Merge pull request #8 from AriajSarkar/feature/tls-provider

feat(tls): implement rustls CryptoProvider

Author: AriajSarkar

.gitignore

@@ -18,6 +18,8 @@ fuzz/artifacts/
 *~
 .DS_Store
 copilot-instructions.md
+prompts/
+.agent/
 
 # Testing
 *.profraw

CHANGELOG.md

@@ -7,6 +7,62 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.4.0-pre] - 2026-02-05
+
+### Added
+- **TLS CryptoProvider** - Enterprise-grade `rustls::crypto::CryptoProvider` implementation
+  - Enables crabgraph as the TLS crypto backend for reqwest, hyper-rustls, tokio-rustls, etc.
+  - Eliminates need for external crypto backends (ring/aws-lc-rs)
+  - Feature flag: `tls` or `rustls-provider`
+  
+- **TLS 1.3 Cipher Suites**:
+  - `TLS13_AES_256_GCM_SHA384`
+  - `TLS13_CHACHA20_POLY1305_SHA256`
+  - `TLS13_AES_128_GCM_SHA256`
+
+- **TLS 1.2 Cipher Suites**:
+  - `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`
+  - `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`
+  - `TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256`
+  - `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`
+  - `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`
+  - `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256`
+
+- **Key Exchange Groups**: X25519, P-256 (secp256r1), P-384 (secp384r1)
+
+- **P-256 (secp256r1) Support** - NIST curve implementation (`tls` feature)
+  - `P256KeyPair` - ECDH key exchange
+  - `P256SigningKey` / `P256VerifyingKey` - ECDSA signatures
+  - PKCS#8/SEC1 key import/export
+
+- **P-384 (secp384r1) Support** - NIST curve implementation (`tls` feature)
+  - `P384KeyPair` - ECDH key exchange  
+  - `P384SigningKey` / `P384VerifyingKey` - ECDSA signatures
+  - PKCS#8/SEC1 key import/export
+
+- **SHA-384 Hash Function** - Required for TLS cipher suites
+  - `sha384()` and `sha384_hex()` functions
+  - Enabled with `tls` feature
+
+- **TLS Module** (`src/tls/`) - Complete rustls integration
+  - `tls::provider()` - Get the CryptoProvider
+  - `tls::install_default()` - Install as global default
+  - AEAD encryption for TLS records
+  - Session ticketer with AES-256-GCM
+  - Signature verification for WebPKI
+
+### Changed
+- Test count increased from 313 to **418 tests** (105 new tests for TLS, P-256, P-384)
+
+### Dependencies Added (TLS feature)
+- `rustls` 0.23 - TLS library
+- `p256` 0.13 - P-256/secp256r1 curve
+- `p384` 0.13 - P-384/secp384r1 curve
+- `ecdsa` 0.16 - ECDSA signatures
+- `digest` 0.10 - Hash trait requirements
+- `const-oid` 0.9 - OID constants for signatures
+- `rand` 0.8 - RNG for RSA-PSS signing
+
 ## [0.3.3] - 2025-11-19
 
 ### Changed

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "crabgraph"
-version = "0.3.3"
+version = "0.4.0-pre"
 authors = ["Raj Sarkar <ariajsarkar@gmail.com>"]
 edition = "2021"
 rust-version = "1.70"
@@ -74,6 +74,15 @@ serde = { version = "1.0.228", features = ["derive"], optional = true }
 # Zero-copy optimizations (optional)
 bytes = { version = "1.11.0", optional = true }
 
+# TLS CryptoProvider support (optional)
+rustls = { version = "0.23", default-features = false, features = ["std", "tls12"], optional = true }
+p256 = { version = "0.13", default-features = false, features = ["ecdh", "ecdsa", "std", "pkcs8", "pem"], optional = true }
+p384 = { version = "0.13", default-features = false, features = ["ecdh", "ecdsa", "std", "pkcs8", "pem"], optional = true }
+ecdsa = { version = "0.16", default-features = false, features = ["signing", "verifying", "std", "der"], optional = true }
+digest = { version = "0.10", optional = true }
+const-oid = { version = "0.9", optional = true }
+rand = { version = "0.8", optional = true }
+
 [dev-dependencies]
 criterion = { version = "0.7.0", features = ["html_reports"] }
 proptest = "1.9.0"
@@ -107,6 +116,10 @@ serde-support = ["serde"]
 zero-copy = ["bytes"]
 # WASM support is automatic via target-specific getrandom dependency
 wasm = []
+# TLS CryptoProvider support - implements rustls::crypto::CryptoProvider
+# Note: TLS feature always enables RSA for certificate validation
+tls = ["dep:rustls", "dep:p256", "dep:p384", "dep:ecdsa", "dep:digest", "dep:const-oid", "dep:rand", "rsa-support"]
+rustls-provider = ["tls"]
 
 [[example]]
 name = "rsa_example"

README.md

@@ -19,12 +19,13 @@ For security issues, please see [SECURITY.md](SECURITY.md).
 ## ✨ Features
 
 - 🔒 **Authenticated Encryption (AEAD)**: AES-GCM, ChaCha20-Poly1305
-- � **Streaming Encryption**: Process large files chunk-by-chunk with STREAM construction
-- �🔑 **Key Derivation**: PBKDF2, Argon2, HKDF
-- ✍️ **Digital Signatures**: Ed25519, (optional: RSA-PSS)
-- 🤝 **Key Exchange**: X25519 (Elliptic Curve Diffie-Hellman)
+- 📦 **Streaming Encryption**: Process large files chunk-by-chunk with STREAM construction
+- 🔑 **Key Derivation**: PBKDF2, Argon2, HKDF
+- ✍️ **Digital Signatures**: Ed25519, ECDSA (P-256, P-384), (optional: RSA-PSS)
+- 🤝 **Key Exchange**: X25519, P-256, P-384 (Elliptic Curve Diffie-Hellman)
 - 🔐 **Message Authentication**: HMAC (SHA-256, SHA-512)
-- #️⃣ **Hashing**: SHA-256, SHA-512, (optional: SHA-3, BLAKE2)
+- #️⃣ **Hashing**: SHA-256, SHA-384, SHA-512, (optional: SHA-3, BLAKE2)
+- 🌐 **TLS Support**: rustls CryptoProvider for reqwest, hyper-rustls, tokio-rustls
 - 🔒 **Optional RSA Support**: RSA-OAEP encryption & RSA-PSS signatures (⚠️ opt-in only, not recommended)
 - 🎲 **Secure Random**: Cryptographically secure RNG wrapper
 - 🧹 **Memory Safety**: Automatic zeroization of sensitive data
@@ -266,8 +267,36 @@ cargo audit
 - `rsa-support`: RSA encryption/signatures (⚠️ **NOT enabled by default** - opt-in only, has known vulnerability RUSTSEC-2023-0071)
 - `serde-support`: Serialization for keys and ciphertexts
 - `zero-copy`: `bytes` crate integration for high-performance scenarios
+- `tls`: TLS CryptoProvider for rustls (includes P-256, P-384, SHA-384)
+- `rustls-provider`: Alias for `tls` feature
 - `wasm`: WebAssembly support (⚠️ **Temporarily unavailable in v0.3.3** - see CHANGELOG for details)
 
+### TLS Support (New in v0.4.0)
+
+Use crabgraph as the TLS crypto backend for reqwest, hyper-rustls, and other rustls-based libraries:
+
+```toml
+[dependencies]
+crabgraph = { version = "0.4.0-pre", features = ["tls"] }
+```
+
+```rust
+use crabgraph::tls;
+
+fn main() {
+    // Install crabgraph as the default TLS provider (call once at startup)
+    tls::install_default();
+    
+    // Now all rustls-based libraries will use crabgraph
+    // let client = reqwest::Client::new();
+}
+```
+
+**Supported Cipher Suites:**
+- TLS 1.3: AES-256-GCM, AES-128-GCM, ChaCha20-Poly1305
+- TLS 1.2: ECDHE-ECDSA/RSA with AES-GCM and ChaCha20-Poly1305
+- Key Exchange: X25519, P-256, P-384
+
 ### Enabling RSA Support
 
 RSA is **not included by default** due to security concerns. To use RSA:

src/asym/mod.rs

@@ -8,8 +8,24 @@ pub mod x25519;
 #[cfg(feature = "rsa-support")]
 pub mod rsa;
 
+#[cfg(feature = "tls")]
+pub mod p256;
+
+#[cfg(feature = "tls")]
+pub mod p384;
+
 pub use ed25519::{Ed25519KeyPair, Ed25519PublicKey, Ed25519Signature};
 pub use x25519::{X25519KeyPair, X25519PublicKey, X25519SharedSecret};
 
 #[cfg(feature = "rsa-support")]
 pub use rsa::{RsaKeyPair, RsaPublicKey, RsaSignature};
+
+#[cfg(feature = "tls")]
+pub use p256::{
+    P256KeyPair, P256PublicKey, P256SharedSecret, P256Signature, P256SigningKey, P256VerifyingKey,
+};
+
+#[cfg(feature = "tls")]
+pub use p384::{
+    P384KeyPair, P384PublicKey, P384SharedSecret, P384Signature, P384SigningKey, P384VerifyingKey,
+};