Create a cryptography library that can change its backend at compile time

CHANGELOG.md

@@ -2,6 +2,20 @@
 
 ## Unreleased
 
+### passkey-crypto v0.1.0
+
+A new crate! This crate houses the swappable cryptographic backends for different libraries should you
+wish/need to use a different set of libraries than the default RustCrypto libraries. As always PRs are
+accepted to add new backends should you wish to not use plenty of newtypes to get around the orphan
+rules.
+
+- New `RngBackend` trait which replaces the pre-existing `passkey-types::rand::random_vec` function.
+  Use this new method as `passkey-crypto::rng::Rng::random_vec`.
+
+### passkey-types
+
+- ⚠ BREAKING: The `passkey-types::rand` module no longer exists and is instead replaced by `passkey-crypto::rng`.
+
 ## Passkey v0.5.0
 
 - Migrate project to Rust 2024 edition

Cargo.toml

@@ -3,6 +3,7 @@ members = [
   "passkey",
   "passkey-authenticator",
   "passkey-client",
+  "passkey-crypto",
   "passkey-transports",
   "passkey-types",
   "public-suffix",

passkey-authenticator/Cargo.toml

@@ -17,6 +17,7 @@ workspace = true
 
 [features]
 default = []
+js = ["passkey-crypto/js"]
 testable = ["dep:mockall", "passkey-types/testable"]
 tokio = ["dep:tokio"]
 
@@ -26,8 +27,8 @@ coset = { workspace = true }
 log = "0.4"
 mockall = { version = "0.11", optional = true }
 p256 = { version = "0.13", features = ["arithmetic", "jwk", "pem"] }
+passkey-crypto = { path = "../passkey-crypto", version = "0.1" }
 passkey-types = { path = "../passkey-types", version = "0.5" }
-rand = "0.8"
 tokio = { version = "1", features = ["sync"], optional = true }
 
 [dev-dependencies]

passkey-authenticator/src/authenticator.rs

@@ -1,4 +1,5 @@
 use coset::iana;
+use passkey_crypto::{CryptoBackend, rng::RngBackend};
 use passkey_types::{
     ctap2::{Aaguid, Ctap2Error, Flags},
     webauthn,
@@ -38,8 +39,8 @@ impl CredentialIdLength {
     const MAX: u8 = 64;
 
     /// Generates and returns a uniformly random [CredentialIdLength].
-    pub fn randomized(rng: &mut impl rand::Rng) -> Self {
-        let length = rng.gen_range(Self::MIN..=Self::MAX);
+    pub fn randomized<Rng: RngBackend>() -> Self {
+        let length = Rng::from_range(Self::MIN..=Self::MAX);
         Self(length)
     }
 }
@@ -67,7 +68,7 @@ impl From<CredentialIdLength> for usize {
 }
 
 /// A virtual authenticator with all the necessary state and information.
-pub struct Authenticator<S, U> {
+pub struct Authenticator<S, U, C> {
     /// The authenticator's AAGUID
     aaguid: Aaguid,
     /// Provides credential storage capabilities
@@ -94,15 +95,19 @@ pub struct Authenticator<S, U> {
 
     /// Supported authenticator extensions
     extensions: Extensions,
+
+    /// The cryptographic backend of the Authenticator
+    crypto: C,
 }
 
-impl<S, U> Authenticator<S, U>
+impl<S, U, C> Authenticator<S, U, C>
 where
     S: CredentialStore,
     U: UserValidationMethod,
+    C: CryptoBackend,
 {
     /// Create an authenticator with a known aaguid, a backing storage and a User verification system.
-    pub fn new(aaguid: Aaguid, store: S, user: U) -> Self {
+    pub fn new(aaguid: Aaguid, store: S, user: U, crypto: C) -> Self {
         Self {
             aaguid,
             store,
@@ -116,6 +121,7 @@ where
             make_credentials_with_signature_counter: false,
             credential_id_length: CredentialIdLength::default(),
             extensions: Extensions::default(),
+            crypto,
         }
     }
 

passkey-authenticator/src/authenticator/extensions.rs

@@ -54,7 +54,7 @@ pub(super) struct GetExtensionOutputs {
     pub unsigned: Option<get_assertion::UnsignedExtensionOutputs>,
 }
 
-impl<S, U> Authenticator<S, U> {
+impl<S, U, C> Authenticator<S, U, C> {
     pub(super) fn make_extensions(
         &self,
         request: Option<make_credential::ExtensionInputs>,

passkey-authenticator/src/authenticator/extensions/hmac_secret.rs

@@ -1,5 +1,6 @@
 use std::ops::Not;
 
+use passkey_crypto::rng::{Rng, RngBackend};
 use passkey_types::{
     crypto::hmac_sha256,
     ctap2::{
@@ -9,7 +10,6 @@ use passkey_types::{
             AuthenticatorPrfValues, HmacSecretSaltOrOutput,
         },
     },
-    rand::random_vec,
 };
 
 use crate::Authenticator;
@@ -81,7 +81,7 @@ impl HmacSecretCredentialSupport {
     }
 }
 
-impl<S, U> Authenticator<S, U> {
+impl<S, U, C> Authenticator<S, U, C> {
     pub(super) fn make_hmac_secret(
         &self,
         hmac_secret_request: Option<bool>,
@@ -96,8 +96,8 @@ impl<S, U> Authenticator<S, U> {
         }
 
         Some(passkey_types::StoredHmacSecret {
-            cred_with_uv: random_vec(32),
-            cred_without_uv: config.credentials.without_uv().then(|| random_vec(32)),
+            cred_with_uv: Rng::random_vec(32),
+            cred_without_uv: config.credentials.without_uv().then(|| Rng::random_vec(32)),
         })
     }
 

passkey-authenticator/src/authenticator/extensions/hmac_secret/tests.rs

@@ -1,3 +1,4 @@
+use passkey_crypto::rust_crypto::RustCryptoBackend;
 use passkey_types::{Passkey, ctap2::Aaguid};
 
 use crate::{Authenticator, MockUserValidationMethod};
@@ -19,19 +20,24 @@ pub(crate) fn prf_eval_request(eval: Option<Vec<u8>>) -> AuthenticatorPrfInputs
 
 #[test]
 fn hmac_secret_cycle_works() {
-    let auth = Authenticator::new(Aaguid::new_empty(), None, MockUserValidationMethod::new())
-        .hmac_secret(HmacSecretConfig::new_without_uv());
+    let auth = Authenticator::new(
+        Aaguid::new_empty(),
+        None,
+        MockUserValidationMethod::new(),
+        RustCryptoBackend,
+    )
+    .hmac_secret(HmacSecretConfig::new_without_uv());
 
     let ext = auth
         .make_hmac_secret(Some(true))
         .expect("There should be passkey extensions");
     assert!(ext.cred_without_uv.is_some());
 
-    let passkey = Passkey::mock("sneakernetsend.com".into())
+    let passkey = Passkey::mock("sneakernetsend.com".into(), RustCryptoBackend)
         .hmac_secret(ext)
         .build();
 
-    let request = prf_eval_request(Some(random_vec(64)));
+    let request = prf_eval_request(Some(Rng::random_vec(64)));
 
     let res = auth
         .get_prf(
@@ -66,7 +72,7 @@ fn hmac_secret_cycle_works() {
         .get_prf(
             &passkey.credential_id,
             passkey.extensions.hmac_secret.as_ref(),
-            prf_eval_request(Some(random_vec(64))),
+            prf_eval_request(Some(Rng::random_vec(64))),
             true,
         )
         .expect("Changing input should still succeed")
@@ -98,19 +104,24 @@ fn hmac_secret_cycle_works() {
 
 #[test]
 fn hmac_secret_cycle_works_with_one_cred() {
-    let auth = Authenticator::new(Aaguid::new_empty(), None, MockUserValidationMethod::new())
-        .hmac_secret(HmacSecretConfig::new_with_uv_only());
+    let auth = Authenticator::new(
+        Aaguid::new_empty(),
+        None,
+        MockUserValidationMethod::new(),
+        RustCryptoBackend,
+    )
+    .hmac_secret(HmacSecretConfig::new_with_uv_only());
 
     let ext = auth
         .make_hmac_secret(Some(true))
         .expect("There should be passkey extensions");
     assert!(ext.cred_without_uv.is_none());
 
-    let passkey = Passkey::mock("sneakernetsend.com".into())
+    let passkey = Passkey::mock("sneakernetsend.com".into(), RustCryptoBackend)
         .hmac_secret(ext)
         .build();
 
-    let request = prf_eval_request(Some(random_vec(64)));
+    let request = prf_eval_request(Some(Rng::random_vec(64)));
 
     let res = auth
         .get_prf(
@@ -142,7 +153,7 @@ fn hmac_secret_cycle_works_with_one_cred() {
         .get_prf(
             &passkey.credential_id,
             passkey.extensions.hmac_secret.as_ref(),
-            prf_eval_request(Some(random_vec(64))),
+            prf_eval_request(Some(Rng::random_vec(64))),
             true,
         )
         .expect("Changing input should still succeed")
@@ -155,19 +166,24 @@ fn hmac_secret_cycle_works_with_one_cred() {
 
 #[test]
 fn hmac_secret_cycle_works_with_one_salt() {
-    let auth = Authenticator::new(Aaguid::new_empty(), None, MockUserValidationMethod::new())
-        .hmac_secret(HmacSecretConfig::new_with_uv_only());
+    let auth = Authenticator::new(
+        Aaguid::new_empty(),
+        None,
+        MockUserValidationMethod::new(),
+        RustCryptoBackend,
+    )
+    .hmac_secret(HmacSecretConfig::new_with_uv_only());
 
     let ext = auth
         .make_hmac_secret(Some(true))
         .expect("There should be passkey extensions");
     assert!(ext.cred_without_uv.is_none());
 
-    let passkey = Passkey::mock("sneakernetsend.com".into())
+    let passkey = Passkey::mock("sneakernetsend.com".into(), RustCryptoBackend)
         .hmac_secret(ext)
         .build();
 
-    let mut request = prf_eval_request(Some(random_vec(64)));
+    let mut request = prf_eval_request(Some(Rng::random_vec(64)));
     request.eval = request.eval.map(|e| AuthenticatorPrfValues {
         first: e.first,
         second: None,

passkey-authenticator/src/authenticator/get_assertion.rs

@@ -1,4 +1,5 @@
 use p256::ecdsa::{SigningKey, signature::SignerMut};
+use passkey_crypto::CryptoBackend;
 use passkey_types::{
     Bytes,
     ctap2::{
@@ -15,10 +16,11 @@ use crate::{
     user_validation::UiHint,
 };
 
-impl<S, U> Authenticator<S, U>
+impl<S, U, C> Authenticator<S, U, C>
 where
     S: CredentialStore + Sync,
     U: UserValidationMethod<PasskeyItem = <S as CredentialStore>::PasskeyItem> + Sync,
+    C: CryptoBackend,
 {
     /// This method is used by a host to request cryptographic proof of user authentication as well
     /// as user consent to a given transaction, using a previously generated credential that is