Add aws-lc-rs crypto backend with trait-based abstraction by preuss-adam · Pull Request #320 · eclipse-biscuit/biscuit-rust

preuss-adam · 2026-03-02T15:14:51Z

Summary

Add trait-based crypto backend abstraction (Backend, KeyPairImpl, PrivateKeyImpl, PublicKeyImpl, KeySerialization, KeyPemSerialization)
Move existing ed25519-dalek/p256 code into default/ backend implementing the new traits
Add aws-lc-rs backend with Ed25519 and secp256r1 support
Feature-gate backends: default-backend (ed25519-dalek/p256) and awslc-backend (aws-lc-rs)
Remove unused deps: sha2, prost-types, getrandom, ecdsa, elliptic-curve
Upgrade pkcs8 to 0.10.2

Benchmarks

Ed25519 verification (third-party checks)

Blocks	default-backend	awslc-backend	Speedup
0	85us	56us	1.5x
1	108us	78us	1.4x
2	167us	113us	1.5x
3	197us	148us	1.3x
4	241us	185us	1.3x
5	285us	222us	1.3x
6	337us	253us	1.3x
7	374us	289us	1.3x

P256 verification (third-party checks)

Blocks	default-backend	awslc-backend	Speedup
0	406us	76us	5.3x
1	731us	127us	5.8x
2	975us	185us	5.3x
3	1,253us	230us	5.4x
4	1,561us	284us	5.5x
5	1,847us	338us	5.5x
6	2,091us	393us	5.3x
7	2,445us	446us	5.5x

Usage

Default (ed25519-dalek + p256):

biscuit-auth = "6.0.0"

aws-lc-rs backend:

biscuit-auth = { version = "6.0.0", default-features = false, features = ["awslc-backend", "pem", "regex-full", "datalog-macro"] }

- Add traits.rs with Backend, KeyPairImpl, PrivateKeyImpl, PublicKeyImpl - Add KeySerialization and KeyPemSerialization traits - Wire mod traits into crypto module

- Move ed25519.rs and p256.rs into default/ submodule - Implement KeyPairImpl, PrivateKeyImpl, PublicKeyImpl traits on default backend types - Rewrite mod.rs to use DefaultBackend + trait-based type aliases - Update scope.rs Display impl for new PublicKey type

- Implement Ed25519 and secp256r1 PublicKey, PrivateKey, KeyPair - Add AwsLcPublicKey trait with blanket KeyPemSerialization impl - Add P256 point compression/decompression via aws-lc-sys FFI - Add aws-lc-rs, aws-lc-sys deps; upgrade pkcs8 to 0.10.2 - Remove unused deps: sha2, prost-types, getrandom, ecdsa, elliptic-curve - Add tests for sign/verify, serialization, PEM/DER roundtrips

- Make ed25519-dalek, p256, aws-lc-rs, aws-lc-sys optional deps - Add default-backend and awslc-backend feature flags - Add default-backend-pem synthetic feature for dalek pem/pkcs8 - Make pem feature standalone - Gate awslc module with not(default-backend) to prevent conflicting impls - default-backend takes priority when both features are enabled

preuss-adam added 4 commits February 26, 2026 11:48

Add crypto backend traits for abstraction

6920d09

- Add traits.rs with Backend, KeyPairImpl, PrivateKeyImpl, PublicKeyImpl - Add KeySerialization and KeyPemSerialization traits - Wire mod traits into crypto module

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add aws-lc-rs crypto backend with trait-based abstraction#320

Add aws-lc-rs crypto backend with trait-based abstraction#320
preuss-adam wants to merge 4 commits intoeclipse-biscuit:mainfrom
preuss-adam:crypto-traits

preuss-adam commented Mar 2, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

preuss-adam commented Mar 2, 2026

Summary

Benchmarks

Ed25519 verification (third-party checks)

P256 verification (third-party checks)

Usage

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant