
Refactor: switch to aws-lc-rs library #307

Open
flavio opened this issue Nov 14, 2023 · 6 comments
Labels
enhancement New feature or request

Comments

@flavio
Member

flavio commented Nov 14, 2023

Description

A long time ago we moved away from the ring crate to a constellation of pure-rust cryptographic libraries. We did the switch because the ring library did not build for certain architectures (like s390x and webassembly).

This limitation has been addressed by latest versions of the library. Moreover, we have recently reintroduced the ring dependency to implement TUF trustroots.

Moving back to ring would reduce the list of dependencies we have, making the codebase easier to understand and to maintain.

I think these are the dependencies we should be able to remove:

  • ecdsa
  • ed25519
  • ed25519-dalek
  • elliptic-curve
  • p256
  • p384
  • pkcs1
  • pkcs8
  • rsa
@flavio flavio added the enhancement New feature or request label Nov 14, 2023
@jleightcap
Contributor

@flavio @lukehinds ToB is willing to pick this up!

@flavio
Member Author

flavio commented Dec 11, 2023

@jleightcap: awesome, who should I assign this issue to?

@flavio
Member Author

flavio commented Sep 17, 2024

Update: rustls is now supporting two different crypto backends: ring and aws-lc-rs. The latter one is a drop-in replacement of ring that provides FIPS support.

The tough crate is also considering performing the same change.

I still think we should drop the pure-rust libraries and support either ring or aws-lc-rs.

@viccuad
Collaborator

viccuad commented Sep 30, 2024

I still think we should drop the pure-rust libraries and support either ring or aws-lc-rs

It seems that aws-lc-rs is finicky for Windows builds. Since they are drop-in replacements, I think it would be a good idea to provide a feature for selecting between them.

@flavio flavio changed the title Refactor: switch to ring library Refactor: switch to aws-lc-rs library Feb 24, 2025
@flavio
Member Author

flavio commented Feb 24, 2025

ring is being put on security maintenance mode (see here). I don't think it makes a lot of sense to switch to it.

I would propose to move to aws-lc-rs because:

  • It's getting traction inside of the rust ecosystem; as proof, this is one of the two official crypto providers of rustls (see here)
  • It can be built using FIPS mode, which is a nice addition

What do the other maintainers think about that?

@viccuad
Collaborator

viccuad commented Feb 25, 2025

I'm in for aws-lc-rs provided that we can do Windows builds.
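The backend-selection feature viccuad suggests above, and the FIPS build flavio mentions, can be expressed as Cargo features that forward to the provider features rustls already exposes. This is an added illustration, not code from the project: the crate name is hypothetical, and it assumes the `ring`, `aws-lc-rs` and `fips` feature names of rustls 0.23.

```toml
# Hypothetical crate manifest (added example, not the project's Cargo.toml).
[package]
name = "example-signing-crate"   # placeholder name
version = "0.1.0"
edition = "2021"

[dependencies]
# Disable rustls' default provider so the backend is chosen only through
# this crate's own features, never pulled in implicitly.
rustls = { version = "0.23", default-features = false, features = ["std", "tls12", "logging"] }

[features]
# Exactly one backend feature should be enabled per build; the two
# providers are drop-in replacements for each other at the rustls level.
default = ["aws-lc-rs"]

# aws-lc-rs backend (assumed rustls feature name: "aws-lc-rs").
aws-lc-rs = ["rustls/aws-lc-rs"]

# ring backend, kept as a fallback for targets where aws-lc-rs does not
# build cleanly (assumed rustls feature name: "ring").
ring = ["rustls/ring"]

# FIPS-validated aws-lc build; implies the aws-lc-rs backend
# (assumed rustls feature name: "fips").
fips = ["aws-lc-rs", "rustls/fips"]
```

With this layout a consumer picks the fallback explicitly with `cargo build --no-default-features --features ring`, and a FIPS build with `--features fips`; code paths that depend on a specific provider can be gated with `#[cfg(feature = "ring")]` and `#[cfg(feature = "aws-lc-rs")]`.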
