implement an OpenSSL provider -- P256

tbrezot · tbrezot · commit eb95f9cfb051 · 2026-01-23T14:52:16.000+01:00
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -1,5 +1,10 @@
 [workspace]
-members = ["crates/core", "crates/rust_nist_ec", "crates/rust_curve25519"]
+members = [
+  "crates/core",
+  "crates/openssl_provider",
+  "crates/rust_nist_ec",
+  "crates/rust_curve25519"
+]
 resolver = "2"
 
 [workspace.package]
diff --git a/crates/core/src/error.rs b/crates/core/src/error.rs
@@ -22,7 +22,6 @@ pub enum CryptoCoreError {
         given: usize,
         expected: usize,
     },
-    #[cfg(any(feature = "nist_curves", feature = "curve25519"))]
     EllipticCurveError(String),
     EncryptionError,
     GenericDeserializationError(String),
@@ -85,7 +84,6 @@ impl Display for CryptoCoreError {
                 f,
                 "wrong size when parsing bytes: {given} given should be {expected}"
             ),
-            #[cfg(any(feature = "nist_curves", feature = "curve25519"))]
             CryptoCoreError::EllipticCurveError(e) => write!(f, "NIST elliptic curve error: {e}"),
             CryptoCoreError::EncryptionError => write!(f, "error during encryption"),
             CryptoCoreError::GenericDeserializationError(err) => {
diff --git a/crates/openssl_provider/Cargo.toml b/crates/openssl_provider/Cargo.toml
@@ -0,0 +1,24 @@
+[package]
+name = "cosmian_openssl_provider"
+version = "1.0.0"
+description = "OpenSSL cryptographic provider."
+
+authors = { workspace = true }
+categories = { workspace = true }
+edition = { workspace = true }
+keywords = { workspace = true }
+license = { workspace = true }
+repository = { workspace = true }
+
+[lib]
+crate-type = ["lib", "staticlib"]
+name = "cosmian_openssl_provider"
+path = "src/lib.rs"
+
+[dependencies]
+cosmian_crypto_core = { path = "../core", version = "10.4", default-features = false }
+openssl = { version = "0.10", default-features = false }
+zeroize = { workspace = true }
+
+[dev-dependencies]
+cosmian_crypto_core = { path = "../core", version = "10.4", default-features = false, features = ["sha3"] }
diff --git a/crates/openssl_provider/src/kem.rs b/crates/openssl_provider/src/kem.rs
@@ -0,0 +1,109 @@
+use crate::FFIMonad;
+use cosmian_crypto_core::{
+    bytes_ser_de::Serializable,
+    reexport::rand_core::CryptoRngCore,
+    traits::{CyclicGroup, Field, KDF, KEM, NIKE},
+    CryptoCoreError, Sampling, SymmetricKey,
+};
+use std::{
+    marker::PhantomData,
+    ops::{Add, Div, Mul, Neg, Sub},
+};
+use zeroize::ZeroizeOnDrop;
+
+#[derive(Debug, Clone, Copy, Default)]
+pub struct MonadicKEM<const KEY_LENGTH: usize, Group: CyclicGroup, Kdf: KDF<KEY_LENGTH>>
+where
+    Group::Element: FFIMonad,
+    Group::Multiplicity: FFIMonad,
+    for<'a> &'a Group::Element: Neg<Output = Group::Element>,
+    for<'a, 'b> &'a Group::Element: Add<&'b Group::Element, Output = Group::Element>,
+    for<'a, 'b> &'a Group::Element: Sub<&'b Group::Element, Output = Group::Element>,
+    for<'a, 'b> &'a Group::Element: Mul<Group::Multiplicity, Output = Group::Element>,
+    for<'a, 'b> &'a Group::Element: Mul<&'b Group::Multiplicity, Output = Group::Element>,
+    for<'a> &'a Group::Multiplicity: Neg<Output = Group::Multiplicity>,
+    for<'a, 'b> &'a Group::Multiplicity: Add<&'b Group::Multiplicity, Output = Group::Multiplicity>,
+    for<'a, 'b> &'a Group::Multiplicity: Sub<&'b Group::Multiplicity, Output = Group::Multiplicity>,
+    for<'a, 'b> &'a Group::Multiplicity: Mul<&'b Group::Multiplicity, Output = Group::Multiplicity>,
+    for<'a, 'b> &'a Group::Multiplicity: Div<
+        &'b Group::Multiplicity,
+        Output = Result<Group::Multiplicity, <Group::Multiplicity as Field>::InvError>,
+    >,
+{
+    data: PhantomData<(Group, Kdf)>,
+}
+
+impl<const KEY_LENGTH: usize, Group: CyclicGroup, Kdf: KDF<KEY_LENGTH>> KEM<KEY_LENGTH>
+    for MonadicKEM<KEY_LENGTH, Group, Kdf>
+where
+    Group::Element: FFIMonad + Serializable + ZeroizeOnDrop,
+    Group::Multiplicity: FFIMonad + Sampling + ZeroizeOnDrop,
+    for<'a> &'a Group::Element: Neg<Output = Group::Element>,
+    for<'a, 'b> &'a Group::Element: Add<&'b Group::Element, Output = Group::Element>,
+    for<'a, 'b> &'a Group::Element: Sub<&'b Group::Element, Output = Group::Element>,
+    for<'a, 'b> &'a Group::Element: Mul<Group::Multiplicity, Output = Group::Element>,
+    for<'a, 'b> &'a Group::Element: Mul<&'b Group::Multiplicity, Output = Group::Element>,
+    for<'a> &'a Group::Multiplicity: Neg<Output = Group::Multiplicity>,
+    for<'a, 'b> &'a Group::Multiplicity: Add<&'b Group::Multiplicity, Output = Group::Multiplicity>,
+    for<'a, 'b> &'a Group::Multiplicity: Sub<&'b Group::Multiplicity, Output = Group::Multiplicity>,
+    for<'a, 'b> &'a Group::Multiplicity: Mul<&'b Group::Multiplicity, Output = Group::Multiplicity>,
+    for<'a, 'b> &'a Group::Multiplicity: Div<
+        &'b Group::Multiplicity,
+        Output = Result<Group::Multiplicity, <Group::Multiplicity as Field>::InvError>,
+    >,
+{
+    type Encapsulation = Group::Element;
+
+    type EncapsulationKey = Group::Element;
+
+    type DecapsulationKey = Group::Multiplicity;
+
+    type Error = CryptoCoreError;
+
+    fn keygen(
+        rng: &mut impl CryptoRngCore,
+    ) -> Result<(Self::DecapsulationKey, Self::EncapsulationKey), Self::Error> {
+        let (sk, pk) = <Group as NIKE>::keygen(rng)?;
+        let sk = sk.manage_error(|e| {
+            CryptoCoreError::EllipticCurveError(format!("secret key is in error state: {e}"))
+        })?;
+        let pk = pk.manage_error(|e| {
+            CryptoCoreError::EllipticCurveError(format!("public key is in error state: {e}"))
+        })?;
+        Ok((sk, pk))
+    }
+
+    fn enc(
+        ek: &Self::EncapsulationKey,
+        rng: &mut impl CryptoRngCore,
+    ) -> Result<(SymmetricKey<KEY_LENGTH>, Self::Encapsulation), Self::Error> {
+        let (sk, pk) = <Group as NIKE>::keygen(rng)?;
+        let ss = (ek * sk).manage_error(|e| {
+            CryptoCoreError::EllipticCurveError(format!("shared secret is in error state: {e}"))
+        })?;
+        let pk = pk.manage_error(|e| {
+            CryptoCoreError::EllipticCurveError(format!("public key is in error state: {e}"))
+        })?;
+        let key = Kdf::derive(
+            &ss.serialize()
+                .map_err(|e| CryptoCoreError::GenericDeserializationError(e.to_string()))?,
+            &[],
+        );
+        Ok((key, pk))
+    }
+
+    fn dec(
+        dk: &Self::DecapsulationKey,
+        enc: &Self::Encapsulation,
+    ) -> Result<SymmetricKey<KEY_LENGTH>, Self::Error> {
+        let ss = <Group as NIKE>::shared_secret(dk, enc)?.manage_error(|e| {
+            CryptoCoreError::EllipticCurveError(format!("shared secret is in error state: {e}"))
+        })?;
+        let key = Kdf::derive(
+            &ss.serialize()
+                .map_err(|e| CryptoCoreError::GenericDeserializationError(e.to_string()))?,
+            &[],
+        );
+        Ok(key)
+    }
+}
diff --git a/crates/openssl_provider/src/lib.rs b/crates/openssl_provider/src/lib.rs
@@ -0,0 +1,37 @@
+//! This crate implements a cryptographic provider on top of the OpenSSL
+//! bindings. Those bindings do not fit well with the arithmetic traits defined
+//! in CryptoCore: since all operations are performed through FFI, the all --
+//! even those as simple as returning the 0 -- are fallible.
+//!
+//! Instead of modifying all arithmetic traits, which would imply the need to
+//! unwrap upon every single arithmetic operation, this provider has been design
+//! in a monadic style: elements are FFI monads that can either be a valid
+//! object or in an error state (the `openssl::ErrorStack` error type) and
+//! comply with arithmetic traits. The only quirk is that the caller is then
+//! required to check the monad state at some point, which leaks an internal
+//! detail.
+//!
+//! To ease its usage, a dedicated KEM is implemented which performs the check
+//! of the monad state when necessary (using the `GenericKEM` from CryptoCore
+//! would return a monad instead of the proper keys or encapsulation).
+
+pub mod kem;
+pub mod p256;
+
+/// An FFI monad is either in an OK or error state.
+pub trait FFIMonad: Sized {
+    /// Type of the error state.
+    type Error: std::error::Error;
+
+    /// Return true if this monad is in its OK state.
+    fn is_ok(&self) -> bool;
+
+    /// Returns true if this monad is in its error state.
+    fn is_err(&self) -> bool {
+        !self.is_ok()
+    }
+
+    /// Return this monad unchanged if it is in its OK state, or apply the given
+    /// function on its error state.
+    fn manage_error<E: std::error::Error>(self, f: fn(Self::Error) -> E) -> Result<Self, E>;
+}
diff --git a/crates/openssl_provider/src/p256.rs b/crates/openssl_provider/src/p256.rs
@@ -0,0 +1,36 @@
+mod point;
+mod scalar;
+
+pub use point::P256Point;
+pub use scalar::P256Scalar;
+
+use cosmian_crypto_core::traits::CyclicGroup;
+use openssl::nid::Nid;
+
+const NID: Nid = Nid::X9_62_PRIME256V1;
+
+#[derive(Debug, Clone, Copy, Default)]
+pub struct P256;
+
+impl CyclicGroup for P256 {
+    type Element = P256Point;
+
+    type Multiplicity = P256Scalar;
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use crate::kem::MonadicKEM;
+    use cosmian_crypto_core::{
+        kdf::Kdf256,
+        traits::tests::{test_cyclic_group, test_kem, test_nike},
+    };
+
+    #[test]
+    fn test_p256() {
+        test_cyclic_group::<P256>();
+        test_nike::<P256>();
+        test_kem::<32, MonadicKEM<32, P256, Kdf256>>();
+    }
+}
diff --git a/crates/openssl_provider/src/p256/point.rs b/crates/openssl_provider/src/p256/point.rs
diff --git a/crates/openssl_provider/src/p256/scalar.rs b/crates/openssl_provider/src/p256/scalar.rs
