i am making an application that contains sensitive data such as passwords and keys. i want to find and encryption crate that already has a certificate and would allow me to do symmetric encryption with as little trouble as possible.
i tried looking up crates for those purposes on my own, but i mostly just found suggestions for aes and aes-gcm. which (according to their certificates) could be broken using specific combinations of bytes. other crates i found seem to have a ton of requirements (for example, openssl requires OS specific stuff, which is not good, since my application isn't dependent on the current OS at all), have no certificate, or be too low level for me to use in my application without having at least 1 major vulnerability. are there any crates other than the crates above, that could be used for symmetric encryption and have a certificate?
Certificates are usually used in the context of asymmetric encryption. You could use the
crypto_box crate, if you need asymmetric encryption (you also would need code for extract public key from a certificate).
If you indeed need symmetric encryption, then the AEAD crates should be sufficient. I recommend using a "misuse resistant" algorithm (e.g. from the
aes-siv crate), which does not fail catastrophically in the case of nonce reuse, like AES-GCM. But I don't see the relevancy of "certificates" in this context.
You also may need to generate cryptographic keys from user passwords. It's recommended to use password hashes for that.
I am not sure what are you talking about and how the
x509-certificate crate is relevant here. As mentioned earlier, AES-GCM may be broken if you reuse the same key and nonce for encrypting two separate texts. So you either generate random nonces for each encrypted text (so probability of reuse is astronomically low), or use "misuse resistant" schemes like SIV (though even with them you still should not reuse nonces if possible).