There is a need, among server-side apps, for cryptographic functionality outside of what Swift Crypto currently provides. For Vapor specifically, some examples of this include RSA (MySQL and JWT) and Bcrypt (Vapor). In order to provide RSA specifically, Vapor, like SwiftCrypto itself, embeds a namespaced version of BoringSSL.
Vapor cannot use SwiftCrypto's private copy of BoringSSL directly because BoringSSL does not have a stable API. This means any Vapor app using packages like JWTKit or MySQL will need to download and compile BoringSSL n times. Not only does this increase build time and binary size, it also presents extra maintenance burden for our packages.
I have a couple of ideas for avoiding these issues:
1: SwiftCrypto adds a new module, CryptoExtras, that offers an API for highly requested features like RSA. This API could be listed as unsafe. By being in a separate, OSS-only module, this would avoid breaking API compatibility with Apple's proprietary CryptoKit library.
This solution is ideal as it would minimize the copies of BoringSSL to one.
2: This idea is essentially the same idea as (1) but with the module in a separate package. This would require two copies of BoringSSL, but would at least prevent the number from continuing to grow beyond that. This may be a reasonable compromise if there is concern about offering an unsafe / unofficial module as a part of the official SwiftCrypto package.
I'm very interested for feedback on these ideas and also: What else should be included in a CryptoExtras module?