Move verification tests into a separate crate

djc · djc · commit 28ff3b3d4859 · 2025-09-09T08:27:16.000Z
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -1,5 +1,5 @@
 [workspace]
-members = ["rcgen", "rustls-cert-gen"]
+members = ["verify-tests", "rcgen", "rustls-cert-gen"]
 resolver = "2"
 
 [workspace.package]
diff --git a/rcgen/Cargo.toml b/rcgen/Cargo.toml
@@ -27,13 +27,6 @@ x509-parser = { workspace = true, features = ["verify"], optional = true }
 yasna = { workspace = true }
 zeroize = { workspace = true, optional = true }
 
-[dev-dependencies]
-botan = { workspace = true }
-pki-types = { workspace = true }
-ring = { workspace = true }
-rustls-webpki = { workspace = true }
-x509-parser = { workspace = true, features = ["verify"] }
-
 [target."cfg(unix)".dev-dependencies]
 openssl = { workspace = true }
 
diff --git a/verify-tests/Cargo.toml b/verify-tests/Cargo.toml
@@ -0,0 +1,31 @@
+[package]
+name = "verify-tests"
+version = "0.0.1"
+edition = { workspace = true }
+publish = false
+
+[features]
+default = []
+aws_lc_rs = ["rcgen/aws_lc_rs"]
+fips = ["rcgen/fips"]
+pem = ["dep:pem", "rcgen/pem"]
+ring = ["rcgen/ring"]
+x509-parser = ["dep:x509-parser", "rcgen/x509-parser"]
+
+[dependencies]
+aws-lc-rs = { workspace = true, optional = true }
+pem = { workspace = true, optional = true }
+rcgen = { path = "../rcgen", features = ["pem", "x509-parser"] }
+ring = { workspace = true }
+time = { workspace = true }
+x509-parser = { workspace = true, features = ["verify"], optional = true }
+yasna = { workspace = true }
+
+[dev-dependencies]
+pki-types = { workspace = true }
+rustls-webpki = { workspace = true }
+botan = { workspace = true }
+ring = { workspace = true }
+
+[target."cfg(unix)".dev-dependencies]
+openssl = { workspace = true }
diff --git a/verify-tests/src/lib.rs b/verify-tests/src/lib.rs
@@ -1,5 +1,3 @@
-#![cfg(feature = "crypto")]
-
 use time::{Duration, OffsetDateTime};
 
 use rcgen::{BasicConstraints, Certificate, CertificateParams, Issuer, KeyPair};
@@ -13,7 +11,6 @@ use rcgen::{KeyUsagePurpose, RevocationReason, RevokedCertParams, SerialNumber};
 // to the test_webpki_25519 test and panicing explicitly.
 // This is a "v2" key containing the public key as well as the
 // private one.
-#[allow(unused)]
 pub const ED25519_TEST_KEY_PAIR_PEM_V2: &str = r#"
 -----BEGIN PRIVATE KEY-----
 MFMCAQEwBQYDK2VwBCIEIC2pHJYjFHhK8V7mj6BnHWUVMS4CRolUlDdRXKCtguDu
@@ -23,7 +20,6 @@ oSMDIQDrvH/x8Nx9untsuc6ET+ce3w7PSuLY8BLWcHdXDGvkQA==
 // Generated with `openssl genpkey -algorithm ED25519`
 // A "v1" key as it doesn't contain the public key (which can be
 // derived from the private one)
-#[allow(unused)]
 pub const ED25519_TEST_KEY_PAIR_PEM_V1: &str = r#"
 -----BEGIN PRIVATE KEY-----
 MC4CAQAwBQYDK2VwBCIEIDSat0MacDt2fokpnzuBaXvAQR6RJGS9rgIYOU2mZKld
@@ -36,8 +32,6 @@ Generated by: openssl genpkey -algorithm RSA \
  -pkeyopt rsa_keygen_pubexp:65537 | \
  openssl pkcs8 -topk8 -nocrypt -outform pem
 */
-#[allow(dead_code)] // Used in some but not all test compilation units.
-#[cfg(feature = "pem")]
 pub const RSA_TEST_KEY_PAIR_PEM: &str = r#"
 -----BEGIN PRIVATE KEY-----
 MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDYjmgyV3/LSizJ
diff --git a/verify-tests/tests/botan.rs b/verify-tests/tests/botan.rs
@@ -1,4 +1,4 @@
-#![cfg(all(feature = "crypto", feature = "x509-parser"))]
+#![cfg(feature = "x509-parser")]
 
 use time::{Duration, OffsetDateTime};
 
@@ -7,7 +7,7 @@ use rcgen::{CertificateRevocationListParams, RevocationReason, RevokedCertParams
 use rcgen::{DnValue, KeyPair};
 use rcgen::{KeyUsagePurpose, SerialNumber};
 
-mod util;
+use verify_tests as util;
 
 fn default_params() -> (CertificateParams, KeyPair) {
 	let (mut params, key_pair) = util::default_params();
diff --git a/verify-tests/tests/generic.rs b/verify-tests/tests/generic.rs
@@ -1,7 +1,3 @@
-#![cfg(feature = "crypto")]
-
-mod util;
-
 #[cfg(feature = "pem")]
 mod test_key_params_mismatch {
 	use std::collections::hash_map::DefaultHasher;
@@ -40,9 +36,8 @@ mod test_key_params_mismatch {
 
 #[cfg(feature = "x509-parser")]
 mod test_x509_custom_ext {
-	use crate::util;
-
 	use rcgen::CustomExtension;
+	use verify_tests as util;
 	use x509_parser::oid_registry::asn1_rs;
 	use x509_parser::prelude::{
 		FromDer, ParsedCriAttribute, X509Certificate, X509CertificationRequest,
@@ -166,7 +161,7 @@ mod test_csr_custom_attributes {
 
 #[cfg(feature = "x509-parser")]
 mod test_x509_parser_crl {
-	use crate::util;
+	use verify_tests as util;
 	use x509_parser::extensions::{DistributionPointName, ParsedExtension};
 	use x509_parser::num_bigint::BigUint;
 	use x509_parser::prelude::{FromDer, GeneralName, IssuingDistributionPoint, X509Certificate};
@@ -248,7 +243,7 @@ mod test_x509_parser_crl {
 
 #[cfg(feature = "x509-parser")]
 mod test_parse_crl_dps {
-	use crate::util;
+	use verify_tests as util;
 	use x509_parser::extensions::{DistributionPointName, ParsedExtension};
 
 	#[test]
@@ -425,12 +420,11 @@ mod test_csr {
 
 #[cfg(feature = "x509-parser")]
 mod test_subject_alternative_name_criticality {
+	use verify_tests::default_params;
 	use x509_parser::certificate::X509Certificate;
 	use x509_parser::extensions::X509Extension;
 	use x509_parser::{oid_registry, parse_x509_certificate};
 
-	use crate::util::default_params;
-
 	#[test]
 	fn with_subject_sans_not_critical() {
 		let (params, keypair) = default_params();
diff --git a/verify-tests/tests/openssl.rs b/verify-tests/tests/openssl.rs
@@ -1,4 +1,4 @@
-#![cfg(all(unix, feature = "pem"))]
+#![cfg(unix)]
 
 use std::cell::RefCell;
 use std::io::{Error, ErrorKind, Read, Result as ioResult, Write};
@@ -16,8 +16,7 @@ use rcgen::{
 	BasicConstraints, Certificate, CertificateParams, DnType, DnValue, GeneralSubtree, IsCa,
 	Issuer, KeyPair, NameConstraints,
 };
-
-mod util;
+use verify_tests as util;
 
 fn verify_cert_basic(cert: &Certificate) {
 	let cert_pem = cert.pem();
@@ -502,7 +501,7 @@ fn test_openssl_crl_dps_parse() {
 }
 
 #[test]
-#[cfg(all(feature = "crypto", feature = "aws_lc_rs"))]
+#[cfg(feature = "aws_lc_rs")]
 fn test_openssl_pkcs1_and_sec1_keys() {
 	use openssl::ec::{EcGroup, EcKey};
 	use openssl::nid::Nid;
diff --git a/verify-tests/tests/webpki.rs b/verify-tests/tests/webpki.rs
@@ -1,5 +1,3 @@
-#![cfg(feature = "crypto")]
-
 use std::time::Duration as StdDuration;
 
 use pki_types::{CertificateDer, ServerName, SignatureVerificationAlgorithm, UnixTime};
@@ -22,7 +20,7 @@ use rcgen::{CertificateRevocationListParams, RevocationReason, RevokedCertParams
 use rcgen::{CertificateSigningRequestParams, DnValue};
 use rcgen::{ExtendedKeyUsagePurpose, KeyUsagePurpose, SerialNumber};
 
-mod util;
+use verify_tests as util;
 
 fn sign_msg_ecdsa(key_pair: &KeyPair, msg: &[u8], alg: &'static EcdsaSigningAlgorithm) -> Vec<u8> {
 	let pk_der = key_pair.serialize_der();
@@ -52,6 +50,7 @@ fn sign_msg_rsa(key_pair: &KeyPair, msg: &[u8], encoding: &'static dyn RsaEncodi
 	signature
 }
 
+#[cfg_attr(not(feature = "pem"), allow(unused))]
 fn check_cert<'a, 'b, S: SigningKey + 'a>(
 	cert_der: &CertificateDer<'_>,
 	cert: &'a Certificate,
