, 'life2: 'async_trait, 'life3: 'async_trait, Self: 'async_trait { ... } fn hmac_sha256_compute<'life0, 'life1, 'life2, 'async_trait>( &'life0 self, _key: &'life1 [u8], _msg: &'life2 [u8], ) -> Pin<Box<dyn Future<Output = Result<[u8; 32], CryptoError>> + Send + 'async_trait>> where 'life0: 'async_trait, 'life1: 'async_trait, 'life2: 'async_trait, Self: 'async_trait { ... } fn hmac_sha256_verify<'life0, 'life1, 'life2, 'life3, 'async_trait>( &'life0 self, _key: &'life1 [u8], _msg: &'life2 [u8], _tag: &'life3 [u8], ) -> Pin<Box<dyn Future<Output = Result<(), CryptoError>> + Send + 'async_trait>> where 'life0: 'async_trait, 'life1: 'async_trait, 'life2: 'async_trait, 'life3: 'async_trait, Self: 'async_trait { ... } fn hmac_sha384_compute<'life0, 'life1, 'life2, 'async_trait>( &'life0 self, _key: &'life1 [u8], _msg: &'life2 [u8], ) -> Pin<Box<dyn Future<Output = Result<[u8; 48], CryptoError>> + Send + 'async_trait>> where 'life0: 'async_trait, 'life1: 'async_trait, 'life2: 'async_trait, Self: 'async_trait { ... } fn hmac_sha384_verify<'life0, 'life1, 'life2, 'life3, 'async_trait>( &'life0 self, _key: &'life1 [u8], _msg: &'life2 [u8], _tag: &'life3 [u8], ) -> Pin<Box<dyn Future<Output = Result<(), CryptoError>> + Send + 'async_trait>> where 'life0: 'async_trait, 'life1: 'async_trait, 'life2: 'async_trait, 'life3: 'async_trait, Self: 'async_trait { ... } fn sign_typed<'life0, 'life1, 'life2, 'async_trait>( &'life0 self, seed: &'life1 TypedSeed, message: &'life2 [u8], ) -> Pin<Box<dyn Future<Output = Result<Vec<u8>, CryptoError>> + Send + 'async_trait>> where 'life0: 'async_trait, 'life1: 'async_trait, 'life2: 'async_trait, Self: 'async_trait { ... } fn verify_typed<'life0, 'life1, 'life2, 'life3, 'async_trait>( &'life0 self, curve: CurveType, pubkey: &'life1 [u8], message: &'life2 [u8], signature: &'life3 [u8], ) -> Pin<Box<dyn Future<Output = Result<(), CryptoError>> + Send + 'async_trait>> where 'life0: 'async_trait, 'life1: 'async_trait, 'life2: 'async_trait, 'life3: 'async_trait, Self: 'async_trait { ... } fn generate_typed_keypair<'life0, 'async_trait>( &'life0 self, curve: CurveType, ) -> Pin<Box<dyn Future<Output = Result<(TypedSeed, Vec<u8>), CryptoError>> + Send + 'async_trait>> where 'life0: 'async_trait, Self: 'async_trait { ... } fn typed_public_key_from_seed<'life0, 'life1, 'async_trait>( &'life0 self, seed: &'life1 TypedSeed, ) -> Pin<Box<dyn Future<Output = Result<Vec<u8>, CryptoError>> + Send + 'async_trait>> where 'life0: 'async_trait, 'life1: 'async_trait, Self: 'async_trait { ... }
}
Expand description

Curve-agnostic abstraction for cryptographic operations across target architectures.

All method signatures use primitive Rust types or SecureSeed — no ring-specific types. This ensures domain crates (auths-core, auths-sdk) compile without any ring dependency.

Usage:

use auths_crypto::CryptoProvider;

async fn roundtrip(provider: &dyn CryptoProvider) {
    let (seed, pk) = provider.generate_ed25519_keypair().await.unwrap();
    let sig = provider.sign_ed25519(&seed, b"msg").await.unwrap();
    provider.verify_ed25519(&pk, b"msg", &sig).await.unwrap();
}

Required Methods§

Source

fn verify_ed25519<'life0, 'life1, 'life2, 'life3, 'async_trait>( &'life0 self, pubkey: &'life1 [u8], message: &'life2 [u8], signature: &'life3 [u8], ) -> Pin<Box<dyn Future<Output = Result<(), CryptoError>> + Send + 'async_trait>>
where 'life0: 'async_trait, 'life1: 'async_trait, 'life2: 'async_trait, 'life3: 'async_trait, Self: 'async_trait,

Verify an Ed25519 signature against a public key and message.

Source

fn sign_ed25519<'life0, 'life1, 'life2, 'async_trait>( &'life0 self, seed: &'life1 SecureSeed, message: &'life2 [u8], ) -> Pin<Box<dyn Future<Output = Result<Vec<u8>, CryptoError>> + Send + 'async_trait>>
where 'life0: 'async_trait, 'life1: 'async_trait, 'life2: 'async_trait, Self: 'async_trait,

Sign a message using a raw 32-byte Ed25519 seed.

The provider materializes the internal keypair from the seed on each call. This trades minor CPU overhead for a pure, ring-free domain layer.

Args:

  • seed: Raw 32-byte Ed25519 private key seed.
  • message: The data to sign.

Usage:

let sig = provider.sign_ed25519(&seed, b"hello").await?;
assert_eq!(sig.len(), 64);
Source

fn generate_ed25519_keypair<'life0, 'async_trait>( &'life0 self, ) -> Pin<Box<dyn Future<Output = Result<(SecureSeed, [u8; 32]), CryptoError>> + Send + 'async_trait>>
where 'life0: 'async_trait, Self: 'async_trait,

Generate a fresh Ed25519 keypair.

Returns the raw 32-byte seed and 32-byte public key.

Usage:

let (seed, pubkey) = provider.generate_ed25519_keypair().await?;
assert_eq!(pubkey.len(), 32);
Source

fn ed25519_public_key_from_seed<'life0, 'life1, 'async_trait>( &'life0 self, seed: &'life1 SecureSeed, ) -> Pin<Box<dyn Future<Output = Result<[u8; 32], CryptoError>> + Send + 'async_trait>>
where 'life0: 'async_trait, 'life1: 'async_trait, Self: 'async_trait,

Derive the 32-byte public key from a raw seed.

Args:

  • seed: Raw 32-byte Ed25519 private key seed.

Usage:

let pk = provider.ed25519_public_key_from_seed(&seed).await?;
assert_eq!(pk.len(), 32);

Provided Methods§

Source

fn verify_p256<'life0, 'life1, 'life2, 'life3, 'async_trait>( &'life0 self, _pubkey: &'life1 [u8], _message: &'life2 [u8], _signature: &'life3 [u8], ) -> Pin<Box<dyn Future<Output = Result<(), CryptoError>> + Send + 'async_trait>>
where 'life0: 'async_trait, 'life1: 'async_trait, 'life2: 'async_trait, 'life3: 'async_trait, Self: 'async_trait,

Verify an ECDSA P-256 signature (r||s, 64 bytes) against a public key (33-byte compressed or 65-byte uncompressed SEC1) and message.

Default impl returns UnsupportedTarget; override in providers that support P-256 (RingCryptoProvider via p256 crate on native, WebCryptoProvider via SubtleCrypto.verify("ECDSA", …) on WASM).

Source

fn sign_p256<'life0, 'life1, 'life2, 'async_trait>( &'life0 self, _seed: &'life1 SecureSeed, _message: &'life2 [u8], ) -> Pin<Box<dyn Future<Output = Result<Vec<u8>, CryptoError>> + Send + 'async_trait>>
where 'life0: 'async_trait, 'life1: 'async_trait, 'life2: 'async_trait, Self: 'async_trait,

Sign a message using a raw 32-byte P-256 scalar seed. Deterministic ECDSA per RFC 6979. Returns a 64-byte compact r||s signature.

Args:

  • seed: Raw 32-byte P-256 private scalar.
  • message: The data to sign.

Usage:

let sig = provider.sign_p256(&seed, b"hello").await?;
assert_eq!(sig.len(), P256_SIGNATURE_LEN);
Source

fn generate_p256_keypair<'life0, 'async_trait>( &'life0 self, ) -> Pin<Box<dyn Future<Output = Result<(SecureSeed, Vec<u8>), CryptoError>> + Send + 'async_trait>>
where 'life0: 'async_trait, Self: 'async_trait,

Generate a fresh P-256 keypair. Returns the raw 32-byte scalar seed and the 33-byte SEC1 compressed public key.

Usage:

let (seed, pubkey) = provider.generate_p256_keypair().await?;
assert_eq!(pubkey.len(), P256_PUBLIC_KEY_LEN);
Source

fn p256_public_key_from_seed<'life0, 'life1, 'async_trait>( &'life0 self, _seed: &'life1 SecureSeed, ) -> Pin<Box<dyn Future<Output = Result<Vec<u8>, CryptoError>> + Send + 'async_trait>>
where 'life0: 'async_trait, 'life1: 'async_trait, Self: 'async_trait,

Derive the 33-byte SEC1 compressed P-256 public key from a raw seed.

Args:

  • seed: Raw 32-byte P-256 private scalar.

Usage:

let pk = provider.p256_public_key_from_seed(&seed).await?;
assert_eq!(pk.len(), P256_PUBLIC_KEY_LEN);
Source

fn aead_encrypt<'life0, 'life1, 'life2, 'life3, 'life4, 'async_trait>( &'life0 self, _key: &'life1 [u8; 32], _nonce: &'life2 [u8; 12], _aad: &'life3 [u8], _plaintext: &'life4 [u8], ) -> Pin<Box<dyn Future<Output = Result<Vec<u8>, CryptoError>> + Send + 'async_trait>>
where 'life0: 'async_trait, 'life1: 'async_trait, 'life2: 'async_trait, 'life3: 'async_trait, 'life4: 'async_trait, Self: 'async_trait,

Encrypt plaintext under a 256-bit symmetric key with a 96-bit nonce and Additional Authenticated Data (AAD). Output is ciphertext || tag (tag is 16 bytes for both ChaCha20-Poly1305 and AES-256-GCM).

Algorithm selection is compile-time via Cargo feature:

  • default build: ChaCha20-Poly1305
  • cnsa feature (fn-128.T4): AES-256-GCM

Args:

  • key: 32-byte symmetric key.
  • nonce: 12-byte per-message nonce; MUST NOT repeat under the same key.
  • aad: Additional authenticated data (authenticated but not encrypted).
  • plaintext: Bytes to encrypt.

Usage:

let ct = provider.aead_encrypt(&key, &nonce, b"session:1", b"secret").await?;
Source

fn aead_decrypt<'life0, 'life1, 'life2, 'life3, 'life4, 'async_trait>( &'life0 self, _key: &'life1 [u8; 32], _nonce: &'life2 [u8; 12], _aad: &'life3 [u8], _ciphertext: &'life4 [u8], ) -> Pin<Box<dyn Future<Output = Result<Vec<u8>, CryptoError>> + Send + 'async_trait>>
where 'life0: 'async_trait, 'life1: 'async_trait, 'life2: 'async_trait, 'life3: 'async_trait, 'life4: 'async_trait, Self: 'async_trait,

Decrypt ciphertext (ct || tag) under a 256-bit symmetric key, 96-bit nonce, and matching AAD. Returns the plaintext on success; InvalidSignature on tag mismatch.

Args:

  • key: 32-byte symmetric key.
  • nonce: 12-byte nonce (must match the one used at encryption).
  • aad: Additional authenticated data (must match encryption AAD byte-for-byte).
  • ciphertext: encrypt output (ct || tag).

Usage:

let pt = provider.aead_decrypt(&key, &nonce, b"session:1", &ct).await?;
Source

fn hkdf_sha256_expand<'life0, 'life1, 'life2, 'life3, 'async_trait>( &'life0 self, _ikm: &'life1 [u8], _salt: &'life2 [u8], _info: &'life3 [u8], _out_len: usize, ) -> Pin<Box<dyn Future<Output = Result<Vec<u8>, CryptoError>> + Send + 'async_trait>>
where 'life0: 'async_trait, 'life1: 'async_trait, 'life2: 'async_trait, 'life3: 'async_trait, Self: 'async_trait,

One-shot HKDF-SHA256 extract-then-expand (RFC 5869).

Args:

  • ikm: Input keying material (secret).
  • salt: Non-secret salt (empty slice is acceptable).
  • info: Domain-separating context tag.
  • out_len: Desired output length in bytes (max 255 × 32 = 8160).

Usage:

let okm = provider.hkdf_sha256_expand(&ikm, &salt, b"my-proto-v1", 32).await?;
Source

fn hkdf_sha384_expand<'life0, 'life1, 'life2, 'life3, 'async_trait>( &'life0 self, _ikm: &'life1 [u8], _salt: &'life2 [u8], _info: &'life3 [u8], _out_len: usize, ) -> Pin<Box<dyn Future<Output = Result<Vec<u8>, CryptoError>> + Send + 'async_trait>>
where 'life0: 'async_trait, 'life1: 'async_trait, 'life2: 'async_trait, 'life3: 'async_trait, Self: 'async_trait,

One-shot HKDF-SHA384 extract-then-expand. Same shape as [hkdf_sha256_expand] but with SHA-384 as the underlying hash. CNSA 2.0 requires SHA-384 for NSS workloads; default builds may return CryptoError::UnsupportedTarget if SHA-384 is not available.

Max output length is 255 × 48 = 12240 bytes.

Source

fn hmac_sha256_compute<'life0, 'life1, 'life2, 'async_trait>( &'life0 self, _key: &'life1 [u8], _msg: &'life2 [u8], ) -> Pin<Box<dyn Future<Output = Result<[u8; 32], CryptoError>> + Send + 'async_trait>>
where 'life0: 'async_trait, 'life1: 'async_trait, 'life2: 'async_trait, Self: 'async_trait,

Compute HMAC-SHA256 over msg under key. Returns a 32-byte tag.

Args:

  • key: MAC key (any length; HMAC hashes over-long keys internally).
  • msg: Bytes to authenticate.

Usage:

let tag = provider.hmac_sha256_compute(&key, b"GET\n/path\n...").await?;
Source

fn hmac_sha256_verify<'life0, 'life1, 'life2, 'life3, 'async_trait>( &'life0 self, _key: &'life1 [u8], _msg: &'life2 [u8], _tag: &'life3 [u8], ) -> Pin<Box<dyn Future<Output = Result<(), CryptoError>> + Send + 'async_trait>>
where 'life0: 'async_trait, 'life1: 'async_trait, 'life2: 'async_trait, 'life3: 'async_trait, Self: 'async_trait,

Verify an HMAC-SHA256 tag over msg under key, constant-time.

Returns Ok(()) on match, Err(CryptoError::InvalidSignature) on mismatch. Implementations MUST use a constant-time comparator (subtle::ct_eq, ring::constant_time, or equivalent).

Args:

  • key: MAC key used at compute time.
  • msg: Bytes whose authenticity is being checked.
  • tag: Claimed 32-byte tag.

Usage:

provider.hmac_sha256_verify(&key, &msg, &claimed_tag).await?;
Source

fn hmac_sha384_compute<'life0, 'life1, 'life2, 'async_trait>( &'life0 self, _key: &'life1 [u8], _msg: &'life2 [u8], ) -> Pin<Box<dyn Future<Output = Result<[u8; 48], CryptoError>> + Send + 'async_trait>>
where 'life0: 'async_trait, 'life1: 'async_trait, 'life2: 'async_trait, Self: 'async_trait,

Compute HMAC-SHA384 over msg under key. Returns a 48-byte tag. CNSA counterpart of [hmac_sha256_compute].

Source

fn hmac_sha384_verify<'life0, 'life1, 'life2, 'life3, 'async_trait>( &'life0 self, _key: &'life1 [u8], _msg: &'life2 [u8], _tag: &'life3 [u8], ) -> Pin<Box<dyn Future<Output = Result<(), CryptoError>> + Send + 'async_trait>>
where 'life0: 'async_trait, 'life1: 'async_trait, 'life2: 'async_trait, 'life3: 'async_trait, Self: 'async_trait,

Verify an HMAC-SHA384 tag over msg under key, constant-time. CNSA counterpart of [hmac_sha256_verify].

Source

fn sign_typed<'life0, 'life1, 'life2, 'async_trait>( &'life0 self, seed: &'life1 TypedSeed, message: &'life2 [u8], ) -> Pin<Box<dyn Future<Output = Result<Vec<u8>, CryptoError>> + Send + 'async_trait>>
where 'life0: 'async_trait, 'life1: 'async_trait, 'life2: 'async_trait, Self: 'async_trait,

Sign a message using a curve-carrying seed. Dispatches internally based on seed.curve(); the caller never sees a curve-specific method.

Args:

  • seed: Typed seed carrying its curve tag.
  • message: Bytes to sign.

Usage:

let sig = provider.sign_typed(&typed_seed, message).await?;
Source

fn verify_typed<'life0, 'life1, 'life2, 'life3, 'async_trait>( &'life0 self, curve: CurveType, pubkey: &'life1 [u8], message: &'life2 [u8], signature: &'life3 [u8], ) -> Pin<Box<dyn Future<Output = Result<(), CryptoError>> + Send + 'async_trait>>
where 'life0: 'async_trait, 'life1: 'async_trait, 'life2: 'async_trait, 'life3: 'async_trait, Self: 'async_trait,

Verify a signature using a curve and raw public-key bytes. Dispatches internally; callers never see a curve-specific method.

Args:

  • curve: The curve the public key belongs to.
  • pubkey: Raw public-key bytes (length validated by the curve-specific primitive).
  • message: Bytes the signature is over.
  • signature: Signature bytes to verify.

Usage:

provider.verify_typed(curve, &pk_bytes, msg, &sig).await?;
Source

fn generate_typed_keypair<'life0, 'async_trait>( &'life0 self, curve: CurveType, ) -> Pin<Box<dyn Future<Output = Result<(TypedSeed, Vec<u8>), CryptoError>> + Send + 'async_trait>>
where 'life0: 'async_trait, Self: 'async_trait,

Generate a keypair for the requested curve. Returns a curve-tagged crate::key_ops::TypedSeed plus raw public-key bytes.

Args:

  • curve: Which curve to generate for.

Usage:

let (typed_seed, pubkey_bytes) = provider.generate_typed_keypair(curve).await?;
Source

fn typed_public_key_from_seed<'life0, 'life1, 'async_trait>( &'life0 self, seed: &'life1 TypedSeed, ) -> Pin<Box<dyn Future<Output = Result<Vec<u8>, CryptoError>> + Send + 'async_trait>>
where 'life0: 'async_trait, 'life1: 'async_trait, Self: 'async_trait,

Derive the public key from a curve-tagged seed.

Args:

  • seed: Typed seed.

Usage:

let pk_bytes = provider.typed_public_key_from_seed(&typed_seed).await?;

Dyn Compatibility§

This trait is dyn compatible.

In older versions of Rust, dyn compatibility was called "object safety".

Implementors§