]> git.bitcoin.ninja Git - dnssec-prover/commit
projects / dnssec-prover / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 9c6775c) | patch
Swap `ring` for our own in-crate ECDSA validator
authorMatt Corallo <git@bluematt.me>
Mon, 4 Mar 2024 03:22:08 +0000 (03:22 +0000)
committerMatt Corallo <git@bluematt.me>
Wed, 3 Apr 2024 09:15:18 +0000 (09:15 +0000)
commitc9fd1919a8cf2bf5e9d0d570b99f58d83854f990
tree51b55d5bf17f8049f9c5969be654eeddcd0c6cdetree | snapshot
parent9c6775ca84026a2139d1845f061670f581088fa3commit | diff
Swap `ring` for our own in-crate ECDSA validator

While `ring` is great, it struggles with platform support and has a
fairly involved dependency tree due to its reliance on C backends.

Further, while the `RustCrypto` org tries to stick to Rust, in
doing so it takes on more (unnecessary) dependencies and has a
particularly unusable MSRV policy. Finally, its contributor base
has historically not been particularly friendly.

Thus, sadly, there's not really a good option for doing ECDSA (non-
secp256k1) validation using a third-party crate.

Instead, we go our own way here, adding an in-crate ECDSA
validator over secp{256,384}r1.

This also adds a new bench, showing our secp256r1 validation is,
sadly, something like 50x slower than OpenSSL.
Cargo.toml diff | blob | history
bench/benches/bench.rs diff | blob | history
src/crypto/ec.rs [new file with mode: 0644] blob
src/crypto/mod.rs diff | blob | history
src/crypto/secp256r1.rs [new file with mode: 0644] blob
src/crypto/secp384r1.rs [new file with mode: 0644] blob
src/validation.rs diff | blob | history
Generates and validates RFC 9102-formatted DNSSEC proofs