Skip to content

Optionally support aws-lc-rs#158

Merged
ctz merged 12 commits intomainfrom
jbp-aws-lc-rs-support
Sep 20, 2023
Merged

Optionally support aws-lc-rs#158
ctz merged 12 commits intomainfrom
jbp-aws-lc-rs-support

Conversation

@ctz
Copy link
Member

@ctz ctz commented Aug 30, 2023
edited
Loading

This passes the same set of testing as ring. I haven't tested performance.

(I've removed some of the novel code-reuse via super:: present in prior versions of this PR, because aws-lc-rs does not gate RSA on the alloc feature. That was a detail I think worth getting right, but means quite a bit of similarity between aws_ls_rs_algs.rs and ring_algs.rs. But I am using a similar trick to reuse the test code.)

@codecov
Copy link

codecov bot commented Aug 30, 2023
edited
Loading

Codecov Report

Merging #158 (45b74d0) into main (16a9127) will increase coverage by 0.00%.
The diff coverage is 100.00%.

@@           Coverage Diff           @@
##             main     #158   +/-   ##
=======================================
  Coverage   96.33%   96.34%           
=======================================
  Files          17       19    +2     
  Lines        4524     4536   +12     
=======================================
+ Hits         4358     4370   +12     
  Misses        166      166
Files Changed Coverage Δ
src/ring_algs.rs 100.00% <ø> (ø)
src/test_utils.rs 100.00% <ø> (ø)
src/alg_tests.rs 100.00% <100.00%> (ø)
src/aws_lc_rs_algs.rs 100.00% <100.00%> (ø)
src/verify_cert.rs 97.35% <100.00%> (-0.01%) ⬇️

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

cpu
cpu reviewed Aug 30, 2023
View reviewed changes
Copy link
Member

@cpu cpu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks great 🚀

Build currently known-broken on windows. This will be stuck as a draft until then.

Is there a path forward in the event Windows support in the upstream crate isn't prioritized?

The first commit is somewhat odd/novel, to allow a single file to be used twice with different dependencies, resolved via super::lib. Interested in any alternatives to that!

It seems like a reasonable approach to me but I'm not sure I have the experience to see any lurking danger from the novelty. Was there a particular reason you were interested in alternatives that would be good to know about?

src/lib.rs Outdated
Comment on lines 99 to 102
/// An array of all the verification algorithms exported by this crate.
///
/// This will be empty if the crate is built without the `ring` feature.
pub static ALL_VERIFICATION_ALGS: &[&dyn SignatureVerificationAlgorithm] = &[
Copy link
Member

@cpu cpu Aug 30, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you! It's been gross seeing variations of this replicating across various tests 😅

djc
djc reviewed Aug 31, 2023
View reviewed changes
tests/signatures.rs Outdated
webpki::RSA_PSS_2048_8192_SHA256_LEGACY_KEY,
webpki::RSA_PSS_2048_8192_SHA384_LEGACY_KEY,
webpki::RSA_PSS_2048_8192_SHA512_LEGACY_KEY,
webpki::ring::ECDSA_P256_SHA256,
Copy link
Member

@djc djc Aug 31, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could/should these (and the other long lists in tests) use ALL_?

Copy link
Member Author

@ctz ctz Sep 15, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

some of these lists are things like "all the algorithms except RSA_PSS_2048_8192_SHA256_LEGACY_KEY" which could be addressed by filtering the ALL_ list and removing the desired one? probably not going to do that in this PR, but will keep it in mind for a later refactor

@ctz ctz mentioned this pull request Sep 13, 2023
Merged
@cpu
Copy link
Member

cpu commented Sep 14, 2023

Could this be revived in a non-draft status now that the upstream fixed Windows support or are we waiting for a release tag there? 🤔

I think it's important to get this into the blocking list for #159

@cpu cpu mentioned this pull request Sep 14, 2023
Closed
13 tasks
@ctz ctz force-pushed the jbp-aws-lc-rs-support branch 4 times, most recently from 9759e1a to 84436a0 Compare September 15, 2023 13:22
@ctz ctz marked this pull request as ready for review September 15, 2023 13:26
@ctz
Copy link
Member Author

ctz commented Sep 15, 2023

nb. coverage job is broken due to nightly breaking time; see time-rs/time#618

@ctz ctz marked this pull request as draft September 15, 2023 14:36
@ctz
Copy link
Member Author

ctz commented Sep 15, 2023

Apologies, CI is telling me this is not completely baked!

@ctz ctz force-pushed the jbp-aws-lc-rs-support branch 3 times, most recently from 5d69116 to de84af0 Compare September 15, 2023 15:46
@ctz ctz marked this pull request as ready for review September 15, 2023 15:50
cpu
cpu approved these changes Sep 18, 2023
View reviewed changes
src/verify_cert.rs Outdated
}

#[cfg(test)]
#[cfg(all(test, feature = "alloc", feature = "ring"))]
Copy link
Member

@cpu cpu Sep 18, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks 👍 I also moved to a module-wide requirement for alloc in #179

src/test_utils.rs
rcgen::Certificate::from_params(ca_params).unwrap()
}

#[cfg_attr(not(feature = "ring"), allow(dead_code))]
Copy link
Member

@cpu cpu Sep 18, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think with the refactoring I did in #178 this will fall away because end_entity.rs's printable_string_common_name test will use the make_end_entity helper from a test that doesn't require ring 🤞

ctz added 11 commits September 20, 2023 10:32
@ctz
Defend cargo test without ring
6ff143a
@ctz
verify_cert.rs: don't try tests without ring
68680e1
@ctz
client_auth.rs: don't try without ring
6a3baae
@ctz
test_utils.rs: make_end_entity is not referenced without ring
8313d38
@ctz
Extract algorithm tests from ring_algs.rs
3f1c857
@ctz
Extract feature-gated configuration from alg_tests.rs
437519b
@ctz
Export array of all predefined SignatureVerificationAlgorithms
d139225 
This avoids quite a bit of repetition in tests, and addresses the
case that a consuming crate wants to use the full set of predefined
algorithms but doesn't much care what they are.
@ctz
tests/signatures.rs: import algorithms at top
bf2d36a
@ctz
Export *ring*-backed signature algorithms in crate::ring.
eaed18c 
This is a breaking change -- previously these were in the
crate root.

This is necessary to keep crate features additive: the
`ring` crate feature provides this set of items.
@ctz
Add aws-lc-rs as optional dependency
8890ddc 
Export SignatureVerificationAlgorithms backed by it in webpki::aws_lc_rs
@ctz
Enable test coverage with aws-lc-rs
3e672ae 
When run with --feature aws_lc_rs but not --feature ring,
use aws-lc-rs to run the same set of tests.
@ctz
Exercise aws-lc-rs in CI
45b74d0 
- ensure `cargo package` works with --all-features, otherwise
  optional modules could be missing from the list in Cargo.toml.
- install nasm on windows for aws-lc-rs
- run tests against aws-lc-rs on all platforms
@ctz ctz force-pushed the jbp-aws-lc-rs-support branch from de84af0 to 45b74d0 Compare September 20, 2023 09:55
@ctz ctz added this pull request to the merge queue Sep 20, 2023
Merged via the queue into main with commit 4902b1d Sep 20, 2023
@ctz ctz deleted the jbp-aws-lc-rs-support branch September 20, 2023 10:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@djc djc djc left review comments

@cpu cpu cpu approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ctz @cpu @djc