Bind out ed25519 support (#630)

Author: DmitriyMusatkin

.github/workflows/ci.yml

@@ -223,6 +223,7 @@ jobs:
     permissions:
       id-token: write # This is required for requesting the JWT
     steps:
+      - uses: ilammy/setup-nasm@v1
       - name: configure AWS credentials (containers)
         uses: aws-actions/configure-aws-credentials@v4
         with:
@@ -233,7 +234,6 @@ jobs:
           python -c "from urllib.request import urlretrieve; urlretrieve('${{ env.BUILDER_HOST }}/${{ env.BUILDER_SOURCE }}/${{ env.BUILDER_VERSION }}/builder.pyz?run=${{ env.RUN }}', 'builder.pyz')"
           python builder.pyz build -p ${{ env.PACKAGE_NAME }} --python "C:\\hostedtoolcache\\windows\\Python\\3.8.10\\${{ matrix.arch }}\\python.exe"
 
-
   macos:
     runs-on: macos-14 # latest
     permissions:

README.md

@@ -34,7 +34,7 @@ python3 -m pip install .
 
 To use from your Python application, declare `awscrt` as a dependency.
 
-### OpenSSL and LibCrypto (Unix only)
+### OpenSSL and LibCrypto
 
 aws-crt-python does not use OpenSSL for TLS.
 On Apple and Windows devices, the OS's default TLS library is used.
@@ -56,8 +56,19 @@ AWS_CRT_BUILD_USE_SYSTEM_LIBCRYPTO=1 python3 -m pip install --no-binary :all: --
 ```
 ( `--no-binary :all:` ensures you do not use the precompiled wheel from PyPI)
 
-You can ignore all this on Windows and Apple platforms, where aws-crt-python
-uses the OS's default libraries for TLS and cryptography math.
+aws-crt-python also exposes a number of cryptographic primitives. 
+On Unix, those depend on libcrypto as described above.
+On Apple and Windows OS level crypto libraries are used whenever possible.
+One exception to above statement is that for ED25519 keygen on Windows and Apple, 
+libcrypto is used as no viable OS level alternative exists. In that case Unix level notes
+about libcrypto apply to Apple and Windows as well. Libcrypto usage for ED25519 support is 
+enabled on Windows and Apple by default and can be disabled by setting environment variable
+`AWS_CRT_BUILD_DISABLE_LIBCRYPTO_USE_FOR_ED25519_EVERYWHERE` as follows:
+(Note: ED25519 keygen functions will start returning not supported error in this case)
+```sh
+AWS_CRT_BUILD_DISABLE_LIBCRYPTO_USE_FOR_ED25519_EVERYWHERE=1 python3 -m pip install --no-binary :all: --verbose awscrt
+```
+( `--no-binary :all:` ensures you do not use the precompiled wheel from PyPI)
 
 ### AWS_CRT_BUILD_USE_SYSTEM_LIBS ###
 

awscrt/crypto.py

@@ -171,3 +171,42 @@ def verify(self, signature_algorithm: RSASignatureAlgorithm,
         Returns True if signature matches and False if not.
         """
         return _awscrt.rsa_verify(self._binding, signature_algorithm, digest, signature)
+
+
+class ED25519ExportFormat(IntEnum):
+    """ED25519 Export format"""
+
+    RAW = 0
+    """
+    Raw bytes.
+    """
+
+    OPENSSH_B64 = 1
+    """
+    Base64 encoded OpenSSH format as defined in RFC 8709.
+    """
+
+
+class ED25519(NativeResource):
+    def __init__(self, binding):
+        super().__init__()
+        self._binding = binding
+
+    @staticmethod
+    def new_generate() -> 'ED25519':
+        """
+        Generates a new instance of ED25159 key pair.
+        """
+        return ED25519(binding=_awscrt.ed25519_new_generate())
+
+    def export_public_key(self, export_format: ED25519ExportFormat) -> bytes:
+        """
+        Exports public part of the key in specified format.
+        """
+        return _awscrt.ed25519_export_public_key(self._binding, export_format)
+
+    def export_private_key(self, export_format: ED25519ExportFormat) -> bytes:
+        """
+        Exports public part of the key in specified format.
+        """
+        return _awscrt.ed25519_export_private_key(self._binding, export_format)

crt/CMakeLists.txt

@@ -26,9 +26,11 @@ set(CMAKE_POSITION_INDEPENDENT_CODE ON CACHE BOOL "")
 set(BUILD_TESTING OFF CACHE BOOL "")
 include(CTest)
 
+option(AWS_USE_LIBCRYPTO_TO_SUPPORT_ED25519_EVERYWHERE "Set this if you want to use libcrypto to support ed25519 on Window/Apple" ON)
+
 # On Unix we use S2N for TLS and AWS-LC crypto.
 # (On Windows and Apple we use the default OS libraries)
-if(UNIX AND NOT APPLE)
+if ((UNIX AND NOT APPLE) OR AWS_USE_LIBCRYPTO_TO_SUPPORT_ED25519_EVERYWHERE)
     option(USE_OPENSSL "Set this if you want to use your system's OpenSSL compatible libcrypto" OFF)
     include(AwsPrebuildDependency)
 
@@ -41,6 +43,14 @@ if(UNIX AND NOT APPLE)
             -DBUILD_TESTING=OFF
         )
 
+        if (APPLE OR WIN32)
+            # Libcrypto implementations typically have several chunky pregenerated tables that add a lot
+            # to artifact size. We dont really need them for ed25519 case on win/mac, so favor 
+            # smaller binary over perf here.
+            # In future if there is more usage of lc on win/mac consider removing this
+            list(APPEND AWSLC_CMAKE_ARGUMENTS -DOPENSSL_SMALL=1)
+        endif()
+
         if(CMAKE_C_COMPILER_ID MATCHES "GNU" AND CMAKE_C_COMPILER_VERSION VERSION_LESS "5.0")
             # Disable AVX512 on old GCC that not supports it.
             list(APPEND AWSLC_CMAKE_ARGUMENTS -DMY_ASSEMBLER_IS_TOO_OLD_FOR_512AVX=ON)
@@ -54,6 +64,10 @@ if(UNIX AND NOT APPLE)
         )
     endif()
 
+
+endif()
+
+if(UNIX AND NOT APPLE)
     # prebuild s2n-tls.
     aws_prebuild_dependency(
         DEPENDENCY_NAME S2N