Ensure cargo test passes with aws-lc-rs alone

ctz · ctz · commit de84af0507fb · 2023-09-15T16:46:26.000+01:00
Ensure `cargo package` works with --all-features, otherwise
optional modules could be missing from the list in Cargo.toml!
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -99,7 +99,7 @@ jobs:
       - name: Install rust toolchain
         uses: dtolnay/rust-toolchain@stable
 
-      - run: cargo package
+      - run: cargo package --all-features
 
   test:
     name: Build+test
@@ -111,6 +111,7 @@ jobs:
           - --features=alloc
           - --all-features
           - --no-default-features
+          - --no-default-features --features alloc,std,aws_lc_rs
 
         mode:
           - # debug
@@ -126,6 +127,7 @@ jobs:
           - features: --features=alloc
           - features: --no-default-features
           - features: --no-default-features --features alloc,std
+          - features: --no-default-features --features alloc,std,aws_lc_rs
           - features: --all-features
             mode: --release
           - features: --all-features
@@ -185,6 +187,23 @@ jobs:
             mode: # debug
             rust_channel: stable
             host_os: ubuntu-latest
+
+          # check aws-lc-rs alone
+          - features: --no-default-features --features alloc,std,aws_lc_rs
+            mode: # debug
+            rust_channel: stable
+            host_os: macos-latest
+
+          - features: --no-default-features --features alloc,std,aws_lc_rs
+            mode: # debug
+            rust_channel: stable
+            host_os: windows-latest
+
+          - features: --no-default-features --features alloc,std,aws_lc_rs
+            mode: # debug
+            rust_channel: stable
+            host_os: ubuntu-latest
+
     steps:
       - name: Checkout sources
         uses: actions/checkout@v4
@@ -196,6 +215,10 @@ jobs:
         with:
           toolchain: ${{ matrix.rust_channel }}
 
+      - name: Install NASM for aws-lc-rs on Windows
+        if: runner.os == 'Windows'
+        uses: ilammy/setup-nasm@v1
+
       - name: cargo test (${{ matrix.mode }}, ${{ matrix.features }})
         run: cargo test -vv ${{ matrix.features }} ${{ matrix.mode }} -- --ignored
         env:
diff --git a/src/verify_cert.rs b/src/verify_cert.rs
@@ -495,7 +495,7 @@ enum Role {
     EndEntity,
 }
 
-#[cfg(all(test, feature = "alloc", feature = "ring"))]
+#[cfg(all(test, feature = "alloc", any(feature = "ring", feature = "aws_lc_rs")))]
 mod tests {
     use super::*;
     use crate::test_utils::{make_end_entity, make_issuer};
diff --git a/tests/better_tls.rs b/tests/better_tls.rs
@@ -1,4 +1,4 @@
-#![cfg(feature = "ring")]
+#![cfg(any(feature = "ring", feature = "aws_lc_rs"))]
 
 use core::time::Duration;
 use std::collections::HashMap;
@@ -9,9 +9,17 @@ use bzip2::read::BzDecoder;
 use pki_types::UnixTime;
 use serde::Deserialize;
 
-use webpki::types::{CertificateDer, TrustAnchor};
+use webpki::types::{CertificateDer, SignatureVerificationAlgorithm, TrustAnchor};
 use webpki::{extract_trust_anchor, KeyUsage, SubjectNameRef};
 
+// All of the BetterTLS testcases use P256 keys.
+static ALGS: &[&dyn SignatureVerificationAlgorithm] = &[
+    #[cfg(feature = "ring")]
+    webpki::ring::ECDSA_P256_SHA256,
+    #[cfg(feature = "aws_lc_rs")]
+    webpki::aws_lc_rs::ECDSA_P256_SHA256,
+];
+
 #[ignore] // Runs slower than other unit tests - opt-in with `cargo test -- --ignored`
 #[test]
 fn path_building() {
@@ -69,7 +77,7 @@ fn run_testsuite(suite_name: &str, suite: &BetterTlsSuite, roots: &[TrustAnchor]
 
         let result = ee_cert
             .verify_for_usage(
-                &[webpki::ring::ECDSA_P256_SHA256], // All of the BetterTLS testcases use P256 keys.
+                ALGS,
                 roots,
                 intermediates,
                 now,
diff --git a/tests/client_auth.rs b/tests/client_auth.rs
@@ -12,7 +12,7 @@
 // ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 // OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
-#![cfg(all(feature = "alloc", feature = "ring"))]
+#![cfg(all(feature = "alloc", any(feature = "ring", feature = "aws_lc_rs")))]
 
 use core::time::Duration;
 use pki_types::{CertificateDer, UnixTime};
diff --git a/tests/client_auth_revocation.rs b/tests/client_auth_revocation.rs
@@ -12,16 +12,23 @@
 // ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 // OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
-#![cfg(feature = "ring")]
+#![cfg(any(feature = "ring", feature = "aws_lc_rs"))]
 
 use core::time::Duration;
 
-use pki_types::{CertificateDer, UnixTime};
+use pki_types::{CertificateDer, SignatureVerificationAlgorithm, UnixTime};
 use webpki::{
     extract_trust_anchor, KeyUsage, RevocationCheckDepth, RevocationOptions,
     RevocationOptionsBuilder,
 };
 
+static ALGS: &[&dyn SignatureVerificationAlgorithm] = &[
+    #[cfg(feature = "ring")]
+    webpki::ring::ECDSA_P256_SHA256,
+    #[cfg(feature = "aws_lc_rs")]
+    webpki::aws_lc_rs::ECDSA_P256_SHA256,
+];
+
 fn check_cert(
     ee: &[u8],
     intermediates: &[&[u8]],
@@ -39,7 +46,7 @@ fn check_cert(
         .collect::<Vec<_>>();
 
     cert.verify_for_usage(
-        &[webpki::ring::ECDSA_P256_SHA256],
+        ALGS,
         anchors,
         &intermediates,
         time,
diff --git a/tests/custom_ekus.rs b/tests/custom_ekus.rs
@@ -1,4 +1,4 @@
-#![cfg(all(feature = "alloc", feature = "ring"))]
+#![cfg(all(feature = "alloc", any(feature = "ring", feature = "aws_lc_rs")))]
 
 use core::time::Duration;
 
diff --git a/tests/integration.rs b/tests/integration.rs
@@ -12,7 +12,7 @@
 // ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 // OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
-#![cfg(feature = "ring")]
+#![cfg(any(feature = "ring", feature = "aws_lc_rs"))]
 
 use core::time::Duration;
 
diff --git a/tests/signatures.rs b/tests/signatures.rs
@@ -12,7 +12,7 @@
 // ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 // OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
-#![cfg(feature = "ring")]
+#![cfg(any(feature = "ring", feature = "aws_lc_rs"))]
 
 use pki_types::{CertificateDer, SignatureVerificationAlgorithm};
 #[cfg(feature = "ring")]
@@ -26,6 +26,14 @@ use webpki::ring::{
     RSA_PSS_2048_8192_SHA384_LEGACY_KEY, RSA_PSS_2048_8192_SHA512_LEGACY_KEY,
 };
 
+#[cfg(all(not(feature = "ring"), feature = "aws_lc_rs"))]
+use webpki::aws_lc_rs::{
+    ECDSA_P256_SHA256, ECDSA_P256_SHA384, ECDSA_P384_SHA256, ECDSA_P384_SHA384, ED25519,
+    RSA_PKCS1_2048_8192_SHA256, RSA_PKCS1_2048_8192_SHA384, RSA_PKCS1_2048_8192_SHA512,
+    RSA_PKCS1_3072_8192_SHA384, RSA_PSS_2048_8192_SHA256_LEGACY_KEY,
+    RSA_PSS_2048_8192_SHA384_LEGACY_KEY, RSA_PSS_2048_8192_SHA512_LEGACY_KEY,
+};
+
 #[cfg(feature = "alloc")]
 fn check_sig(
     ee: &[u8],
diff --git a/tests/tls_server_certs.rs b/tests/tls_server_certs.rs
@@ -11,7 +11,7 @@
 // WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 // ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 // OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-#![cfg(all(feature = "alloc", feature = "ring"))]
+#![cfg(all(feature = "alloc", any(feature = "ring", feature = "aws_lc_rs")))]
 
 use core::time::Duration;
 

Original file line number	Diff line number	Diff line change
`@@ -495,7 +495,7 @@ enum Role {`
`495`	`495`	`EndEntity,`
`496`	`496`	`}`
`497`	`497`
`498`		`-#[cfg(all(test, feature = "alloc", feature = "ring"))]`
	`498`	`+#[cfg(all(test, feature = "alloc", any(feature = "ring", feature = "aws_lc_rs")))]`
`499`	`499`	`mod tests {`
`500`	`500`	`use super::*;`
`501`	`501`	`use crate::test_utils::{make_end_entity, make_issuer};`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-#![cfg(all(feature = "alloc", feature = "ring"))]`
	`1`	`+#![cfg(all(feature = "alloc", any(feature = "ring", feature = "aws_lc_rs")))]`
`2`	`2`
`3`	`3`	`use core::time::Duration;`
`4`	`4`