oxicrypto_adapter_aws_lc/lib.rs
1//! `oxicrypto-adapter-aws-lc` — OxiCrypto adapter backed by `aws-lc-rs`.
2//!
3//! This crate exposes no types by default. Enable the `aws-lc` feature to
4//! activate the AEAD, signature, hash, HKDF, and HMAC implementations backed
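5//! by the FIPS-validated `aws-lc-rs` library. FIPS validation covers the AWS-LC FIPS module, which `aws-lc-rs` uses only when it is built with its own `fips` feature; whether this adapter's `aws-lc` flag turns that on is not stated here, so verify it before making a compliance claim.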
6//!
7//! # Feature flags
8//!
9//! | Flag | Default | Description |
10//! |------|---------|-------------|
11//! | `aws-lc` | off | Enable aws-lc-rs backed implementations. |
12//!
13//! # Example
14//!
15//! ```rust
16//! # #[cfg(feature = "aws-lc")]
17//! # {
18//! use oxicrypto_adapter_aws_lc::aead::AwsLcAead;
19//! use oxicrypto_core::Aead;
20//!
21//! let cipher = AwsLcAead::aes256_gcm();
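21//! let key = vec![0u8; cipher.key_len()]; // demo only: real keys must come from a CSPRNG or a KDF
22//! let nonce = vec![0u8; cipher.nonce_len()]; // demo only: a nonce must never repeat under the same key
23//! let mut ct = vec![0u8; 0 + cipher.tag_len()]; // empty plaintext (0 bytes) plus room for the tag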
25//! cipher.seal(&key, &nonce, b"", b"", &mut ct).expect("seal ok");
26//! # }
27//! ```
28
29#[cfg(feature = "aws-lc")]
30pub mod aead;
31
32#[cfg(feature = "aws-lc")]
33pub mod hash;
34
35#[cfg(feature = "aws-lc")]
36pub mod hkdf;
37
38#[cfg(feature = "aws-lc")]
39pub mod mac;
40
41#[cfg(feature = "aws-lc")]
42pub mod sign;
43
44// ── AwsLcCryptoProvider ───────────────────────────────────────────────────────
45
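/// Zero-sized aggregate of every `aws-lc-rs` backed algorithm implementation.
///
/// Each associated function is a factory that returns the adapter type for one
/// primitive, so a caller can be handed "the aws-lc-rs provider" (for example
/// through dependency injection) without importing the individual types.
/// The type and all of its functions exist only when the `aws-lc` feature is
/// enabled.
///
/// Selecting a primitive here does not choose keys, nonces or salts: in the
/// crate-level example the caller passes the key and the nonce to `seal`
/// itself, so their quality and uniqueness are the caller's responsibility.
///
/// `Debug`, `Clone`, `Copy` and `Default` are derived so the provider can be
/// logged, stored in configuration structs and default-constructed. The type
/// has no fields, so none of these impls can expose key material.
#[cfg(feature = "aws-lc")]
#[derive(Debug, Clone, Copy, Default)]
pub struct AwsLcCryptoProvider;

#[cfg(feature = "aws-lc")]
impl AwsLcCryptoProvider {
    // ── AEAD ──────────────────────────────────────────────────────────────────

    /// Returns the AES-128-GCM AEAD adapter (`aead::AwsLcAead::aes128_gcm`).
    ///
    /// AES-GCM loses both confidentiality and authenticity if a nonce is
    /// repeated under the same key; see [`Self::aes256_gcm_siv`] when nonce
    /// uniqueness cannot be guaranteed.
    #[must_use]
    pub fn aes128_gcm() -> aead::AwsLcAead {
        aead::AwsLcAead::aes128_gcm()
    }

    /// Returns the AES-256-GCM AEAD adapter (`aead::AwsLcAead::aes256_gcm`).
    ///
    /// The same nonce rule as for AES-128-GCM applies: never reuse a nonce
    /// with one key.
    #[must_use]
    pub fn aes256_gcm() -> aead::AwsLcAead {
        aead::AwsLcAead::aes256_gcm()
    }

    /// Returns the AES-256-GCM-SIV AEAD adapter
    /// (`aead::AwsLcAead::aes256_gcm_siv`).
    ///
    /// GCM-SIV (RFC 8452) is designed to limit the damage of an accidental
    /// nonce repeat; unique nonces are still the intended use.
    #[must_use]
    pub fn aes256_gcm_siv() -> aead::AwsLcAead {
        aead::AwsLcAead::aes256_gcm_siv()
    }

    /// Returns the ChaCha20-Poly1305 AEAD adapter
    /// (`aead::AwsLcAead::chacha20_poly1305`).
    ///
    /// As with AES-GCM, a nonce must never be reused under the same key.
    #[must_use]
    pub fn chacha20_poly1305() -> aead::AwsLcAead {
        aead::AwsLcAead::chacha20_poly1305()
    }

    // ── Hash ──────────────────────────────────────────────────────────────────

    /// Returns the SHA-256 hash adapter, the unit value `hash::AwsLcSha256`.
    #[must_use]
    pub fn sha256() -> hash::AwsLcSha256 {
        hash::AwsLcSha256
    }

    /// Returns the SHA-384 hash adapter, the unit value `hash::AwsLcSha384`.
    #[must_use]
    pub fn sha384() -> hash::AwsLcSha384 {
        hash::AwsLcSha384
    }

    /// Returns the SHA-512 hash adapter, the unit value `hash::AwsLcSha512`.
    #[must_use]
    pub fn sha512() -> hash::AwsLcSha512 {
        hash::AwsLcSha512
    }

    // ── Signer / Verifier ─────────────────────────────────────────────────────

    /// Returns the Ed25519 signer adapter (`sign::AwsLcEd25519Signer`).
    #[must_use]
    pub fn ed25519_signer() -> sign::AwsLcEd25519Signer {
        sign::AwsLcEd25519Signer
    }

    /// Returns the Ed25519 verifier adapter (`sign::AwsLcEd25519Verifier`).
    #[must_use]
    pub fn ed25519_verifier() -> sign::AwsLcEd25519Verifier {
        sign::AwsLcEd25519Verifier
    }

    /// Returns the ECDSA-P256-SHA256 signer adapter
    /// (`sign::AwsLcEcdsaP256Signer`).
    #[must_use]
    pub fn ecdsa_p256_signer() -> sign::AwsLcEcdsaP256Signer {
        sign::AwsLcEcdsaP256Signer
    }

    /// Returns the ECDSA-P256-SHA256 verifier adapter
    /// (`sign::AwsLcEcdsaP256Verifier`).
    #[must_use]
    pub fn ecdsa_p256_verifier() -> sign::AwsLcEcdsaP256Verifier {
        sign::AwsLcEcdsaP256Verifier
    }

    /// Returns the ECDSA-P384-SHA384 signer adapter
    /// (`sign::AwsLcEcdsaP384Signer`).
    #[must_use]
    pub fn ecdsa_p384_signer() -> sign::AwsLcEcdsaP384Signer {
        sign::AwsLcEcdsaP384Signer
    }

    /// Returns the ECDSA-P384-SHA384 verifier adapter
    /// (`sign::AwsLcEcdsaP384Verifier`).
    #[must_use]
    pub fn ecdsa_p384_verifier() -> sign::AwsLcEcdsaP384Verifier {
        sign::AwsLcEcdsaP384Verifier
    }

    /// Returns the RSA-PKCS1-SHA256 signer adapter
    /// (`sign::AwsLcRsaPkcs1Sha256Signer`).
    ///
    /// PKCS#1 v1.5 signing is usually kept for interoperability with existing
    /// peers; [`Self::rsa_pss_sha256_signer`] provides the PSS scheme.
    #[must_use]
    pub fn rsa_pkcs1_sha256_signer() -> sign::AwsLcRsaPkcs1Sha256Signer {
        sign::AwsLcRsaPkcs1Sha256Signer
    }

    /// Returns the RSA-PSS-SHA256 signer adapter
    /// (`sign::AwsLcRsaPssSha256Signer`).
    #[must_use]
    pub fn rsa_pss_sha256_signer() -> sign::AwsLcRsaPssSha256Signer {
        sign::AwsLcRsaPssSha256Signer
    }

    /// Returns the RSA-PKCS1-SHA256 verifier adapter
    /// (`sign::AwsLcRsaPkcs1Sha256Verifier`).
    ///
    /// A verifier accepts only the scheme it was built for: pair it with
    /// [`Self::rsa_pkcs1_sha256_signer`], not with the PSS signer.
    #[must_use]
    pub fn rsa_pkcs1_sha256_verifier() -> sign::AwsLcRsaPkcs1Sha256Verifier {
        sign::AwsLcRsaPkcs1Sha256Verifier
    }

    /// Returns the RSA-PSS-SHA256 verifier adapter
    /// (`sign::AwsLcRsaPssSha256Verifier`).
    #[must_use]
    pub fn rsa_pss_sha256_verifier() -> sign::AwsLcRsaPssSha256Verifier {
        sign::AwsLcRsaPssSha256Verifier
    }

    // ── KDF ───────────────────────────────────────────────────────────────────

    /// Returns the HKDF-SHA-256 adapter (`hkdf::AwsLcHkdf::sha256`).
    #[must_use]
    pub fn hkdf_sha256() -> hkdf::AwsLcHkdf {
        hkdf::AwsLcHkdf::sha256()
    }

    /// Returns the HKDF-SHA-384 adapter (`hkdf::AwsLcHkdf::sha384`).
    #[must_use]
    pub fn hkdf_sha384() -> hkdf::AwsLcHkdf {
        hkdf::AwsLcHkdf::sha384()
    }

    /// Returns the HKDF-SHA-512 adapter (`hkdf::AwsLcHkdf::sha512`).
    #[must_use]
    pub fn hkdf_sha512() -> hkdf::AwsLcHkdf {
        hkdf::AwsLcHkdf::sha512()
    }

    // ── MAC ───────────────────────────────────────────────────────────────────

    /// Returns the HMAC-SHA-256 adapter (`mac::AwsLcHmac::sha256`).
    ///
    /// NOTE(review): tag comparison is not visible in this file; confirm that
    /// `mac::AwsLcHmac` verifies tags in constant time rather than with `==`.
    #[must_use]
    pub fn hmac_sha256() -> mac::AwsLcHmac {
        mac::AwsLcHmac::sha256()
    }

    /// Returns the HMAC-SHA-384 adapter (`mac::AwsLcHmac::sha384`).
    #[must_use]
    pub fn hmac_sha384() -> mac::AwsLcHmac {
        mac::AwsLcHmac::sha384()
    }

    /// Returns the HMAC-SHA-512 adapter (`mac::AwsLcHmac::sha512`).
    #[must_use]
    pub fn hmac_sha512() -> mac::AwsLcHmac {
        mac::AwsLcHmac::sha512()
    }
}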