Cryptography
This page lists every cryptographic primitive in Omitly, drawn directly from our
cryptographic bill of materials (CBOM v1). We publish it so a reviewer can
evaluate exactly what we use and how, rather than take our word for it.
On FIPS: where an algorithm is FIPS-approved, our implementation is not
a CMVP-validated module. We state this as "approved algorithm, non-validated
implementation" throughout, never "FIPS compliant."
Tamper-evidence seal: signing & verification
| Primitive | signature · Ed25519 |
| Implementation | ed25519-dalek 2 |
| Purpose | Signs the entire delivered PDF (trailing %%OMITLY-SEAL appendix); verify_strict rejects non-canonical/malleable signatures. Per-install key: integrity, not identity (see CLAUDE.md invariant #2). |
| FIPS posture | FIPS 186-5 approved algorithm; ed25519-dalek is NOT a CMVP-validated module. State "approved algorithm, non-validated implementation", never "FIPS compliant". |
| Source | src-tauri/src/seal.rs |
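To make the seal design above concrete, here is an added Python illustration (not Omitly's Rust code, which uses ed25519-dalek 2): a compact Ed25519 over RFC 8032 arithmetic, a seal appended as a trailing %%OMITLY-SEAL appendix, and a verifier with a strict mode that enforces the canonical S < L check, one of the non-malleability checks the page attributes to verify_strict. The appendix layout (marker, 32-byte public key, 64-byte signature over the whole PDF), the function names and the sample PDF bytes are this example's own assumptions; the per-install seed is taken from the OS CSPRNG, mirroring the getrandom seeding described further down. The arithmetic is variable-time and exists only to show the check, not for reuse.

```python
import hashlib
import os

# Minimal Ed25519 (RFC 8032 arithmetic) constructed for this illustration only; variable-time.
Q = 2**255 - 19                                        # field prime
L = 2**252 + 27742317777372353535851937790883648493    # order of the base point
D = (-121665 * pow(121666, Q - 2, Q)) % Q               # twisted Edwards constant d
SQRT_M1 = pow(2, (Q - 1) // 4, Q)                       # sqrt(-1) mod Q, used for x recovery
SEAL_MARKER = b"\n%%OMITLY-SEAL\n"  # marker named on the page; the appendix layout is assumed

def _h_int(*parts):
    return int.from_bytes(hashlib.sha512(b"".join(parts)).digest(), "little")

def _add(p1, p2):
    (x1, y1), (x2, y2) = p1, p2
    t = D * x1 * x2 * y1 * y2
    return ((x1 * y2 + x2 * y1) * pow(1 + t, Q - 2, Q) % Q,
            (y1 * y2 + x1 * x2) * pow(1 - t, Q - 2, Q) % Q)

def _mul(p, e):
    result, addend = (0, 1), p                          # (0, 1) is the identity element
    while e:
        if e & 1:
            result = _add(result, addend)
        addend, e = _add(addend, addend), e >> 1
    return result

def _encode(p):
    return (p[1] | ((p[0] & 1) << 255)).to_bytes(32, "little")

def _decode(s):
    enc = int.from_bytes(s, "little")
    y, x_sign = enc & ((1 << 255) - 1), enc >> 255
    if y >= Q:
        raise ValueError("non-canonical point encoding")
    xx = (y * y - 1) * pow(D * y * y + 1, Q - 2, Q) % Q
    x = pow(xx, (Q + 3) // 8, Q)
    if (x * x - xx) % Q:
        x = x * SQRT_M1 % Q
    if (x * x - xx) % Q:
        raise ValueError("point not on curve")
    x = (Q - x) % Q if x & 1 != x_sign else x
    return x, y
B = _decode((4 * pow(5, Q - 2, Q) % Q).to_bytes(32, "little"))  # base point, even x

def _secret(seed):
    h = hashlib.sha512(seed).digest()
    a = (int.from_bytes(h[:32], "little") & ((1 << 254) - 8)) | (1 << 254)  # clamp
    return a, h[32:]

def public_key(seed):
    return _encode(_mul(B, _secret(seed)[0]))

def sign(seed, msg):
    a, prefix = _secret(seed)
    pk = public_key(seed)
    r = _h_int(prefix, msg) % L
    r_enc = _encode(_mul(B, r))
    return r_enc + ((r + _h_int(r_enc, pk, msg) * a) % L).to_bytes(32, "little")

def verify(pk, msg, sig, strict=True):
    """strict=True also demands the canonical S < L, one of the non-malleability
    checks ed25519-dalek's verify_strict performs; a lax verifier skips it."""
    r_enc, s = sig[:32], int.from_bytes(sig[32:], "little")
    if strict and s >= L:
        return False
    try:
        r, a_pt = _decode(r_enc), _decode(pk)
    except ValueError:
        return False
    return _mul(B, s) == _add(r, _mul(a_pt, _h_int(r_enc, pk, msg)))

def seal_pdf(seed, pdf):
    """Deliverable = PDF bytes, marker, 32-byte public key, 64-byte signature over the PDF."""
    return pdf + SEAL_MARKER + public_key(seed) + sign(seed, pdf)

def split_seal(sealed):
    idx = sealed.rfind(SEAL_MARKER)
    if idx < 0 or len(sealed) - idx != len(SEAL_MARKER) + 96:
        raise ValueError("no well-formed trailing seal")
    tail = sealed[idx + len(SEAL_MARKER):]
    return sealed[:idx], tail[:32], tail[32:]

def verify_seal(sealed, strict=True):
    body, pk, sig = split_seal(sealed)
    return verify(pk, body, sig, strict)

def noncanonical_copy(sealed):
    """Constructed demo input: the same signature with S + L; L*B is the identity,
    so a lax verifier still accepts it while the strict check rejects it."""
    body, pk, sig = split_seal(sealed)
    s2 = int.from_bytes(sig[32:], "little") + L
    return body + SEAL_MARKER + pk + sig[:32] + s2.to_bytes(32, "little")

if __name__ == "__main__":
    seed = os.urandom(32)   # per-install seed from the OS CSPRNG (getrandom on the page)
    sealed = seal_pdf(seed, b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n")
    print("intact:", verify_seal(sealed))
    print("modified body:", verify_seal(sealed.replace(b"Catalog", b"Catalag")))
    alt = noncanonical_copy(sealed)
    print("non-canonical S: lax", verify_seal(alt, strict=False), "strict", verify_seal(alt))
```

The point of the last line is the one the table makes: a lax verifier treats two different byte strings as valid signatures on the same PDF, so anything that keys on the signature bytes (a log, a cache, a deduplication step) can be confused, whereas the strict verifier admits exactly one encoding.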
Offline license verification
| Primitive | signature · Ed25519 |
| Implementation | ed25519-dalek 2 |
| Purpose | Verifies Omitly Pro license signatures fully offline, no network, no PII. |
| FIPS posture | Same posture as the seal above: FIPS 186-5 approved algorithm, non-validated implementation. |
| Source | crates/licensing/src/lib.rs |
Document / report hashing
| Primitive | hash |
| Implementation | sha2 0.10 |
| Purpose | Audit-report and delivered-bytes hashing feeding the seal + license verification digests. |
| FIPS posture | FIPS 180-4 approved algorithm; sha2 is NOT a CMVP-validated module. |
| Source | src-tauri/src/seal.rs, crates/licensing/src/lib.rs |
PAdES signing: CMS SignedData
| Implementation | cryptographic-message-syntax 0.28 |
| Purpose | Builds RFC 5652 CMS SignedData over a BYOC (bring-your-own-certificate) RSA or ECDSA key for PAdES interop with real-world PDF viewers (Acrobat). The crate does not fix one algorithm; RSA vs ECDSA is determined by the imported certificate. Composes with, never precedes, the Ed25519 seal (CLAUDE.md invariant #6). Algorithm floors: SHA-1-issued certs and RSA <2048 bits are refused outright; RSA <3072 warns (NIST SP 800-131A / ASD ISM). Revocation (OCSP/CRL) is NOT checked in this milestone. |
| Source | src-tauri/src/sign.rs |
X.509 certificate parsing
| Implementation | x509-certificate 0.25 |
| Purpose | Parses/validates imported signing certificates for PAdES (algorithm floor + expiry re-checked at sign time, not just at import; CLAUDE.md invariant #9). |
| Source | src-tauri/src/sign.rs |
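Applied to the floors stated in the CMS row and the sign-time re-check in the X.509 row, here is an added Python illustration (not Omitly's Rust code): a CertInfo record standing in for the attributes x509-certificate would parse, one check_cert policy function carrying the page's thresholds, and import and signing gates that both call it so that a certificate accepted at import is judged again against the clock at signing. The field names, the in-memory store, the function names and the certificate fixtures are this example's own assumptions; no key-size floor is applied to ECDSA because the page states floors for RSA only.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

class Verdict(Enum):
    OK = "ok"
    WARN = "warn"        # usable, but the reason should be surfaced to the user
    REJECT = "reject"    # refused outright, at import and again at sign time

@dataclass(frozen=True)
class CertInfo:
    """Attributes a parser such as x509-certificate exposes; values here are constructed."""
    subject: str
    sig_hash: str        # digest in the issuer's signature algorithm: "sha1", "sha256", ...
    key_type: str        # "rsa" or "ecdsa"; CMS picks the algorithm from this, not from config
    key_bits: int        # RSA modulus size (ECDSA: curve size; the page states no ECDSA floor)
    not_after: datetime  # timezone-aware expiry

def check_cert(cert, now):
    """Floors from the page: SHA-1-issued certs and RSA < 2048 bits are refused,
    RSA < 3072 bits warns (NIST SP 800-131A / ASD ISM); an expired cert is refused."""
    reasons = []
    if cert.not_after <= now:
        reasons.append(f"expired at {cert.not_after.isoformat()}")
    if cert.sig_hash.lower() in ("sha1", "sha-1"):
        reasons.append("certificate issued with a SHA-1 signature")
    if cert.key_type == "rsa" and cert.key_bits < 2048:
        reasons.append(f"RSA modulus {cert.key_bits} bits is below the 2048-bit floor")
    if reasons:
        return Verdict.REJECT, reasons
    if cert.key_type == "rsa" and cert.key_bits < 3072:
        return Verdict.WARN, [f"RSA modulus {cert.key_bits} bits is below 3072 (SP 800-131A)"]
    return Verdict.OK, []

def import_certificate(store, cert, now):
    """Import-time gate: a REJECT is never stored; WARN and OK are kept for signing."""
    verdict, reasons = check_cert(cert, now)
    if verdict is not Verdict.REJECT:
        store[cert.subject] = cert
    return verdict, reasons

def sign_with(store, subject, now):
    """Sign-time gate: the same floors and the expiry are evaluated again against the
    clock at signing, so a cert that passed import can still be refused here."""
    cert = store.get(subject)
    if cert is None:
        return Verdict.REJECT, ["certificate not imported"]
    verdict, reasons = check_cert(cert, now)
    # Building the CMS SignedData (and then appending the Ed25519 seal) is outside
    # this example; the gate's verdict is what decides whether that step may run.
    return verdict, reasons

if __name__ == "__main__":
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    year = now + timedelta(days=365)
    store = {}
    fixtures = [  # constructed certificate descriptions
        CertInfo("legacy-sha1", "sha1", "rsa", 4096, year),
        CertInfo("rsa-1024", "sha256", "rsa", 1024, year),
        CertInfo("rsa-2048", "sha256", "rsa", 2048, year),
        CertInfo("p256", "sha256", "ecdsa", 256, year),
        CertInfo("expiring", "sha256", "rsa", 4096, now + timedelta(days=1)),
    ]
    for c in fixtures:
        print("import", c.subject, *import_certificate(store, c, now))
    print("sign expiring +2d", *sign_with(store, "expiring", now + timedelta(days=2)))
```

Keeping one policy function for both gates is what makes invariant #9 cheap to uphold: there is no second copy of the thresholds to drift out of sync with the import path.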
Crypto backend for CMS/X.509
| Primitive | other |
| Implementation | ring 0.17 |
| Purpose | Direct dependency of both cryptographic-message-syntax and x509-certificate (confirmed via a Cargo.lock reverse-dependency trace, not assumed): the actual crypto backend behind their CMS/X.509 operations, not just a transitive pull-through. |
Signing-key seed generation
| Primitive | drbg |
| Implementation | getrandom 0.2 |
| Purpose | Seeds the per-install Ed25519 seal signing key. |
| FIPS posture | OS-provided CSPRNG accessed via getrandom, not a crate-implemented DRBG construction; "drbg" is the closest available CycloneDX primitive type, noted here for precision. |
| Source | src-tauri/src/seal.rs |
Post-quantum
Omitly's signatures (Ed25519) are classical. The tamper-evidence seal and
licence signatures are integrity mechanisms with short-lived trust
relationships, not long-term confidentiality; a harvest-now-decrypt-later
adversary gains nothing, as no document content is ever encrypted or
transmitted. We track NIST PQC standardization and will publish a migration
statement before it is materially relevant to this threat model.