OpenSSL Communities

Implementing RustCrypto Traits

Dimitri John Ledkov (Chainguard) Sat 14 Feb 2026 5:28AM

In Rust, there are RustCrypto crates which implement convenient traits for cryptography. However, most of them have pure-Rust implementations and do not have implementations that can be powered by OpenSSL.

There are also the openssl / openssl-sys crates that implement very OpenSSL C-like APIs without implementing RustCrypto traits. And whilst one can use those crates, that code structure and API usage is difficult compared to the more popular RustCrypto.

In the https://github.com/awslabs/mls-rs/tree/main project, there is a set of common crypto traits with multiple backends, including OpenSSL, which so far is the most comprehensive abstraction I have found on top of OpenSSL-like backends.

Do you think it would be possible to start implementing RustCrypto traits powered by OpenSSL? With the eventual goal of adding an OpenSSL implementation as one of the available features in those traits, such that one can switch the sha2 crate to be powered by OpenSSL, as an example.

Has there been interest in such projects before? I wonder how to start small and useful and take it from there.

Paul Dale Sat 14 Feb 2026 6:46AM

Has anyone (in the Rust community) considered calling directly into the OpenSSL providers for access to the underlying cryptographic operations?

The OpenSSL provider APIs are considered part of the public APIs and, as such, fall under the stability guarantees. The FIPS provider is the only one currently disentangled from OpenSSL and available as a standalone loadable module, so some baggage will come along if the default or legacy providers are required.

Nikola Pajkovský Sat 14 Feb 2026 1:43PM

@Paul Dale sure, rust-openssl has wrappers around EVP https://docs.rs/openssl/latest/openssl/md/struct.Md.html#method.fetch

Paul Dale Sat 14 Feb 2026 10:43PM

I'm not talking about EVP. I'm talking about going directly to the provider via the provider APIs. This bypasses libcrypto entirely.

Richard Levitte (individual) Tue 17 Feb 2026 2:15PM

@ppzgs1, so more or less, reimplement EVP + the provider and params core from libcrypto in Rust... that's what you mean, yeah?

Paul Dale Tue 17 Feb 2026 8:12PM

In reverse order. The params would definitely need doing.

The libcrypto provider code is way more complex than just about anyone needs. I'd do a greatly simplified version that only supported:

  • Provider load (no unload).

  • Maybe algorithm caching, maybe not (the tables of algorithms aren't very big and a linear search is fine if you know only a few providers are loaded).

  • Limited or no LIB_CTX support.

  • Only the provider callbacks that are going to be used (which will be most of them).

I wouldn't implement any of EVP. I'd map the provider's offerings directly to whatever cryptographic APIs Rust provides. If Rust doesn't provide any, I'd implement a greatly simplified EVP or even expose the provider calls directly.
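
Added example, not part of the thread and not code from OpenSSL or any crate mentioned above: a self-contained Rust model of the simplified design sketched in the last post, with a linear search over a small algorithm table and the dispatch entries resolved once into a Rust-style hasher. Every name here (`Func`, `Algorithm`, `Hasher`, `fetch`, the `FNV1A-32` entry) is hypothetical, and a toy non-cryptographic digest stands in for a real provider, which would be loaded and called over FFI instead.

```rust
// Constructed stand-in for a provider: no OpenSSL code is called here.
type InitFn = fn() -> u32;
type UpdateFn = fn(u32, &[u8]) -> u32;
type FinalFn = fn(u32) -> [u8; 4];
// Same shape as a provider dispatch entry: identifies a function and carries its pointer.
#[derive(Clone, Copy)]
enum Func { Init(InitFn), Update(UpdateFn), Final(FinalFn) }
// Same shape as an algorithm table row: colon-separated names, properties, dispatch table.
struct Algorithm { names: &'static str, properties: &'static str, dispatch: &'static [Func] }

// Toy digest (32-bit FNV-1a, not cryptographic) standing in for a provider implementation.
fn fnv_init() -> u32 { 0x811c_9dc5 }
fn fnv_update(h: u32, data: &[u8]) -> u32 {
    data.iter().fold(h, |h, b| (h ^ u32::from(*b)).wrapping_mul(0x0100_0193))
}
fn fnv_final(h: u32) -> [u8; 4] { h.to_be_bytes() }
static FNV: [Func; 3] = [Func::Init(fnv_init), Func::Update(fnv_update), Func::Final(fnv_final)];
static DIGESTS: [Algorithm; 1] =
    [Algorithm { names: "FNV1A-32:FNV1A32", properties: "provider=toy", dispatch: &FNV }];

// Linear search over the table; every alias is compared case-insensitively.
fn fetch(table: &'static [Algorithm], name: &str) -> Option<&'static Algorithm> {
    table.iter().find(|a| a.names.split(':').any(|n| n.eq_ignore_ascii_case(name)))
}

// Function pointers are resolved once, so an incomplete table fails at fetch time.
struct Hasher { state: u32, update: UpdateFn, finish: FinalFn }
impl Hasher {
    fn new(table: &'static [Algorithm], name: &str) -> Result<Hasher, String> {
        let alg = fetch(table, name).ok_or_else(|| format!("unknown digest {}", name))?;
        let (mut init, mut update, mut finish) = (None, None, None);
        for f in alg.dispatch {
            match *f {
                Func::Init(x) => init = Some(x),
                Func::Update(x) => update = Some(x),
                Func::Final(x) => finish = Some(x),
            }
        }
        match (init, update, finish) {
            (Some(i), Some(u), Some(f)) => Ok(Hasher { state: i(), update: u, finish: f }),
            _ => Err(format!("{} ({}) is missing a required function", alg.names, alg.properties)),
        }
    }
    fn update(&mut self, data: &[u8]) { self.state = (self.update)(self.state, data); }
    fn finalize(self) -> [u8; 4] { (self.finish)(self.state) }
}
fn main() {
    let mut h = Hasher::new(&DIGESTS, "fnv1a32").expect("digest is in the table");
    h.update(b"constructed sample input");
    println!("{:02x?}", h.finalize());
}
```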