Hello all,
I think that a cryptography library that is well supported and trusted is essential for the development of programs in any language. Crypto primitives are a requirement for a large number of common tasks in our modern, Internet-connected world. Everything from cryptographic ciphers to hashing functions to X.509 intfrastructure is needed for so many applications. It’s been my observation that developing such a library for Rust is being approached, but doesn’t seem to have the sense of urgency from the community that it seems it deserves.
The Rust core team opted not to include cryptographic functions in Rust’s standard library, since a stated goal is to keep a small standard library with just enough to enable any further abstractions and libraries in external crates. I agree with this approach and think it’s a great idea, but it also hurts when there are not “officially endorsed” options for fundamentals like crypto where security and trust are so important. In many of the various applications I’ve started to build in Rust, I find myself being eventually blocked by lack of solid crypto support.
The two projects I’m aware of that have come the furthest towards helping fill this gap are rust-crypto and rust-openssl. rust-crypto is a great project that looks like it will eventually get us some mostly-pure-Rust crypto primitives, but as both the language and the library are new, will naturally take some time to be tested and audited and to become trusted for real applications. rust-openssl appears to be the de facto interim solution, as it provides Rust programs with access to the world’s most-used crypto library. However, the project seems to be managed in sort of an ad-hoc way, with little documentation, no project roadmap, and most development coming from a hodgepodge of pull requests from users that needed one specific thing that hadn’t been implemented yet. It seems like it should be a very high priority for us to at least get rust-openssl into a state where Rust programmers can use OpenSSL functionality safely and reliably without having to shell out to the openssl
command line tool.
I realize that Rust is still very young, having reached 1.0 less than a year ago, and that there is a huge amount of ongoing work to improve and further stabilize it, and that not everything can be done at once with only finite resources. I suppose I am mostly curious to hear others’ thoughts on how crypto in Rust should fall on the community’s list of priorities and how we might go about getting ourselves to a better place. I apologize if this seems like a rant or a complaint—I’m very appreciative of everything the Rust core team and community are doing, but I’m hoping to help impassion folks about getting us solid crypto support.