Add automatic rustls crypto provider initialization #65
Conversation
- Add new crypto module with ensure_default_provider() helper - Automatically initialize crypto provider in all HTTPS/S3/FTP code paths - Prefer AWS-LC with automatic fallback to ring - Thread-safe and idempotent implementation - Export publicly for use by dependent crates - Add comprehensive documentation and examples - Add tests for provider initialization Fixes the 'Could not automatically determine the process-level CryptoProvider' panic by ensuring a provider is always installed before rustls operations, without requiring manual setup.
There was a problem hiding this comment.
Pull Request Overview
This PR adds automatic rustls crypto provider initialization to prevent the "Could not automatically determine the process-level CryptoProvider" panic. The implementation creates a new crypto module with an ensure_default_provider() function that automatically tries to install AWS-LC first, then falls back to ring, and integrates it into all HTTPS/S3/FTP code paths.
Key changes:
- New
cryptomodule with automatic provider initialization logic - Integration of automatic initialization across all HTTPS, S3, and FTP operations
- Updated Cargo.toml to use
sync-rustls-tlsfor rust-s3 - Comprehensive documentation and example for explicit initialization
Reviewed Changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 8 comments.
Show a summary per file
| File | Description |
|---|---|
| src/oneio/crypto.rs | New module implementing crypto provider initialization with AWS-LC and ring fallback |
| src/oneio/remote.rs | Added automatic crypto provider initialization to HTTP and FTP operations |
| src/oneio/s3.rs | Added automatic crypto provider initialization to S3 bucket operations |
| src/oneio/mod.rs | Exposed crypto module and added initialization to content length and async operations |
| src/lib.rs | Exposed crypto module publicly and added documentation |
| examples/test_crypto_provider.rs | New example demonstrating explicit crypto provider initialization |
| README.md | Added documentation for crypto provider initialization |
| Cargo.toml | Updated rust-s3 to use sync-rustls-tls and added example configuration |
| CHANGELOG.md | Documented the new feature and changes |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Lines 62 to 109 in 76be0da
Wire rustls_sys into TLS features
The new crypto::ensure_default_provider only installs a provider inside #[cfg(feature = "rustls_sys")], but none of the TLS-facing features (https, ftp, s3, or even the rustls feature itself) actually enable the optional rustls_sys dependency in Cargo.toml. With the default feature set (https), the rustls_sys code is compiled out and the function immediately returns Ok(()), so HTTP/S3/FTP calls still hit rustls’ runtime panic about a missing CryptoProvider. To make the automatic initialization effective, the TLS features need to include dep:rustls_sys (or the provider should be installed through a dependency already in scope).
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
- Separate format job in CI workflow for faster feedback - Run cargo fmt to fix trailing whitespace - Format check now runs independently from compilation/test checks
- Add dep:rustls_sys to rustls feature flag in Cargo.toml - Change crypto.rs to check feature rustls instead of rustls_sys - Update remote_file_exists to use ensure_default_provider - Fix clippy warnings (needless return statements) - Add GitHub Copilot custom instructions for repository - Instructions include formatting, clippy, README regeneration rules
Since https enables rustls, ftp enables https (which enables rustls), and s3 uses rustls transitively, checking for multiple feature flags is redundant. Simplified all checks to just use rustls feature flag. - Changed all crypto initialization checks to use only rustls feature - Removed redundant https/s3/ftp checks alongside rustls - This makes the code cleaner and easier to maintain
- Document all improvements and fixes in CHANGELOG.md - Add changelog update rules to Copilot instructions - Emphasize changelog updates in pre-commit checklist - Include changelog formatting guidelines
Summary
This PR adds automatic rustls crypto provider initialization to prevent the "Could not automatically determine the process-level CryptoProvider" panic when using HTTPS, S3, or FTP features.
Changes
New Module: crypto
Integration Points
The crypto provider initialization is now called automatically from:
Public API
Applications and dependent crates can now explicitly initialize the provider:
This is particularly useful for:
Documentation
Testing
Benefits
Use Case for Dependent Crates
Other crates in the BGPKIT ecosystem (bgpkit-commons, peeringdb-rs, asninfo) can now simply call:
This ensures whichever crypto provider the dependency tree pulled in (AWS-LC or ring) gets installed automatically, eliminating the panic without forcing a specific provider choice.
Testing
All tests pass successfully.