Expose cryptography backends via CryptoProvider

[arckoor]

Adds a CryptoProvider struct that allows replacing the built-in providers with something custom.
All the details from this implementation that could be considered "interesting" are stolen straight from rustls's CryptoProvider.

I've marked the new_signer, new_verifier and JWK functions from the two built in backends as pub, so you can do stuff like this:

fn new_signer(algorithm: &Algorithm, key: &EncodingKey) -> Result<Box<dyn JwtSigner>, Error> {
    let jwt_signer = match algorithm {
        Algorithm::EdDSA => Box::new(CustomEdDSASigner::new(key)?) as Box<dyn JwtSigner>,
        _ => jsonwebtoken::crypto::aws_lc::new_signer(algorithm, key)?,
    };

    Ok(jwt_signer)
}

i.e. overwrite just specific algorithms.

One area I'm a little unsure about is JwkUtils, 1) about the name and 2) about the Default implementation. The CryptoProvider::signer_ and CryptoProvider::verifier_factory functions are obviously mandatory for a custom provider, but not everyone uses JWK, so the default just uses dummy functions with unimplemented!().

[arckoor]

@Keats any chance of a review on this?

[drusellers]

Would this allow applications to use rustls rather than openssl?

[arckoor]

@drusellers As far as I know rustls doesn't implement the cryptography directly, rather it relies on other crates like ring, aws-lc-rs, rustcrypto, ...
So you can't really use rustls with this, but you can implement the cryptography with whatever backend you choose, be it openssl, botan, or something else entirely (this crate has aws-lc-rs and rustcrypto built in, using these doesn't require this PR)

[Keats]

I think this can be simplified

[Keats]

Could we use a real crypto lib as an example?

[Keats]

can those functions be pub(crate) rather than pub? For both files

[arckoor]

Well if they are pub(crate) it would mean you can't use them externally, so the intent with making them pub was that you can overwrite e.g. the ES256 signing with a crypto lib of your choosing, but keep the utility functions from either of the built in crypto libs, but your choice.

[Keats]

that will get more complex if we start supporting some alg in some backend like #461

[Keats]

Do we need that? We should be able to define a DEFAULT_PROVIDER using cargo features I think without needing the dance around that?

[arckoor]

IIUC you mean that it automatically sets PROCESS_DEFAULT_PROVIDER to aws_lc::CryptoProvider if the aws feature is enabled? Yes that could be done, but similar to the JWK utility functions, that would mean you have to replace everything when you implement a custom provider, because otherwise if you select one of the built in features, you'd be locked into that provider.
This way you can implement whatever you want to, enable both aws and custom-provider, and fallback to aws for everything you haven't implemented.

[Keats]

My understanding of custom providers is that you do not want to add the rust-crypto/aws-lc dependencies? That feels a bit awkward otherwise

[arckoor]

I feel that way, yes, others may not, I do not know. I did it this way because rustls did it this way, but I can change it if you want me to.

[arckoor]

All that said while it could be assigned automatically for the rust_crypto and aws_lc_rs features, it still needs to provide a set method for outside crypto providers, and I'm honestly not sure how to do it any other way.

Unless you want a

#[cfg(feature = "custom-provider")]
static PROCESS_DEFAULT_PROVIDER: OnceLock<Arc<CryptoProvider>> = OnceLock::new();

#[cfg(not(feature = "custom-provider")]
# assign from crate features

which I personally think is pretty ugly.

[Keats]

Just make it pub for everyone no? Easier to keep track for breaking changes

[Keats]

Same as above, or we should expose some getters/setters rather than having sometimes private sometimes public fields