============================================== CCC Rust Implementation — Phase Tracking ============================================== :Last Updated: 2026-06-20 Legend ------ * ``[ ]`` Not started * ``[~]`` In progress * ``[x]`` Complete * ``[!]`` Blocked ---- Step 1 — Cargo Workspace Scaffold ---------------------------------- * ``[x]`` Create ``Cargo.toml`` (workspace manifest, 4 members) * ``[x]`` Create ``rust-toolchain.toml`` (channel = "stable") * ``[x]`` Create ``.cargo/config.toml`` (cross-compile target aliases) * ``[x]`` Create ``vendors/README.md`` ---- Step 2 — ``ccc-crypto-core`` Trait Crate ----------------------------------------- * ``[x]`` Create ``crates/ccc-crypto-core/Cargo.toml`` * ``[x]`` ``algorithms.rs`` — AeadAlgorithm, KdfAlgorithm, MacAlgorithm, HashAlgorithm, KemAlgorithm enums (values == cipher_constants.dart) * ``[x]`` ``capabilities.rs`` — AlgorithmCapability, ProviderCapabilities * ``[x]`` ``error.rs`` — CryptoError enum * ``[x]`` ``types.rs`` — KemKeyPair, SelfTestReport, BenchmarkReport, AlgoTestResult * ``[x]`` ``provider.rs`` — AeadProvider, KdfProvider, MacProvider, HashProvider, KemProvider traits; CryptoProvider umbrella trait * ``[x]`` ``registry.rs`` — ProviderRegistry (OnceLock>), register(), get(), list() * ``[x]`` ``lib.rs`` — re-exports all public items * ``[x]`` Unit tests for registry (5 passing) ---- Step 3 — wolfSSL Submodule + ``ccc-crypto-wolfssl`` ----------------------------------------------------- * ``[x]`` ``git submodule add`` wolfSSL → ``vendors/wolfssl`` * ``[x]`` Pin submodule to ``v5.7.2-stable`` * ``[x]`` Document pin in ``vendors/README.md`` * ``[x]`` Create ``crates/ccc-crypto-wolfssl/Cargo.toml`` * ``[x]`` ``build.rs`` — cmake build + bindgen; stub_ffi feature bypasses C build * ``[x]`` ``aead.rs`` — AES-256-GCM implementation * ``[x]`` encrypt_aead (AES-256-GCM) * ``[x]`` decrypt_aead (AES-256-GCM) * ``[x]`` encrypt_aead (ChaCha20-Poly1305) * ``[x]`` decrypt_aead (ChaCha20-Poly1305) * ``[x]`` encrypt_aead (XChaCha20-Poly1305 via HChaCha20) * ``[x]`` decrypt_aead (XChaCha20-Poly1305) * ``[x]`` ``kdf.rs`` — KDF implementations * ``[x]`` HKDF-SHA256 * ``[x]`` HKDF-SHA384 * ``[x]`` HKDF-SHA512 * ``[x]`` Argon2id (64 MB / 3 iter / 4 threads — matches DEFAULT_CIPHER_PARAMS) * ``[x]`` BLAKE2b-512 KDF * ``[x]`` ``mac.rs`` — MAC implementations * ``[x]`` HMAC-SHA256 * ``[x]`` HMAC-SHA384 * ``[x]`` HMAC-SHA512 * ``[x]`` BLAKE2b-MAC (keyed) * ``[x]`` Constant-time verify * ``[x]`` ``hash.rs`` — Hash implementations * ``[x]`` SHA-256 / SHA-384 / SHA-512 * ``[x]`` SHA3-256 / SHA3-512 * ``[x]`` BLAKE2b-512 * ``[x]`` ``kem.rs`` — KEM implementations * ``[x]`` X25519 (keygen + DH encap/decap) * ``[x]`` X448 (keygen + DH encap/decap) * ``[ ]`` ML-KEM-768 (deferred to Phase 5) * ``[ ]`` ML-KEM-1024 (deferred to Phase 5) * ``[ ]`` Classic McEliece (deferred to Phase 5) * ``[x]`` ``capabilities.rs`` — probe-at-startup per algorithm * ``[x]`` ``capabilities.rs`` — benchmark() throughput micro-bench * ``[x]`` ``provider.rs`` — WolfSslProvider: CryptoProvider impl * ``[x]`` ``provider.rs`` — self_test() with embedded NIST vectors (AES-256-GCM, ChaCha20-Poly1305) * ``[x]`` Register WolfSslProvider in ProviderRegistry via init() * ``[ ]`` Full native build verified (requires ``brew install cmake``) ---- Step 4 — ``ccc-flutter-bridge`` Entry-Point Crate --------------------------------------------------- * ``[x]`` Create ``crates/ccc-flutter-bridge/Cargo.toml`` * ``[x]`` Set ``crate-type = ["cdylib", "staticlib"]`` * ``[x]`` Add ``flutter_rust_bridge = "=2.9.0"`` dependency * ``[x]`` ``dto.rs`` — CapabilitiesDto, KemKeyPairDto, KemEncapDto, SelfTestDto, AlgoTestResultDto; From impls * ``[x]`` ``bridge.rs`` — ccc_init() * ``[x]`` ``bridge.rs`` — ccc_list_providers() * ``[x]`` ``bridge.rs`` — ccc_capabilities() / ccc_available_algorithms() * ``[x]`` ``bridge.rs`` — ccc_aead_encrypt() / ccc_aead_decrypt() * ``[x]`` ``bridge.rs`` — ccc_kdf_derive() * ``[x]`` ``bridge.rs`` — ccc_mac_compute() / ccc_mac_verify() * ``[x]`` ``bridge.rs`` — ccc_hash() * ``[x]`` ``bridge.rs`` — ccc_kem_generate_keypair() * ``[x]`` ``bridge.rs`` — ccc_kem_encapsulate() / ccc_kem_decapsulate() * ``[x]`` ``bridge.rs`` — ccc_self_test() * ``[x]`` ``lib.rs`` — module declarations * ``[x]`` ``flutter_rust_bridge.yaml`` — codegen config ---- Step 5 — Flutter Build Integration ------------------------------------ * ``[ ]`` Add ``flutter_rust_bridge: ^2`` to ``pubspec.yaml`` * ``[ ]`` Run ``flutter_rust_bridge_codegen generate`` * ``[ ]`` Verify generated ``flutter_src/lib/gen/rust/`` bindings * ``[ ]`` iOS plugin scaffold (``ios/`` dir, cargokit integration) * ``[ ]`` Android plugin scaffold (``android/`` dir, CMakeLists.txt) * ``[ ]`` macOS plugin scaffold (``macos/`` dir) * ``[ ]`` Confirm ``flutter build ios`` succeeds (static lib linked) * ``[ ]`` Confirm ``flutter build apk`` succeeds (cdylib linked) ---- Step 6 — Dart Layer Wiring --------------------------- * ``[ ]`` Wire ``crypto_wolfssl.dart`` ``encrypt()`` → ``ccc_aead_encrypt()`` * ``[ ]`` Wire ``crypto_wolfssl.dart`` ``decrypt()`` → ``ccc_aead_decrypt()`` * ``[ ]`` Convert ``CccProviderCatalog.capabilities`` to runtime-populated map * ``[ ]`` Call ``ccc_init()`` at app startup * ``[ ]`` Populate ``CccProviderCatalog`` from ``ccc_capabilities()`` * ``[ ]`` Create ``CccSelfTest`` Dart class (wraps ``ccc_self_test()``) * ``[ ]`` Expose self-test pass/fail diagnostics in app debug screen ---- Step 7 — Conformance Test Suite --------------------------------- * ``[x]`` ``tests/conformance/src/main.rs`` — NIST AES-256-GCM (2 vectors) * ``[x]`` ``tests/conformance/src/main.rs`` — RFC 8439 ChaCha20-Poly1305 * ``[x]`` ``tests/conformance/src/main.rs`` — RFC 5869 HKDF-SHA256 (2 vectors) * ``[x]`` ``tests/conformance/src/main.rs`` — RFC 4231 HMAC-SHA256 (2 vectors) * ``[x]`` ``tests/conformance/src/main.rs`` — FIPS hash vectors (SHA-256/512, SHA3-256, BLAKE2b) * ``[ ]`` Cross-provider conformance test (requires multiple providers) * ``[ ]`` ``cargo run -p ccc-conformance-tests`` passes (requires cmake) ---- Step 8 — Architecture Documentation -------------------------------------- * ``[ ]`` Create ``docs/phase4_rust_architecture.rst`` * ``[ ]`` Crate dependency graph (ASCII diagram) * ``[ ]`` "How to add a new provider" — 7-step trait checklist * ``[ ]`` ``algo: u32`` → cipher constant mapping table * ``[ ]`` Phase 8 stretch-goal provider list documented ---- Final Verification Gate ------------------------ * ``[ ]`` ``cargo test --workspace`` — all pass (requires cmake for wolfSSL) * ``[ ]`` ``cargo build --target aarch64-apple-ios`` — success * ``[ ]`` ``cargo build --target aarch64-linux-android`` — success * ``[ ]`` Flutter roundtrip integration test passes (1 KB encrypt/decrypt) * ``[ ]`` ``CccSelfTest.runAll()`` all-pass in app debug screen * ``[ ]`` Cross-provider conformance confirmed (``deterministic_io: true`` verified for AES-256-GCM and ChaCha20-Poly1305) ---- Phase 8 — Stretch Goal Providers (Future) ------------------------------------------ *(Out of scope for Phase 4. Tracked here for future scheduling.)* * ``[ ]`` libsodium (``sodiumoxide`` / ``safe_libsodium``) * ``[ ]`` OpenSSL (``openssl`` crate) * ``[ ]`` BoringSSL (``boring`` crate) * ``[ ]`` RustCrypto (pure-Rust, no native dep) * ``[ ]`` liboqs — ML-KEM, BIKE, HQC, Falcon, Dilithium, SPHINCS+ * ``[ ]`` Signal ``libsignal`` * ``[ ]`` Botan * ``[ ]`` mbedTLS * ``[ ]`` Nettle Legend ------ * ``[ ]`` Not started * ``[~]`` In progress * ``[x]`` Complete * ``[!]`` Blocked ---- Step 1 — Cargo Workspace Scaffold ---------------------------------- * ``[ ]`` Create ``Cargo.toml`` (workspace manifest, 3 members) * ``[ ]`` Create ``rust-toolchain.toml`` (stable, pinned version) * ``[ ]`` Create ``.cargo/config.toml`` (cross-compile target aliases) * ``[ ]`` Create ``vendors/README.md`` ---- Step 2 — ``ccc-crypto-core`` Trait Crate ----------------------------------------- * ``[ ]`` Create ``crates/ccc-crypto-core/Cargo.toml`` * ``[ ]`` ``algorithms.rs`` — AeadAlgorithm, KdfAlgorithm, MacAlgorithm, HashAlgorithm, KemAlgorithm enums (values == cipher_constants.dart) * ``[ ]`` ``capabilities.rs`` — AlgorithmCapability, ProviderCapabilities * ``[ ]`` ``error.rs`` — CryptoError enum * ``[ ]`` ``types.rs`` — KemKeyPair, SelfTestReport, BenchmarkReport, AlgoTestResult * ``[ ]`` ``provider.rs`` — AeadProvider, KdfProvider, MacProvider, HashProvider, KemProvider traits; CryptoProvider umbrella trait * ``[ ]`` ``registry.rs`` — ProviderRegistry (OnceLock>), register(), get(), list() * ``[ ]`` ``lib.rs`` — re-exports all public items * ``[ ]`` Unit tests for registry (register, get, list) ---- Step 3 — wolfSSL Submodule + ``ccc-crypto-wolfssl`` ----------------------------------------------------- * ``[ ]`` ``git submodule add`` wolfSSL → ``vendors/wolfssl`` * ``[ ]`` Pin submodule to ``v5.7.2-stable`` * ``[ ]`` Document pin in ``vendors/README.md`` * ``[ ]`` Create ``crates/ccc-crypto-wolfssl/Cargo.toml`` * ``[ ]`` ``aead.rs`` — AES-256-GCM implementation * ``[ ]`` encrypt_aead (AES-256-GCM) * ``[ ]`` decrypt_aead (AES-256-GCM) * ``[ ]`` encrypt_aead (ChaCha20-Poly1305) * ``[ ]`` decrypt_aead (ChaCha20-Poly1305) * ``[ ]`` ``kdf.rs`` — KDF implementations * ``[ ]`` HKDF-SHA256 * ``[ ]`` HKDF-SHA384 * ``[ ]`` HKDF-SHA512 * ``[ ]`` Argon2id * ``[ ]`` ``mac.rs`` — MAC implementations * ``[ ]`` HMAC-SHA256 * ``[ ]`` HMAC-SHA384 * ``[ ]`` HMAC-SHA512 * ``[ ]`` ``hash.rs`` — Hash implementations * ``[ ]`` SHA-256 / SHA-384 / SHA-512 * ``[ ]`` SHA3-256 / SHA3-512 * ``[ ]`` BLAKE2b-512 * ``[ ]`` ``kem.rs`` — KEM implementations * ``[ ]`` X25519 * ``[ ]`` X448 * ``[ ]`` ML-KEM-768 (conditional on PQ build) * ``[ ]`` ML-KEM-1024 (conditional on PQ build) * ``[ ]`` ``capabilities.rs`` — probe-at-startup per algorithm * ``[ ]`` ``capabilities.rs`` — benchmark() throughput micro-bench * ``[ ]`` ``provider.rs`` — WolfSslProvider: CryptoProvider impl * ``[ ]`` ``provider.rs`` — self_test() with embedded NIST vectors * ``[ ]`` Register WolfSslProvider in ProviderRegistry via init() * ``[ ]`` Unit tests for each implemented algorithm ---- Step 4 — ``ccc-flutter-bridge`` Entry-Point Crate --------------------------------------------------- * ``[ ]`` Create ``crates/ccc-flutter-bridge/Cargo.toml`` * ``[ ]`` Set ``crate-type = ["cdylib", "staticlib"]`` * ``[ ]`` Add ``flutter_rust_bridge`` dependency * ``[ ]`` ``dto.rs`` — CapabilitiesDto, KemKeyPairDto, KemEncapDto, SelfTestDto, AlgoTestResultDto * ``[ ]`` ``bridge.rs`` — ccc_init() * ``[ ]`` ``bridge.rs`` — ccc_list_providers() * ``[ ]`` ``bridge.rs`` — ccc_provider_capabilities() * ``[ ]`` ``bridge.rs`` — ccc_aead_encrypt() / ccc_aead_decrypt() * ``[ ]`` ``bridge.rs`` — ccc_derive_key() * ``[ ]`` ``bridge.rs`` — ccc_compute_mac() / ccc_verify_mac() * ``[ ]`` ``bridge.rs`` — ccc_hash() * ``[ ]`` ``bridge.rs`` — ccc_kem_generate_keypair() * ``[ ]`` ``bridge.rs`` — ccc_kem_encapsulate() / ccc_kem_decapsulate() * ``[ ]`` ``bridge.rs`` — ccc_self_test() * ``[ ]`` ``lib.rs`` — frb_generated module import ---- Step 5 — Flutter Build Integration ------------------------------------ * ``[ ]`` Add ``flutter_rust_bridge: ^2`` to ``pubspec.yaml`` * ``[ ]`` Run ``flutter_rust_bridge_codegen generate`` * ``[ ]`` Verify generated ``flutter_src/ccc_crypto_bindings/ccc_crypto.dart`` * ``[ ]`` iOS plugin scaffold (``ios/`` dir, cargokit integration) * ``[ ]`` Android plugin scaffold (``android/`` dir, CMakeLists.txt) * ``[ ]`` macOS plugin scaffold (``macos/`` dir) * ``[ ]`` Confirm ``flutter build ios`` succeeds (static lib linked) * ``[ ]`` Confirm ``flutter build apk`` succeeds (cdylib linked) ---- Step 6 — Dart Layer Wiring --------------------------- * ``[ ]`` Wire ``crypto_wolfssl.dart`` ``encrypt()`` → ``ccc_aead_encrypt()`` * ``[ ]`` Wire ``crypto_wolfssl.dart`` ``decrypt()`` → ``ccc_aead_decrypt()`` * ``[ ]`` Convert ``CccProviderCatalog.capabilities`` to runtime-populated map * ``[ ]`` Call ``ccc_init()`` at app startup * ``[ ]`` Populate ``CccProviderCatalog`` from ``ccc_provider_capabilities()`` * ``[ ]`` Create ``CccSelfTest`` Dart class (wraps ``ccc_self_test()``) * ``[ ]`` Expose self-test pass/fail diagnostics in app debug screen ---- Step 7 — Conformance Test Suite --------------------------------- * ``[ ]`` ``tests/conformance/aes_gcm_vectors.rs`` — NIST SP 800-38D vectors * ``[ ]`` ``tests/conformance/chacha_vectors.rs`` — RFC 8439 vectors * ``[ ]`` ``tests/conformance/hkdf_vectors.rs`` — RFC 5869 vectors * ``[ ]`` ``tests/conformance/hmac_vectors.rs`` — RFC 4231 vectors * ``[ ]`` ``tests/conformance/cross_provider.rs`` — wolfSSL output matches Dart ``cryptography`` reference output (byte-identity) * ``[ ]`` ``cargo test --workspace`` all pass ---- Step 8 — Architecture Documentation -------------------------------------- * ``[ ]`` Create ``docs/phase4_rust_architecture.rst`` * ``[ ]`` Crate dependency graph (ASCII diagram) * ``[ ]`` "How to add a new provider" — 7-step trait checklist * ``[ ]`` ``algo: u32`` → cipher constant mapping table * ``[ ]`` Phase 8 stretch-goal provider list documented ---- Final Verification Gate ------------------------ * ``[ ]`` ``cargo test --workspace`` — all pass * ``[ ]`` ``cargo build --target aarch64-apple-ios`` — success * ``[ ]`` ``cargo build --target aarch64-linux-android`` — success * ``[ ]`` Flutter roundtrip integration test passes (1 KB encrypt/decrypt) * ``[ ]`` ``CccSelfTest.runAll()`` all-pass in app debug screen * ``[ ]`` Cross-provider conformance confirmed (``deterministic_io: true`` verified for AES-256-GCM and ChaCha20-Poly1305) ---- Phase 8 — Stretch Goal Providers (Future) ------------------------------------------ *(Out of scope for Phase 4. Tracked here for future scheduling.)* * ``[ ]`` libsodium (``sodiumoxide`` / ``safe_libsodium``) * ``[ ]`` OpenSSL (``openssl`` crate) * ``[ ]`` BoringSSL (``boring`` crate) * ``[ ]`` RustCrypto (pure-Rust, no native dep) * ``[ ]`` liboqs — ML-KEM, BIKE, HQC, Falcon, Dilithium, SPHINCS+ * ``[ ]`` Signal ``libsignal`` * ``[ ]`` Botan * ``[ ]`` mbedTLS * ``[ ]`` Nettle