Ensure cargo test passes with aws-lc-rs alone

Ensure `cargo package` works with --all-features, otherwise
optional modules could be missing from the list in Cargo.toml!

Author: ctz

.github/workflows/ci.yml

@@ -99,7 +99,7 @@ jobs:
       - name: Install rust toolchain
         uses: dtolnay/rust-toolchain@stable
 
-      - run: cargo package
+      - run: cargo package --all-features
 
   test:
     name: Build+test
@@ -111,6 +111,7 @@ jobs:
           - --features=alloc
           - --all-features
           - --no-default-features
+          - --no-default-features --features alloc,std,aws_lc_rs
 
         mode:
           - # debug
@@ -125,6 +126,7 @@ jobs:
           - features: # Default
           - features: --features=alloc
           - features: --no-default-features
+          - features: --no-default-features --features alloc,std,aws_lc_rs
           - features: --all-features
             mode: --release
           - features: --all-features
@@ -179,6 +181,23 @@ jobs:
             mode: # debug
             rust_channel: stable
             host_os: ubuntu-latest
+
+          # check aws-lc-rs alone
+          - features: --no-default-features --features alloc,std,aws_lc_rs
+            mode: # debug
+            rust_channel: stable
+            host_os: macos-latest
+
+          - features: --no-default-features --features alloc,std,aws_lc_rs
+            mode: # debug
+            rust_channel: stable
+            host_os: windows-latest
+
+          - features: --no-default-features --features alloc,std,aws_lc_rs
+            mode: # debug
+            rust_channel: stable
+            host_os: ubuntu-latest
+
     steps:
       - name: Checkout sources
         uses: actions/checkout@v4
@@ -190,6 +209,10 @@ jobs:
         with:
           toolchain: ${{ matrix.rust_channel }}
 
+      - name: Install NASM for aws-lc-rs on Windows
+        if: runner.os == 'Windows'
+        uses: ilammy/setup-nasm@v1
+
       - name: cargo test (${{ matrix.mode }}, ${{ matrix.features }})
         run: cargo test -vv ${{ matrix.features }} ${{ matrix.mode }} -- --ignored
         env:

tests/better_tls.rs

@@ -1,4 +1,4 @@
-#![cfg(feature = "ring")]
+#![cfg(any(feature = "ring", feature = "aws_lc_rs"))]
 
 use core::time::Duration;
 use std::collections::HashMap;
@@ -9,9 +9,17 @@ use bzip2::read::BzDecoder;
 use pki_types::UnixTime;
 use serde::Deserialize;
 
-use webpki::types::{CertificateDer, TrustAnchor};
+use webpki::types::{CertificateDer, SignatureVerificationAlgorithm, TrustAnchor};
 use webpki::{extract_trust_anchor, KeyUsage, SubjectNameRef};
 
+// All of the BetterTLS testcases use P256 keys.
+static ALGS: &[&dyn SignatureVerificationAlgorithm] = &[
+    #[cfg(feature = "ring")]
+    webpki::ring::ECDSA_P256_SHA256,
+    #[cfg(feature = "aws_lc_rs")]
+    webpki::aws_lc_rs::ECDSA_P256_SHA256,
+];
+
 #[ignore] // Runs slower than other unit tests - opt-in with `cargo test -- --ignored`
 #[test]
 fn path_building() {
@@ -69,7 +77,7 @@ fn run_testsuite(suite_name: &str, suite: &BetterTlsSuite, roots: &[TrustAnchor]
 
         let result = ee_cert
             .verify_for_usage(
-                &[webpki::ring::ECDSA_P256_SHA256], // All of the BetterTLS testcases use P256 keys.
+                ALGS,
                 roots,
                 intermediates,
                 now,

tests/client_auth_revocation.rs

@@ -12,16 +12,23 @@
 // ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 // OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
-#![cfg(feature = "ring")]
+#![cfg(any(feature = "ring", feature = "aws_lc_rs"))]
 
 use core::time::Duration;
 
-use pki_types::{CertificateDer, UnixTime};
+use pki_types::{CertificateDer, SignatureVerificationAlgorithm, UnixTime};
 use webpki::{
     extract_trust_anchor, KeyUsage, RevocationCheckDepth, RevocationOptions,
     RevocationOptionsBuilder,
 };
 
+static ALGS: &[&dyn SignatureVerificationAlgorithm] = &[
+    #[cfg(feature = "ring")]
+    webpki::ring::ECDSA_P256_SHA256,
+    #[cfg(feature = "aws_lc_rs")]
+    webpki::aws_lc_rs::ECDSA_P256_SHA256,
+];
+
 fn check_cert(
     ee: &[u8],
     intermediates: &[&[u8]],
@@ -39,7 +46,7 @@ fn check_cert(
         .collect::<Vec<_>>();
 
     cert.verify_for_usage(
-        &[webpki::ring::ECDSA_P256_SHA256],
+        ALGS,
         anchors,
         &intermediates,
         time,

tests/integration.rs

@@ -12,7 +12,7 @@
 // ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 // OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
-#![cfg(feature = "ring")]
+#![cfg(any(feature = "ring", feature = "aws_lc_rs"))]
 
 use core::time::Duration;
 

tests/signatures.rs

@@ -12,9 +12,11 @@
 // ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 // OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
-#![cfg(feature = "ring")]
+#![cfg(any(feature = "ring", feature = "aws_lc_rs"))]
 
 use pki_types::{CertificateDer, SignatureVerificationAlgorithm};
+
+#[cfg(feature = "ring")]
 use webpki::ring::{
     ECDSA_P256_SHA256, ECDSA_P256_SHA384, ECDSA_P384_SHA256, ECDSA_P384_SHA384, ED25519,
 };
@@ -25,6 +27,14 @@ use webpki::ring::{
     RSA_PSS_2048_8192_SHA384_LEGACY_KEY, RSA_PSS_2048_8192_SHA512_LEGACY_KEY,
 };
 
+#[cfg(all(not(feature = "ring"), feature = "aws_lc_rs"))]
+use webpki::aws_lc_rs::{
+    ECDSA_P256_SHA256, ECDSA_P256_SHA384, ECDSA_P384_SHA256, ECDSA_P384_SHA384, ED25519,
+    RSA_PKCS1_2048_8192_SHA256, RSA_PKCS1_2048_8192_SHA384, RSA_PKCS1_2048_8192_SHA512,
+    RSA_PKCS1_3072_8192_SHA384, RSA_PSS_2048_8192_SHA256_LEGACY_KEY,
+    RSA_PSS_2048_8192_SHA384_LEGACY_KEY, RSA_PSS_2048_8192_SHA512_LEGACY_KEY,
+};
+
 #[cfg(feature = "alloc")]
 fn check_sig(
     ee: &[u8],