faysou opened a new pull request, #576:
URL: https://github.com/apache/arrow-rs-object-store/pull/576
## Cryptographic backend abstraction
This PR introduces support for selecting between `ring` and `aws-lc-rs` as
cryptographic backends at compile time, providing users with flexibility in
their cryptographic library choice while maintaining API compatibility.
### Changes
#### Feature flags and dependencies
- Added `aws-lc-rs` as an optional dependency with feature flag `aws-lc`.
- Updated `Cargo.toml` to support both `ring` and `aws-lc-rs` backends:
- `ring` remains the default backend (included in `default` features).
- New feature flags: `azure-aws-lc`, `gcp-aws-lc`, `aws-aws-lc`,
`http-aws-lc` for using `aws-lc-rs` with specific cloud providers.
- Features `ring` and `aws-lc` are mutually exclusive.
- Updated `reqwest` TLS configuration from `rustls-tls-native-roots` to
`rustls-tls-webpki-roots-no-provider` to support both backends.
#### Cryptographic abstraction layer
- Created new `crypto_backend.rs` module that provides a unified interface
over `ring` and `aws-lc-rs`.
- The module re-exports the chosen backend as `crypto`, allowing existing
code to work with either backend transparently.
- Added `rsa_key_modulus_len()` helper function to abstract API differences
between `ring` and `aws-lc-rs` for RSA key operations.
#### Code updates
- Updated AWS client (`src/aws/client.rs`) to use the abstracted crypto
backend instead of direct `ring` imports.
- Updated GCP credential handling (`src/gcp/credential.rs`) to use the
abstracted crypto backend and the new `rsa_key_modulus_len()` helper.
- Updated utility functions (`src/util.rs`) for HMAC-SHA256 and SHA256
digest operations to use the abstracted backend.
- Updated all feature gate conditions throughout the codebase to include the
new `*-aws-lc` feature variants:
- `builder.rs`: Updated feature gates for HTTP request building methods.
- `header.rs`: Updated feature gates for header parsing functions.
- `body.rs`: Updated feature gates for JSON deserialization.
- `mod.rs`: Updated feature gates for cloud provider modules and client
options.
- `retry.rs`: Updated feature gates for retry configuration.
- `s3.rs`: Updated feature gates for S3-specific types.
- `token.rs`: Updated feature gates for token caching.
- `lib.rs`: Updated feature gates for module exports.
### Design decisions
- **API compatibility**: Since `aws-lc-rs` is API-compatible with `ring` for
most operations, a simple re-export pattern was used rather than a trait-based
abstraction, minimizing code complexity.
- **Compile-time selection**: The backend choice is made at compile time via
feature flags, avoiding runtime overhead and ensuring type safety.
- **Mutual exclusivity**: The `ring` and `aws-lc` features are mutually
exclusive to prevent conflicts and ensure clear backend selection.
- **Backward compatibility**: The default configuration continues to use
`ring`, ensuring existing users are not affected unless they explicitly opt
into `aws-lc-rs`.
### Testing considerations
- All existing tests should continue to pass with the default `ring` backend.
- New feature flag combinations (`*-aws-lc`) should be tested to ensure
proper compilation and functionality with the `aws-lc-rs` backend.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
