cf-modkit 0.6.2

Core ModKit library
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29

use std::sync::Once;

static INSTALLED: Once = Once::new();

/// Install the FIPS-validated AWS-LC crypto provider as the process-wide default.
///
/// This **must** be called before any TLS configuration, HTTP client, database
/// connection, or JWT operation is created. It sets the global [`rustls::crypto::CryptoProvider`]
/// that all downstream consumers (rustls, sqlx, jsonwebtoken, pingora, etc.) will use.
///
/// Outputs to stderr (always visible, even before tracing is initialized) and
/// to `tracing::info!` (visible in structured logs if a subscriber is active).
///
/// # Process exit
///
/// Exits with code 1 if another crypto provider has already been installed.
pub fn init_fips_crypto_provider() {
    INSTALLED.call_once(|| {
        if let Err(_existing) = rustls::crypto::default_fips_provider().install_default() {
            eprintln!(
                "[FIPS] FATAL: failed to install FIPS crypto provider - another provider is already installed"
            );
            std::process::exit(1);
        }

        eprintln!("[FIPS] FIPS-140-3 crypto provider installed (AWS-LC FIPS module)");
        tracing::info!("FIPS-140-3 crypto provider installed (AWS-LC FIPS module)");
    });
}