- Rust 89.4%
- Shell 5.4%
- Python 4.1%
- Makefile 1.1%
Latest commit: fb44b7b642 by Alexander Bokovoy
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>

| Path | Last commit |
|---|---|
| .github/workflows | ci: build canary CI with --features rustls-0-24 |
| contrib | ci: build canary CI with --features rustls-0-24 |
| docs | docs: update documentation for ML-DSA signing, public verify API, and canary CI |
| examples/encrypt-demo | release: v0.1.12 |
| native-ossl | release: v0.1.12 |
| native-ossl-sys | release: v0.1.12 |
| ring-native-ossl | release: v0.1.12 |
| rustls-native-ossl | feat(rustls): dual-version hybrid_pq example for rustls 0.24 |
| wiki | docs(wiki): record PRs #20–#27 merged — all gaps resolved |
| .gitignore | chore: ignore generated packaging artifacts and Python cache |
| Cargo.lock | chore: update Cargo.lock |
| Cargo.toml | release: v0.1.12 |
| CHANGELOG.md | docs: update documentation for ML-DSA signing, public verify API, and canary CI |
| LICENSE | license: add Apache-2.0 (matches OpenSSL 3.x) |
| README.md | docs(readme): broaden tagline to reflect full OpenSSL stack coverage |
native-ossl
Safe, idiomatic Rust wrappers for modern OpenSSL (3.0.7+, 4.x).
native-ossl gives Rust code direct access to the OpenSSL cryptographic
library already installed on the system — no reimplementation, no vendored
C code by default, no protocol logic added on top. The API covers the full
public OpenSSL stack: EVP algorithms, asymmetric keys, TLS, X.509, OCSP,
PKCS#12, BIO, and provider/library-context management.
What is provided
| Module | Types |
|---|---|
| error | ErrorStack — full OpenSSL error queue on failure |
| lib_ctx | LibCtx, Provider — isolated library contexts |
| params | ParamBuilder, Params — typed OSSL_PARAM arrays with in-place setters |
| digest | DigestAlg, DigestCtx — including mid-stream context fork and checkpoint serialization |
| cipher | CipherAlg, CipherCtx<Dir>, AeadEncryptCtx, AeadDecryptCtx |
| mac | MacAlg, MacCtx, HmacCtx, CmacCtx |
| rand | Rand, RandAlg, RandCtx |
| pkey | Pkey<T>, KeygenCtx, Signer, Verifier, RawSigner, RawVerifier, MessageSigner, MessageVerifier, DeriveCtx, PkeyEncryptCtx, PkeyDecryptCtx, EncapCtx, DecapCtx |
| kdf | HkdfBuilder, Pbkdf2Builder, ScryptBuilder, SshkdfBuilder, KbkdfBuilder |
| x509 | X509, X509Builder, X509Store, X509StoreCtx, X509Crl, SignatureInfo |
| pkcs12 | Pkcs12 |
| ocsp | OcspCertId, OcspRequest, OcspResponse, OcspBasicResp |
| ssl | SslCtx, SslCtxBuilder<R>, Ssl, SslSession, BorrowedSslSession, HostnameFlags |
| fips | fips::is_running |
| util | SecretBuf — OPENSSL_cleanse-on-drop buffer |
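The x509 row lists SignatureInfo, which the Usage section further down reads out as `pk_nid`, `md_nid` and `security_bits`. Those three integers only protect anything if something enforces a policy on them. What follows is an added example, not code from native-ossl: a std-only policy check over those same three fields, using NID values copied from OpenSSL's include/openssl/obj_mac.h. `SigInfo`, `Verdict`, `evaluate` and the constant names are this example's own; in real code you would pass the fields of the crate's SignatureInfo.

```rust
/// NID values as defined in OpenSSL's include/openssl/obj_mac.h.
pub const NID_UNDEF: i32 = 0;
pub const NID_MD5: i32 = 4;
pub const NID_SHA1: i32 = 64;
pub const NID_SHA256: i32 = 672;
pub const NID_RSA_ENCRYPTION: i32 = 6;
pub const NID_EC_PUBLIC_KEY: i32 = 408; // NID_X9_62_id_ecPublicKey
pub const NID_ED25519: i32 = 1087;
pub const NID_ED448: i32 = 1088;

/// Mirror of the three fields the README prints from signature_info()
/// (example type, not the crate's SignatureInfo).
#[derive(Debug, Clone, Copy)]
pub struct SigInfo {
    pub pk_nid: i32,
    pub md_nid: i32,
    pub security_bits: i32,
}

#[derive(Debug, PartialEq, Eq)]
pub enum Verdict {
    Accept,
    Reject(&'static str),
}

/// Decide whether a certificate's signature algorithm is acceptable.
/// `min_bits` is the security-strength floor: 112 is the usual minimum today,
/// 128 if you only want SHA-256 / P-256 / Ed25519-class signatures.
pub fn evaluate(info: SigInfo, min_bits: i32) -> Verdict {
    // 1. Digest checks come first: MD5 and SHA-1 are rejected even when the
    //    reported strength would clear the floor.
    match info.md_nid {
        NID_MD5 | NID_SHA1 => return Verdict::Reject("MD5/SHA-1 signature digest"),
        // OpenSSL reports no separate digest for EdDSA because the hash is
        // internal to the scheme. For any other key type, md_nid == NID_undef
        // means OpenSSL could not classify the signature, so fail closed.
        NID_UNDEF if !matches!(info.pk_nid, NID_ED25519 | NID_ED448) => {
            return Verdict::Reject("unclassified signature digest");
        }
        _ => {}
    }
    // 2. Strength floor. OpenSSL reports -1 when it cannot determine the
    //    strength; a plain "< min_bits" comparison rejects that case too.
    if info.security_bits < min_bits {
        return Verdict::Reject("security strength below floor");
    }
    Verdict::Accept
}

fn main() {
    // Constructed inputs standing in for what signature_info() would return.
    let samples = [
        ("RSA-2048 / SHA-256", SigInfo { pk_nid: NID_RSA_ENCRYPTION, md_nid: NID_SHA256, security_bits: 112 }),
        ("RSA / SHA-1", SigInfo { pk_nid: NID_RSA_ENCRYPTION, md_nid: NID_SHA1, security_bits: 112 }),
        ("Ed25519", SigInfo { pk_nid: NID_ED25519, md_nid: NID_UNDEF, security_bits: 128 }),
    ];
    for (name, info) in samples {
        println!("{name}: {:?}", evaluate(info, 112));
    }
}
```

The order matters: a digest check before the strength comparison means a SHA-1 signature on a 4096-bit RSA key is still rejected, and treating a negative strength as "below floor" avoids accepting a signature OpenSSL itself could not classify.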
Requirements
- OpenSSL 3.0.7 or later (system install; 3.2+ for KEM/message-sign APIs, 3.5+ for SSH-KDF/KBKDF)
- Rust 1.77 or later (required for the `c"..."` C-string literal syntax)
- pkg-config

```sh
# Fedora / RHEL
sudo dnf install openssl-devel
# Ubuntu / Debian
sudo apt install libssl-dev pkg-config
# macOS (Homebrew)
brew install openssl@3
export PKG_CONFIG_PATH="$(brew --prefix openssl@3)/lib/pkgconfig"
```
Usage

```toml
[dependencies]
native-ossl = { version = "0.1" }
```
Each snippet below runs inside a function that returns a `Result`, so `?` propagates OpenSSL failures as an `ErrorStack`.

SHA-256

```rust
use native_ossl::digest::DigestAlg;

let sha256 = DigestAlg::fetch(c"SHA2-256", None)?;
let mut ctx = sha256.new_context()?;
ctx.update(b"hello world")?;
let mut out = [0u8; 32];
ctx.finish(&mut out)?;
```

AES-256-GCM

```rust
use native_ossl::{cipher::{CipherAlg, AeadEncryptCtx, AeadDecryptCtx}, rand::Rand};

let alg = CipherAlg::fetch(c"AES-256-GCM", None)?;
let mut key = [0u8; 32];
let mut nonce = [0u8; 12];
Rand::fill(&mut key)?;
Rand::fill(&mut nonce)?; // a nonce must never be reused under the same key

let mut enc = AeadEncryptCtx::new(&alg, &key, &nonce, None)?;
let mut ct = vec![0u8; plaintext.len()];
let n = enc.update(plaintext, &mut ct)?; // number of ciphertext bytes written so far
enc.finalize(&mut ct[n..])?;
let mut tag = [0u8; 16];
enc.tag(&mut tag)?; // the tag must travel with the ciphertext and be checked on decrypt
```

HKDF

```rust
use native_ossl::{digest::DigestAlg, kdf::HkdfBuilder};

let sha256 = DigestAlg::fetch(c"SHA2-256", None)?;
let mut okm = [0u8; 32];
HkdfBuilder::new(&sha256).key(ikm).salt(salt).info(info).derive(&mut okm)?;
```

Ed25519 sign / verify

```rust
use native_ossl::pkey::KeygenCtx;

let key = KeygenCtx::new(c"ED25519")?.generate()?;
let sig = key.sign_oneshot(message)?;
key.verify_oneshot(&sig, message)?;
```

TLS client (fluent builder)

```rust
use native_ossl::ssl::{SslCtxBuilder, Client, TlsVersion, HostnameFlags};

let ctx = SslCtxBuilder::<Client>::new()?
    .min_proto_version(TlsVersion::Tls12)?
    .default_ca_paths()?
    .verify_peer()
    .verify_hostname("example.com")?
    .verify_hostname_flags(HostnameFlags::NO_PARTIAL_WILDCARDS)?
    .build()?;
let mut ssl = ctx.new_ssl()?;
ssl.set_connect_state();
ssl.connect()?;
```

Inspect certificate signature algorithm

```rust
use native_ossl::x509::X509;

let cert = X509::from_pem(&std::fs::read("cert.pem")?)?;
let info = cert.signature_info()?; // info.md_nid, info.pk_nid, info.security_bits
println!("pk_nid={} md_nid={} bits={}", info.pk_nid, info.md_nid, info.security_bits);
```

Cargo features
| Feature | Default | Effect |
|---|---|---|
| dynamic | yes | Link against the system OpenSSL via pkg-config |
| vendored | no | Build a specific OpenSSL source tree (set NATIVE_OSSL_OPENSSL_SOURCES) |
| fips | no | Link libfips.a instead of libcrypto.a |
| fips-provider | no | Enable non-public provider-internal bindings (OPENSSL_SOURCE_DIR required) |
Version-gated APIs
The build system detects the installed OpenSSL version automatically and
activates the appropriate #[cfg(...)] gates. No manual flags are needed.
| cfg flag | Minimum | APIs |
|---|---|---|
| ossl320 | 3.2.0 | MessageSigner, MessageVerifier, EncapCtx, DecapCtx, GlobalRandCtx |
| ossl350 | 3.5.0 | SshkdfBuilder, KbkdfBuilder |
| ossl_v400 | 4.0.0 | DigestCtx::serialize / deserialize |
| ossl_slhdsa | — | SLH-DSA key operations |
| ossl_mldsa | — | ML-DSA key operations |
| ossl_mlkem | — | ML-KEM encapsulate / decapsulate |
Algorithm flags (ossl_slhdsa, ossl_mldsa, ossl_mlkem) are detected from
header macros rather than the version number, so they track distribution backports
correctly.
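To make the detection logic concrete, here is an added example, written with std only and not the crate's own build script: the version string reported by pkg-config is compared against the minimums in the table above, while the three algorithm gates are taken from a separate header probe. `Gates`, `HeaderProbe`, `parse_version`, `gates_for` and `cfg_directives` are this example's names. It also exercises the backport case just described: a 3.0.x distribution build with ML-DSA backported gets `ossl_mldsa` without `ossl320`, and anything older than 3.0.7 is rejected outright.

```rust
/// The cfg gates from the table above.
#[derive(Debug, Default, PartialEq, Eq)]
pub struct Gates {
    pub ossl320: bool,
    pub ossl350: bool,
    pub ossl_v400: bool,
    pub ossl_slhdsa: bool,
    pub ossl_mldsa: bool,
    pub ossl_mlkem: bool,
}

/// What a probe of the installed headers found (example type; the real
/// build script derives this from header macros).
#[derive(Debug, Default, Clone, Copy)]
pub struct HeaderProbe {
    pub slhdsa: bool,
    pub mldsa: bool,
    pub mlkem: bool,
}

/// Oldest OpenSSL the crate supports.
pub const MIN_VERSION: (u32, u32, u32) = (3, 0, 7);

/// Parse "3.0.7", "3.5.0-dev" or "4.0.0alpha1" into (major, minor, patch).
/// Non-digit suffixes are ignored; a missing patch component counts as 0.
pub fn parse_version(s: &str) -> Option<(u32, u32, u32)> {
    let mut parts = s.trim().splitn(3, '.');
    let mut next = || -> Option<u32> {
        let digits: String = parts.next()?.chars().take_while(|c| c.is_ascii_digit()).collect();
        digits.parse().ok()
    };
    let major = next()?;
    let minor = next()?;
    let patch = next().unwrap_or(0);
    Some((major, minor, patch))
}

/// Compute the gates for an installed OpenSSL, or fail if it is too old.
pub fn gates_for(version: &str, probe: HeaderProbe) -> Result<Gates, String> {
    let v = parse_version(version)
        .ok_or_else(|| format!("cannot parse OpenSSL version {version:?}"))?;
    if v < MIN_VERSION {
        return Err(format!("OpenSSL {version} is below the supported minimum 3.0.7"));
    }
    Ok(Gates {
        // Version-number gates. Tuple comparison is numeric per component,
        // so "3.10.0" correctly sorts after "3.9.0".
        ossl320: v >= (3, 2, 0),
        ossl350: v >= (3, 5, 0),
        ossl_v400: v >= (4, 0, 0),
        // Algorithm gates come from the headers, not the version, so a
        // distribution that backports ML-DSA into 3.0.x still gets ossl_mldsa.
        ossl_slhdsa: probe.slhdsa,
        ossl_mldsa: probe.mldsa,
        ossl_mlkem: probe.mlkem,
    })
}

/// Lines a build script would print to Cargo: a check-cfg declaration for
/// every gate (so rustc's `unexpected_cfgs` lint accepts them) followed by a
/// rustc-cfg line for each gate that is enabled.
pub fn cfg_directives(g: &Gates) -> Vec<String> {
    let gates = [
        ("ossl320", g.ossl320),
        ("ossl350", g.ossl350),
        ("ossl_v400", g.ossl_v400),
        ("ossl_slhdsa", g.ossl_slhdsa),
        ("ossl_mldsa", g.ossl_mldsa),
        ("ossl_mlkem", g.ossl_mlkem),
    ];
    let mut out: Vec<String> = gates.iter().map(|(n, _)| format!("cargo:rustc-check-cfg=cfg({n})")).collect();
    out.extend(gates.iter().filter(|(_, on)| *on).map(|(n, _)| format!("cargo:rustc-cfg={n}")));
    out
}

fn main() {
    // Constructed inputs: a stock 3.2 build, and a 3.0.x distribution build with ML-DSA backported.
    let cases = [
        ("3.2.4", HeaderProbe::default()),
        ("3.0.13", HeaderProbe { mldsa: true, ..Default::default() }),
    ];
    for (ver, probe) in cases {
        match gates_for(ver, probe) {
            Ok(g) => println!("{ver}: {:?}", cfg_directives(&g)),
            Err(e) => println!("{ver}: {e}"),
        }
    }
}
```

Emitting the check-cfg lines alongside the cfg lines is the part people forget: without them, every `#[cfg(ossl320)]` in the crate trips the `unexpected_cfgs` warning on recent toolchains, and under `clippy -- -D warnings` that becomes a build failure.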
Building and testing

```sh
cargo build
cargo test --all
cargo clippy --all-targets -- -D warnings
```

See docs/src/dev/building.md for FIPS mode,
fips-provider, vendored builds, and the full CI checklist.

Documentation

```sh
cargo install mdbook
cd docs && mdbook build --open
```

Or browse the source under docs/src/.
License
Apache-2.0. See LICENSE.