[WIP] pkcs5: encryption

Implements PKCS#5 encryption support, presently targeting only support
for PBES2 with PBKDF2-SHA-256 and AES-CBC (with 128 or 256-bit key size)

Note that these are presently the best options supported by PKCS#5 v2.1.

Support for legacy algorithms like DES, 3DES, MD2, and SHA-1 is
deliberately ommitted. We can revisit potentially adding these upon
request if there is demand, however since these algorithms are insecure
we don't support them in this initial implementation.

Author: tarcieri

.github/workflows/pkcs5.yml

@@ -25,7 +25,7 @@ jobs:
     strategy:
       matrix:
         rust:
-          - 1.47.0 # MSRV
+          - 1.49.0 # MSRV
           - stable
         target:
           - thumbv7em-none-eabi
@@ -38,14 +38,15 @@ jobs:
           toolchain: ${{ matrix.rust }}
           target: ${{ matrix.target }}
           override: true
-      - run: cargo build --release --target ${{ matrix.target }}
+      - run: cargo build --target ${{ matrix.target }} --release
+      - run: cargo build --target ${{ matrix.target }} --release --features pbes2
 
   test:
     runs-on: ubuntu-latest
     strategy:
       matrix:
         rust:
-          - 1.47.0 # MSRV
+          - 1.49.0 # MSRV
           - stable
     steps:
       - uses: actions/checkout@v1
@@ -55,3 +56,4 @@ jobs:
           toolchain: ${{ matrix.rust }}
           override: true
       - run: cargo test --release
+      - run: cargo test --release --all-features

.github/workflows/workspace.yml

@@ -16,7 +16,7 @@ jobs:
     - uses: actions/checkout@v1
     - uses: actions-rs/toolchain@v1
       with:
-        toolchain: 1.46.0 # MSRV
+        toolchain: 1.49.0 # Highest MSRV in repo
         components: clippy
         override: true
         profile: minimal

Cargo.lock

@@ -16,3 +16,7 @@ members = [
     "pkcs8",
     "spki",
 ]
+
+[patch.crates-io]
+aes = { git = "https://github.com/RustCrypto/block-ciphers" }
+block-modes = { git = "https://github.com/RustCrypto/block-ciphers" }

Cargo.toml

@@ -231,6 +231,7 @@ impl<T: Variant> Encoding for T {
 
     fn encoded_len(bytes: &[u8]) -> usize {
         // TODO: replace with `unwrap_or` on stabilization
+        #[allow(clippy::manual_unwrap_or)]
         match encoded_len_inner(bytes.len(), T::PADDED) {
             Some(v) => v,
             None => 0,

base64ct/src/encoding.rs

@@ -17,9 +17,18 @@ readme = "README.md"
 der = { version = "0.2.7", features = ["oid"], path = "../der" }
 spki = { version = "0.2", path = "../spki" }
 
+aes = { version = "=0.7.0-pre", optional = true }
+block-modes = { version = "=0.8.0-pre", optional = true, default-features = false }
+hmac = { version = "0.10", optional = true, default-features = false }
+pbkdf2 = { version = "0.7", optional = true, default-features = false }
+sha2 = { version = "0.9", optional = true, default-features = false }
+
 [dev-dependencies]
 hex-literal = "0.3"
 
+[features]
+pbes2 = ["aes", "block-modes", "hmac", "pbkdf2", "sha2"]
+
 [package.metadata.docs.rs]
 all-features = true
 rustdoc-args = ["--cfg", "docsrs"]

pkcs5/Cargo.toml

@@ -34,7 +34,7 @@ dual licensed as above, without any additional terms or conditions.
 [docs-image]: https://docs.rs/pkcs5/badge.svg
 [docs-link]: https://docs.rs/pkcs5/
 [license-image]: https://img.shields.io/badge/license-Apache2.0/MIT-blue.svg
-[rustc-image]: https://img.shields.io/badge/rustc-1.47+-blue.svg
+[rustc-image]: https://img.shields.io/badge/rustc-1.49+-blue.svg
 [chat-image]: https://img.shields.io/badge/zulip-join_chat-blue.svg
 [chat-link]: https://rustcrypto.zulipchat.com/#narrow/stream/260052-utils
 [build-image]: https://github.com/RustCrypto/utils/workflows/pkcs5/badge.svg?branch=master&event=push