5 releases
| 0.2.1 | Jan 4, 2026 |
|---|---|
| 0.2.0 | Jan 4, 2026 |
| 0.1.2 | Jan 3, 2026 |
| 0.1.1 | Jan 2, 2026 |
| 0.1.0 | Sep 3, 2025 |
#162 in Cryptography
4,653 downloads per month
Used in 2 crates
(via str0m-apple-crypto)
270KB
6.5K
SLoC
Apple CryptoKit for Rust
A Rust wrapper around Apple's native CryptoKit framework, designed to provide cryptographic functionality while maintaining App Store compliance.
Why This Library?
When submitting apps to the App Store, Apple requires specific handling of cryptographic functionality. Apps that use encryption must either:
- Use only standard cryptographic algorithms provided by Apple's operating systems, or
- Provide additional export compliance documentation
This library solves this problem by:
- Wrapping Apple's native CryptoKit: Uses only the cryptographic algorithms provided by Apple's operating system
- Maintaining App Store compliance: Qualifies for cryptographic export compliance exemptions
- Providing Rust-safe interfaces: Offers memory-safe, ergonomic Rust APIs over the Swift CryptoKit
By using this library, your Rust applications can leverage Apple's optimized cryptographic implementations while avoiding the need for additional export compliance paperwork.
Features
Traditional Cryptography
- Symmetric Encryption: AES-GCM, ChaCha20-Poly1305
- Hashing: SHA-256, SHA-384, SHA-512
- Message Authentication: HMAC-SHA256, HMAC-SHA384, HMAC-SHA512
- Key Derivation: HKDF (HMAC-based Key Derivation Function)
- Asymmetric Cryptography: P-256, P-384, P-521, Curve25519
Post-Quantum Cryptography
- Key Encapsulation: ML-KEM-768, X-Wing (ML-KEM-768 + X25519)
- Digital Signatures: ML-DSA-65
Platform Support
- macOS: 10.15+ (macOS Catalina and later)
- iOS: 13.0+ (when building for iOS targets)
- Additional Apple platforms: As supported by CryptoKit
Installation
Add this to your Cargo.toml:
[dependencies]
apple-cryptokit-rs = "0.1.0"
Quick Start
Hashing
use apple_cryptokit::hashing::{sha256_hash, SHA256, HashFunction};
fn main() -> apple_cryptokit::Result<()> {
let data = b"Hello, World!";
// Direct function call
let hash1 = sha256_hash(data);
// Using trait
let hash2 = SHA256::hash(data);
println!("SHA-256: {}", hex::encode(hash1));
Ok(())
}
Message Authentication (HMAC)
use apple_cryptokit::authentication::{hmac_sha256, HMACSHA256};
fn main() -> apple_cryptokit::Result<()> {
let key = b"my-secret-key";
let message = b"important message";
let mac = hmac_sha256(key, message)?;
println!("HMAC-SHA256: {}", hex::encode(mac));
Ok(())
}
Symmetric Encryption
use apple_cryptokit::symmetric::aes::{aes_gcm_encrypt, aes_gcm_decrypt};
fn main() -> apple_cryptokit::Result<()> {
let key = b"0123456789abcdef0123456789abcdef"; // 32-byte key
let nonce = b"cdef01234567"; // 12-byte nonce
let plaintext = b"Secret message";
// Encrypt
let ciphertext = aes_gcm_encrypt(key, nonce, plaintext)?;
// Decrypt
let decrypted = aes_gcm_decrypt(key, nonce, &ciphertext)?;
assert_eq!(plaintext, &decrypted[..]);
Ok(())
}
Asymmetric Cryptography (Elliptic Curves)
use apple_cryptokit::asymmetric::p256::{P256PrivateKey, P256PublicKey};
fn main() -> apple_cryptokit::Result<()> {
// Generate key pair
let private_key = P256PrivateKey::new()?;
let public_key = private_key.public_key()?;
// Create shared secret (ECDH)
let other_private = P256PrivateKey::new()?;
let other_public = other_private.public_key()?;
let shared_secret = private_key.shared_secret_from_key_agreement(&other_public)?;
println!("Shared secret established");
Ok(())
}
Post-Quantum Key Encapsulation
use apple_cryptokit::quantum::{MLKem768, KEMPrivateKey, KEMPublicKey};
fn main() -> apple_cryptokit::Result<()> {
// Generate ML-KEM-768 key pair
let private_key = MLKem768::generate_private_key()?;
let public_key = private_key.public_key()?;
// Encapsulation (sender side)
let (ciphertext, shared_secret1) = public_key.encapsulate()?;
// Decapsulation (receiver side)
let shared_secret2 = private_key.decapsulate(&ciphertext)?;
// Both parties now have the same shared secret
assert_eq!(shared_secret1, shared_secret2);
Ok(())
}
Post-Quantum Digital Signatures
use apple_cryptokit::quantum::{MLDsa65, SignaturePrivateKey, SignaturePublicKey};
fn main() -> apple_cryptokit::Result<()> {
// Generate ML-DSA-65 key pair
let private_key = MLDsa65::generate_private_key()?;
let public_key = private_key.public_key()?;
let message = b"Document to sign";
// Sign
let signature = private_key.sign(message)?;
// Verify
let is_valid = public_key.verify(message, &signature)?;
assert!(is_valid);
println!("Signature verified!");
Ok(())
}
Architecture
This library consists of two main components:
- Swift CryptoKit Wrapper (
swift/directory): A Swift package that provides C-compatible interfaces to Apple's CryptoKit framework - Rust Bindings (
src/directory): Safe Rust wrappers around the Swift interfaces
Build Process
The build process uses a custom build.rs script that:
- Compiles the Swift package into a static library
- Generates appropriate linking flags for the Rust crate
- Ensures proper integration between Swift CryptoKit and Rust code
App Store Compliance
Export Administration Regulations (EAR) Compliance
This library is designed to help maintain compliance with U.S. Export Administration Regulations when distributing apps through the App Store. By using only Apple's provided cryptographic implementations, apps using this library may qualify for certain exemptions.
Important: Always consult with legal counsel regarding export compliance requirements for your specific application and use case.
Required Info.plist Configuration
When using this library in an iOS/macOS app, you may need to add the following to your app's Info.plist:
<key>ITSAppUsesNonExemptEncryption</key>
<false/>
Or if your app does use encryption but qualifies for exemptions:
<key>ITSAppUsesNonExemptEncryption</key>
<true/>
<key>ITSEncryptionExportComplianceCode</key>
<string>your-compliance-code-here</string>
Supported Algorithms
Hashing
- SHA-256, SHA-384, SHA-512, SHA-1
Message Authentication Codes
- HMAC-SHA256, HMAC-SHA384, HMAC-SHA512, HMAC-SHA1
Symmetric Encryption
- AES-GCM (128, 192, 256-bit keys)
- ChaCha20-Poly1305
Asymmetric Cryptography
- P-256 (secp256r1)
- P-384 (secp384r1)
- P-521 (secp521r1)
- Curve25519
Key Derivation
- HKDF-SHA256, HKDF-SHA384, HKDF-SHA512
Post-Quantum Cryptography
- ML-KEM-768: NIST standardized key encapsulation mechanism
- X-Wing: Hybrid ML-KEM-768 + X25519 for transition security
- ML-DSA-65: NIST standardized digital signature algorithm
Requirements
- macOS: 10.15+ (Catalina) for development
- Xcode: 12.0+ with Swift 5.3+
- Rust: 1.75+ (2024 edition)
Development
Building
cargo build
Testing
cargo test
Running Examples
cargo run --example basic_usage
Contributing
Contributions are welcome! Please feel free to submit a Pull Request. For major changes, please open an issue first to discuss what you would like to change.
Development Guidelines
- Follow Rust's standard coding conventions
- Ensure all tests pass
- Add tests for new functionality
- Update documentation as needed
Acknowledgments
This project was inspired by oml-cryptokit-rs, which pioneered the approach of wrapping Apple's CryptoKit to maintain App Store export compliance. We are grateful for their innovative solution and have built upon their work.
Special thanks to the oml-cryptokit-rs project for:
- Demonstrating how to bridge Apple's CryptoKit with Rust
- Providing the foundation for our
build.rsimplementation - Showing the path to App Store compliance through native cryptographic APIs
License
This project is licensed under the MIT License - see the LICENSE file for details.
Disclaimer
This library wraps Apple's CryptoKit framework and is intended to help with App Store compliance. However, export compliance requirements can be complex and may vary based on your specific use case, target markets, and implementation details.
Always consult with qualified legal counsel regarding export compliance requirements for your specific application.
Related Projects
No runtime deps
~140KB