On Thu, Sep 1, 2016 at 10:43 AM, Jack Moffitt <j...@metajack.im> wrote:
> mozpkix was the proposal, which Brian is also an author of. Brian, why > exactly is mozpkix hard to wrap? Specific examples may help us > understand Rust / C++ limitations. If that library is hard enough to > wrap, then it might be less work to add whatever is needed to webpki. > However, wrapping a C++ lib and implementing functionality may require > quite different skillsets. > When we developed mozilla::pkix we had two use cases that were quite different from each other: signed packaged apps (for B2G) and extensions, and TLS. Consequently, mozilla::pkix is actually more of a framework than a standalone certificate validation subsystem, where the differences between these two use-cases were abstracted away into something called TrustDomain[1]. Firefox implements TrustDomain two different ways, using code that is dependent on Gecko stuff. Servo would almost definitely need its own implementation of TrustDomain. The details of the TrustDomain interface are security-critical so you'd probably need to have domain experts help with the implementation of it. In order to use mozilla::pkix from Rust, one would need to wrap the C++ mozilla::pkix API in a Rust API, and then implement in C++ a new TrustDomain implementation that presumably forwards calls to new Rust code that mirrors the TrustDomain class with a Rust analog. The TrustDomain interface requires implementing many callbacks that require would translating types C++ <-> Rust. As a result, when I started doing a Rust wrapper around mozilla::pkix, I found that the boilerplate for translating C++ <-> Rust was overwhelming and I became quite unhappy with the code. In particular, the point of using Rust is to make code less error-prone, but these wrappers were themselves adding lots of potential for errors. Keep in mind that when we decided to do mozilla::pkix, we optimized it as much as possible for C++. I think the idea that it has a "C-like" API is perhaps due to a misunderstanding. It would be a significant amount of work to create a real C API around it, because it is so optimized for use from C++. I think this is why, after two years, mozilla::pkix hasn't been integrated into NSS, even though Mozilla had promised the NSS team that it would do so: using it from non-C++ code ends up being a lot more work than it initially appears. Also, I expect it would be quite a burden on the current mozilla::pkix maintainers to keep the Rust bindings in sync with whatever changes they make to the internals of mozilla::pkix. Because I had implemented most of mozilla::pkix, and because I did so that used relatively modern C++ features like closures, I felt confident that I could make a new Rust implementation of the same functionality that was optimized for use by non-experts. I felt (and feel) that this is more useful to the Rust community than what we did in mozilla::pkix, where it was assumed that the users would be experts in certificate validation. Thus, wrapping mozilla::pkix requires both Rust and certificate validation expertise, just like extending webpki would. I do not think, for example, that creating a safe and full-featured wrapper around mozilla::pkix would require less total effort than to add OCSP and the other "missing" features to webpki. Note that mozilla::pkix makes extensive use of what Rust calls slices, to avoid copying data. My primary motivation for creating webpki was to solve the fundamental limitation that we had in mozilla::pkix: Although we were very careful, the C++ compiler doesn't have a borrow checker to verify that the slicing is safe from use-after-free. This, combined with the much-simplified end-user API [2], are the primary technical advantages of webpki over mozilla::pkix as webpki exists today. Looking forward to next year, I feel much more comfortable adding advanced multi-threading and other features to webpki than I would to mozilla::pkix. [1] http://hg.mozilla.org/mozilla-central/file/990aca9e4d11/security/pkix/include/pkix/pkixtypes.h#l169 [2] https://briansmith.org/rustdoc/webpki/struct.EndEntityCert.html Cheers, Brian -- https://briansmith.org/ _______________________________________________ dev-servo mailing list dev-servo@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-servo
