Rust bindings to OpenSSL using idiomatic Rust. https://akamu.dev/native-ossl/doc/
  • Rust 89.4%
  • Shell 5.4%
  • Python 4.1%
  • Makefile 1.1%
Alexander Bokovoy fb44b7b642
chore: update Cargo.lock
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
2026-07-02 09:00:40 +03:00
.github/workflows ci: build canary CI with --features rustls-0-24 2026-07-02 09:00:40 +03:00
contrib ci: build canary CI with --features rustls-0-24 2026-07-02 09:00:40 +03:00
docs docs: update documentation for ML-DSA signing, public verify API, and canary CI 2026-07-01 11:13:31 +03:00
examples/encrypt-demo release: v0.1.12 2026-06-24 08:41:27 +03:00
native-ossl release: v0.1.12 2026-06-24 08:41:27 +03:00
native-ossl-sys release: v0.1.12 2026-06-24 08:41:27 +03:00
ring-native-ossl release: v0.1.12 2026-06-24 08:41:27 +03:00
rustls-native-ossl feat(rustls): dual-version hybrid_pq example for rustls 0.24 2026-07-02 09:00:40 +03:00
wiki docs(wiki): record PRs #20–#27 merged — all gaps resolved 2026-04-18 14:34:00 +03:00
.gitignore chore: ignore generated packaging artifacts and Python cache 2026-06-12 17:38:03 +03:00
Cargo.lock chore: update Cargo.lock 2026-07-02 09:00:40 +03:00
Cargo.toml release: v0.1.12 2026-06-24 08:41:27 +03:00
CHANGELOG.md docs: update documentation for ML-DSA signing, public verify API, and canary CI 2026-07-01 11:13:31 +03:00
LICENSE license: add Apache-2.0 (matches OpenSSL 3.x) 2026-04-15 15:14:33 +03:00
README.md docs(readme): broaden tagline to reflect full OpenSSL stack coverage 2026-04-18 14:39:34 +03:00

native-ossl

Safe, idiomatic Rust wrappers for modern OpenSSL (3.0.7+, 4.x).

native-ossl gives Rust code direct access to the OpenSSL cryptographic library already installed on the system — no reimplementation, no vendored C code by default, no protocol logic added on top. The API covers the full public OpenSSL stack: EVP algorithms, asymmetric keys, TLS, X.509, OCSP, PKCS#12, BIO, and provider/library-context management.

What is provided

Module   Types
error    ErrorStack — full OpenSSL error queue on failure
lib_ctx  LibCtx, Provider — isolated library contexts
params   ParamBuilder, Params — typed OSSL_PARAM arrays with in-place setters
digest   DigestAlg, DigestCtx — including mid-stream context fork and checkpoint serialization
cipher   CipherAlg, CipherCtx<Dir>, AeadEncryptCtx, AeadDecryptCtx
mac      MacAlg, MacCtx, HmacCtx, CmacCtx
rand     Rand, RandAlg, RandCtx
pkey     Pkey<T>, KeygenCtx, Signer, Verifier, RawSigner, RawVerifier, MessageSigner, MessageVerifier, DeriveCtx, PkeyEncryptCtx, PkeyDecryptCtx, EncapCtx, DecapCtx
kdf      HkdfBuilder, Pbkdf2Builder, ScryptBuilder, SshkdfBuilder, KbkdfBuilder
x509     X509, X509Builder, X509Store, X509StoreCtx, X509Crl, SignatureInfo
pkcs12   Pkcs12
ocsp     OcspCertId, OcspRequest, OcspResponse, OcspBasicResp
ssl      SslCtx, SslCtxBuilder<R>, Ssl, SslSession, BorrowedSslSession, HostnameFlags
fips     fips::is_running
util     SecretBuf — OPENSSL_cleanse-on-drop buffer

Requirements

  • OpenSSL 3.0.7 or later (system install; 3.2+ for KEM/message-sign APIs, 3.5+ for SSH-KDF/KBKDF)
  • Rust 1.77 or later (required for c"..." C-string literal syntax)
  • pkg-config
# Fedora / RHEL
sudo dnf install openssl-devel
# Ubuntu / Debian
sudo apt install libssl-dev pkg-config
# macOS (Homebrew)
brew install openssl@3
export PKG_CONFIG_PATH="$(brew --prefix openssl@3)/lib/pkgconfig"

Usage

[dependencies]
native-ossl = { version = "0.1" }

SHA-256

use native_ossl::digest::DigestAlg;

let sha256 = DigestAlg::fetch(c"SHA2-256", None)?;
let mut ctx = sha256.new_context()?;
ctx.update(b"hello world")?;
let mut out = [0u8; 32];
ctx.finish(&mut out)?;

AES-256-GCM

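use native_ossl::{
    cipher::{CipherAlg, AeadEncryptCtx, AeadDecryptCtx},
    rand::Rand,
};

let alg = CipherAlg::fetch(c"AES-256-GCM", None)?;
// Fresh random key and 96-bit nonce; a nonce must never repeat under the same key.
let mut key = [0u8; 32];
let mut nonce = [0u8; 12];
Rand::fill(&mut key)?;
Rand::fill(&mut nonce)?;

let mut enc = AeadEncryptCtx::new(&alg, &key, &nonce, None)?;
let mut ct = vec![0u8; plaintext.len()];
// n = bytes written so far; assumes update returns that count, as the ct[n..] slice implies.
let n = enc.update(plaintext, &mut ct)?;
enc.finalize(&mut ct[n..])?;
// The 16-byte authentication tag travels with the ciphertext and nonce.
let mut tag = [0u8; 16];
enc.tag(&mut tag)?;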

HKDF

use native_ossl::{digest::DigestAlg, kdf::HkdfBuilder};

let sha256 = DigestAlg::fetch(c"SHA2-256", None)?;
let mut okm = [0u8; 32];
HkdfBuilder::new(&sha256)
    .key(ikm)
    .salt(salt)
    .info(info)
    .derive(&mut okm)?;

Ed25519 sign / verify

use native_ossl::pkey::KeygenCtx;

let key = KeygenCtx::new(c"ED25519")?.generate()?;
let sig = key.sign_oneshot(message)?;
key.verify_oneshot(&sig, message)?;

TLS client (fluent builder)

use native_ossl::ssl::{SslCtxBuilder, Client, TlsVersion, HostnameFlags};

let ctx = SslCtxBuilder::<Client>::new()?
    .min_proto_version(TlsVersion::Tls12)?
    .default_ca_paths()?
    .verify_peer()
    .verify_hostname("example.com")?
    .verify_hostname_flags(HostnameFlags::NO_PARTIAL_WILDCARDS)?
    .build()?;

let mut ssl = ctx.new_ssl()?;
ssl.set_connect_state();
ssl.connect()?;

Inspect certificate signature algorithm

use native_ossl::x509::X509;

let cert = X509::from_pem(&std::fs::read("cert.pem")?)?;
let info = cert.signature_info()?;
// info.md_nid, info.pk_nid, info.security_bits
println!("pk_nid={} md_nid={} bits={}", info.pk_nid, info.md_nid, info.security_bits);

Cargo features

Feature        Default  Effect
dynamic        yes      Link against the system OpenSSL via pkg-config
vendored       no       Build a specific OpenSSL source tree (set NATIVE_OSSL_OPENSSL_SOURCES)
fips           no       Link libfips.a instead of libcrypto.a
fips-provider  no       Enable non-public provider-internal bindings (OPENSSL_SOURCE_DIR required)

Version-gated APIs

The build system detects the installed OpenSSL version automatically and activates the appropriate #[cfg(...)] gates. No manual flags are needed.

cfg flag     Minimum  APIs
ossl320      3.2.0    MessageSigner, MessageVerifier, EncapCtx, DecapCtx, GlobalRandCtx
ossl350      3.5.0    SshkdfBuilder, KbkdfBuilder
ossl_v400    4.0.0    DigestCtx::serialize / deserialize
ossl_slhdsa           SLH-DSA key operations
ossl_mldsa            ML-DSA key operations
ossl_mlkem            ML-KEM encapsulate / decapsulate

Algorithm flags (ossl_slhdsa, ossl_mldsa, ossl_mlkem) are detected from header macros rather than the version number, so they track distribution backports correctly.
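
How the two kinds of gate can diverge on a distribution backport, as an added example that is not native-ossl's own build script: version flags come from the OPENSSL_VERSION_* macros, algorithm flags from the presence of a macro. The NID_* macro names and the sample header text are assumptions; the thresholds are the ones in the table above.

```rust
// Added example, not native-ossl's build script; NID_* probe names are assumed.

/// Text after `# define NAME` on its line, if the header defines NAME.
fn macro_value<'a>(header: &'a str, name: &str) -> Option<&'a str> {
    header.lines().find_map(|line| {
        let rest = line.trim_start().strip_prefix('#')?.trim_start();
        let rest = rest.strip_prefix("define")?.trim_start();
        let (found, value) = rest.split_once(char::is_whitespace).unwrap_or((rest, ""));
        (found == name).then_some(value.trim())
    })
}

/// cfg flags implied by the given header text.
fn detect_cfgs(header: &str) -> Vec<&'static str> {
    let num = |n: &str| macro_value(header, n).and_then(|v| v.parse::<u32>().ok()).unwrap_or(0);
    let version = ["MAJOR", "MINOR", "PATCH"].map(|p| num(&format!("OPENSSL_VERSION_{p}")));
    let mut cfgs = Vec::new();
    // Version gates: arrays compare lexicographically (major, minor, patch).
    for (min, flag) in [([3, 2, 0], "ossl320"), ([3, 5, 0], "ossl350"), ([4, 0, 0], "ossl_v400")] {
        if version >= min {
            cfgs.push(flag);
        }
    }
    // Algorithm gates: keyed on macros, so a backport to an older release counts.
    for (mac, flag) in [
        ("NID_SLH_DSA_SHA2_128s", "ossl_slhdsa"),
        ("NID_ML_DSA_44", "ossl_mldsa"),
        ("NID_ML_KEM_512", "ossl_mlkem"),
    ] {
        if macro_value(header, mac).is_some() {
            cfgs.push(flag);
        }
    }
    cfgs
}

// Constructed sample: 3.2.x headers with ML-KEM backported by the distribution.
const BACKPORT_HEADERS: &str = "\
# define OPENSSL_VERSION_MAJOR 3
# define OPENSSL_VERSION_MINOR 2
# define OPENSSL_VERSION_PATCH 4
# define NID_ML_KEM_512 9999
";

fn main() {
    for flag in detect_cfgs(BACKPORT_HEADERS) {
        println!("cargo:rustc-cfg={flag}"); // the line a build script hands to Cargo
    }
}
```

On the constructed 3.2.4 headers this yields ossl320 and ossl_mlkem but not ossl350, which a version-only check would have reported as "no ML-KEM".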

Building and testing

cargo build
cargo test --all
cargo clippy --all-targets -- -D warnings

See docs/src/dev/building.md for FIPS mode, fips-provider, vendored builds, and the full CI checklist.

Documentation

cargo install mdbook
cd docs && mdbook build --open

Or browse the source under docs/src/.

License

Apache-2.0. See LICENSE.