Skip to content

refactor(rust_crypto): move RSA backend to rsa 0.10.0-rc.17#502

Open
EffortlessSteven wants to merge 3 commits intoKeats:masterfrom
EffortlessSteven:codex/rust-crypto-rsa-010
Open

refactor(rust_crypto): move RSA backend to rsa 0.10.0-rc.17#502
EffortlessSteven wants to merge 3 commits intoKeats:masterfrom
EffortlessSteven:codex/rust-crypto-rsa-010

Conversation

@EffortlessSteven
Copy link
Copy Markdown

@EffortlessSteven EffortlessSteven commented Apr 15, 2026

Addresses #495.

I kept this to the rust_crypto RSA seam.

Scope

  • rust_crypto backend only
  • no public API changes
  • no aws_lc_rs changes
  • no crate-wide signature 3 migration
  • no crate-wide sha2 0.11 migration

Dependency note

  • This uses the currently published crates.io 0.10 line for RSA, which is rsa 0.10.0-rc.17.

Review map

  • Cargo.toml
  • src/crypto/rust_crypto/rsa.rs
  • src/crypto/rust_crypto/ecdsa.rs
  • src/crypto/rust_crypto/mod.rs

What changed

  • replace wrapper-based RSA signing with explicit prehash + low-level key operations
  • keep verification on RsaPublicKey::verify(...)
  • move RSA modulus/exponent handling to BoxedUint
  • decouple ECDSA from rsa::pkcs8
  • preserve minimal big-endian n/e extraction for DecodingKey::from_rsa_components and JWK generation
  • add a wasm-target-only getrandom 0.4 alias so the existing wasm-pack commands keep working

Existing coverage already exercising the touched paths

  • PEM PKCS#1 and PKCS#8 RSA round-trips
  • DER round-trips
  • modulus/exponent decode via DecodingKey::from_rsa_components
  • JWK decode
  • JWK generation from an encoding key

Validated locally

  • cargo fmt --check
  • cargo clippy --all-targets --features rust_crypto -- -D warnings
  • cargo clippy --all-targets --features aws_lc_rs -- -D warnings
  • cargo test --features rust_crypto
  • cargo test --no-default-features --features rust_crypto
  • cargo test --features aws_lc_rs
  • cargo test --no-default-features --features aws_lc_rs
  • wasm-pack test --node --features rust_crypto,getrandom/js
  • wasm-pack test --node --no-default-features --features rust_crypto,getrandom/js

Non-goal

  • this does not claim to fully resolve Marvin / RUSTSEC-2023-0071

@arckoor
Copy link
Copy Markdown
Collaborator

arckoor commented Apr 15, 2026

Let's not depend on a rc version
Once rsa 0.10 releases, cargo should be free to pull in that version, despite us specifying a lower version in the crate (since they seem to be following semver, 0.10 is a patch release, and cargo is free to resolve it. If it has relevant breaking changes, we'll resolve them then)

@EffortlessSteven
Copy link
Copy Markdown
Author

EffortlessSteven commented Apr 15, 2026

Absolutely. Leaving the RC alone makes sense.

This shook out the rust_crypto-side changes ahead of stable 0.10 and surfaced the wasm/getrandom wrinkle.

Happy to revisit once 0.10.0 is out.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@EffortlessSteven @arckoor