diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3f657933..0c749001 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -13,8 +13,26 @@ env: RUSTFLAGS: -D warnings jobs: + format-unstable: + name: Format (unstable) + runs-on: ubuntu-latest + steps: + - name: Checkout sources + uses: actions/checkout@v5 + with: + persist-credentials: false + - name: Install rust nightly toolchain + uses: dtolnay/rust-toolchain@master + with: + toolchain: nightly + components: rustfmt + - name: Check formatting (unstable) + run: cargo fmt --all -- --check --config-path .rustfmt.unstable.toml + - if: ${{ failure() }} + run: echo "Nightly formatting check failed. Please run \`cargo +nightly fmt --config-path .rustfmt.unstable.toml\`" + lint: - name: Format & clippy + name: Clippy runs-on: ubuntu-latest continue-on-error: true steps: @@ -25,8 +43,7 @@ jobs: - name: Install rust toolchain uses: dtolnay/rust-toolchain@stable with: - components: clippy, rustfmt - - run: cargo fmt -- --check + components: clippy # `fips` and `aws_lc_rs_unstable` cannot be used together, so avoid `--all-features` - run: cargo clippy --features ring,pem,x509-parser --all-targets # rustls-cert-gen require either aws_lc_rs or ring feature diff --git a/.rustfmt.toml b/.rustfmt.toml index 56786628..902647d7 100644 --- a/.rustfmt.toml +++ b/.rustfmt.toml @@ -1,2 +1,3 @@ +# keep in sync with .rustfmt.unstable.toml hard_tabs = true match_block_trailing_comma = true diff --git a/.rustfmt.unstable.toml b/.rustfmt.unstable.toml new file mode 100644 index 00000000..43be1c35 --- /dev/null +++ b/.rustfmt.unstable.toml @@ -0,0 +1,7 @@ +# keep in sync with .rustfmt.toml +hard_tabs = true +match_block_trailing_comma = true + +# format imports +group_imports = "StdExternalCrate" +imports_granularity = "Module" \ No newline at end of file diff --git a/rcgen/examples/rsa-irc-openssl.rs b/rcgen/examples/rsa-irc-openssl.rs index 12fceae7..aacb1791 100644 
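Review bot: The new `format-unstable` job uses `dtolnay/rust-toolchain@master`, a mutable branch ref, so any commit pushed to that branch runs in this workflow unreviewed. Pinning to a full commit SHA, `uses: dtolnay/rust-toolchain@<full-commit-sha> # master` (placeholder), keeps the `toolchain: nightly` input and removes that supply-chain exposure. The same applies to the existing `@stable` ref in the `lint` job in the next hunk and, to a lesser degree, to the `actions/checkout@v5` tag. `toolchain: nightly` is also floating, so a rustfmt change in a newer nightly can fail this check on unrelated pull requests; a dated toolchain such as `toolchain: nightly-YYYY-MM-DD` (placeholder) would make the result reproducible. No `permissions:` block is visible in the hunk; if the workflow has no top-level one, adding `permissions: contents: read` to this job would be worthwhile, since it only reads the tree.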
--- a/rcgen/examples/rsa-irc-openssl.rs +++ b/rcgen/examples/rsa-irc-openssl.rs @@ -1,9 +1,10 @@ #[cfg(unix)] fn main() -> Result<(), Box> { - use rcgen::{date_time_ymd, CertificateParams, DistinguishedName}; use std::fmt::Write; use std::fs; + use rcgen::{date_time_ymd, CertificateParams, DistinguishedName}; + let mut params: CertificateParams = Default::default(); params.not_before = date_time_ymd(2021, 5, 19); params.not_after = date_time_ymd(4096, 1, 1); diff --git a/rcgen/examples/sign-leaf-with-ca.rs b/rcgen/examples/sign-leaf-with-ca.rs index 23be6771..bfa08eeb 100644 --- a/rcgen/examples/sign-leaf-with-ca.rs +++ b/rcgen/examples/sign-leaf-with-ca.rs @@ -1,6 +1,7 @@ +use rcgen::DnValue::PrintableString; use rcgen::{ - BasicConstraints, Certificate, CertificateParams, DnType, DnValue::PrintableString, - ExtendedKeyUsagePurpose, IsCa, Issuer, KeyPair, KeyUsagePurpose, + BasicConstraints, Certificate, CertificateParams, DnType, ExtendedKeyUsagePurpose, IsCa, + Issuer, KeyPair, KeyUsagePurpose, }; use time::{Duration, OffsetDateTime}; diff --git a/rcgen/examples/simple.rs b/rcgen/examples/simple.rs index 927583a5..08558382 100644 --- a/rcgen/examples/simple.rs +++ b/rcgen/examples/simple.rs @@ -1,6 +1,7 @@ -use rcgen::{date_time_ymd, CertificateParams, DistinguishedName, DnType, KeyPair, SanType}; use std::fs; +use rcgen::{date_time_ymd, CertificateParams, DistinguishedName, DnType, KeyPair, SanType}; + fn main() -> Result<(), Box> { let mut params: CertificateParams = Default::default(); params.not_before = date_time_ymd(1975, 1, 1); diff --git a/rcgen/src/crl.rs b/rcgen/src/crl.rs index 57dad30d..379970a5 100644 --- a/rcgen/src/crl.rs +++ b/rcgen/src/crl.rs @@ -2,8 +2,7 @@ use pem::Pem; use pki_types::CertificateRevocationListDer; use time::OffsetDateTime; -use yasna::DERWriter; -use yasna::Tag; +use yasna::{DERWriter, Tag}; use crate::key_pair::sign_der; #[cfg(feature = "pem")] diff --git a/rcgen/src/csr.rs b/rcgen/src/csr.rs index 85b49eb8..4b400336 100644 
--- a/rcgen/src/csr.rs +++ b/rcgen/src/csr.rs @@ -203,10 +203,11 @@ impl CertificateSigningRequestParams { #[cfg(all(test, feature = "x509-parser"))] mod tests { - use crate::{CertificateParams, ExtendedKeyUsagePurpose, KeyPair, KeyUsagePurpose}; use x509_parser::certification_request::X509CertificationRequest; use x509_parser::prelude::{FromDer, ParsedExtension}; + use crate::{CertificateParams, ExtendedKeyUsagePurpose, KeyPair, KeyUsagePurpose}; + #[test] fn dont_write_sans_extension_if_no_sans_are_present() { let mut params = CertificateParams::default(); diff --git a/rcgen/src/key_pair.rs b/rcgen/src/key_pair.rs index 95c1301d..839b049a 100644 --- a/rcgen/src/key_pair.rs +++ b/rcgen/src/key_pair.rs @@ -1,6 +1,8 @@ #[cfg(feature = "crypto")] use std::fmt; +#[cfg(all(feature = "aws_lc_rs_unstable", not(feature = "fips")))] +use aws_lc_rs::unstable::signature::PqdsaKeyPair; #[cfg(feature = "pem")] use pem::Pem; #[cfg(feature = "crypto")] @@ -22,13 +24,12 @@ use crate::ring_like::{ }, {ecdsa_from_pkcs8, rsa_key_pair_public_modulus_len}, }; +use crate::sign_algo::SignatureAlgorithm; #[cfg(feature = "crypto")] use crate::sign_algo::{algo::*, SignAlgo}; +use crate::Error; #[cfg(feature = "pem")] use crate::ENCODE_CONFIG; -use crate::{sign_algo::SignatureAlgorithm, Error}; -#[cfg(all(feature = "aws_lc_rs_unstable", not(feature = "fips")))] -use aws_lc_rs::unstable::signature::PqdsaKeyPair; /// A key pair variant #[allow(clippy::large_enum_variant)] @@ -679,10 +680,8 @@ impl SubjectPublicKeyInfo { /// Create a `SubjectPublicKey` value from DER-encoded SubjectPublicKeyInfo bytes #[cfg(feature = "x509-parser")] pub fn from_der(spki_der: &[u8]) -> Result { - use x509_parser::{ - prelude::FromDer, - x509::{AlgorithmIdentifier, SubjectPublicKeyInfo}, - }; + use x509_parser::prelude::FromDer; + use x509_parser::x509::{AlgorithmIdentifier, SubjectPublicKeyInfo}; let (rem, spki) = SubjectPublicKeyInfo::from_der(spki_der).map_err(|e| Error::X509(e.to_string()))?; 
@@ -762,11 +761,8 @@ pub(crate) fn serialize_public_key_der(key: &(impl PublicKeyData + ?Sized), writ #[cfg(all(test, feature = "crypto"))] mod test { use super::*; - - use crate::ring_like::{ - rand::SystemRandom, - signature::{EcdsaKeyPair, ECDSA_P256_SHA256_FIXED_SIGNING}, - }; + use crate::ring_like::rand::SystemRandom; + use crate::ring_like::signature::{EcdsaKeyPair, ECDSA_P256_SHA256_FIXED_SIGNING}; #[cfg(all(feature = "x509-parser", feature = "pem"))] #[test] diff --git a/rcgen/src/lib.rs b/rcgen/src/lib.rs index c42f3d0b..83816182 100644 --- a/rcgen/src/lib.rs +++ b/rcgen/src/lib.rs @@ -41,18 +41,6 @@ use std::net::IpAddr; use std::net::{Ipv4Addr, Ipv6Addr}; use std::ops::Deref; -#[cfg(feature = "pem")] -use pem::Pem; -use pki_types::CertificateDer; -use time::{OffsetDateTime, Time}; -use yasna::models::ObjectIdentifier; -use yasna::models::{GeneralizedTime, UTCTime}; -use yasna::tags::{TAG_BMPSTRING, TAG_TELETEXSTRING, TAG_UNIVERSALSTRING}; -use yasna::DERWriter; -use yasna::Tag; - -use crate::string::{BmpString, Ia5String, PrintableString, TeletexString, UniversalString}; - pub use certificate::{ date_time_ymd, Attribute, BasicConstraints, Certificate, CertificateParams, CidrSubnet, CustomExtension, DnType, ExtendedKeyUsagePurpose, GeneralSubtree, IsCa, NameConstraints, 
@@ -65,14 +53,22 @@ pub use csr::{CertificateSigningRequest, CertificateSigningRequestParams, Public pub use error::{Error, InvalidAsn1String}; #[cfg(feature = "crypto")] pub use key_pair::KeyPair; -pub use key_pair::PublicKeyData; #[cfg(all(feature = "crypto", feature = "aws_lc_rs"))] pub use key_pair::RsaKeySize; -pub use key_pair::{SigningKey, SubjectPublicKeyInfo}; +pub use key_pair::{PublicKeyData, SigningKey, SubjectPublicKeyInfo}; +#[cfg(feature = "pem")] +use pem::Pem; +use pki_types::CertificateDer; #[cfg(feature = "crypto")] use ring_like::digest; pub use sign_algo::algo::*; pub use sign_algo::SignatureAlgorithm; +use time::{OffsetDateTime, Time}; +use yasna::models::{GeneralizedTime, ObjectIdentifier, UTCTime}; +use yasna::tags::{TAG_BMPSTRING, TAG_TELETEXSTRING, TAG_UNIVERSALSTRING}; +use yasna::{DERWriter, Tag}; + +use crate::string::{BmpString, Ia5String, PrintableString, TeletexString, UniversalString}; mod certificate; mod crl; @@ -987,10 +983,10 @@ mod tests { #[cfg(feature = "x509-parser")] mod test_ip_address_from_octets { - use super::super::ip_addr_from_octets; - use super::super::Error; use std::net::IpAddr; + use super::super::{ip_addr_from_octets, Error}; + #[test] fn ipv4() { let octets = [10, 20, 30, 40]; @@ -1035,10 +1031,12 @@ mod tests { #[cfg(feature = "x509-parser")] mod test_san_type_from_general_name { - use crate::SanType; use std::net::IpAddr; + use x509_parser::extensions::GeneralName; + use crate::SanType; + #[test] fn with_ipv4() { let octets = [1, 2, 3, 4]; diff --git a/rcgen/src/sign_algo.rs b/rcgen/src/sign_algo.rs index 2894cd5e..bc9d18b3 100644 --- a/rcgen/src/sign_algo.rs +++ b/rcgen/src/sign_algo.rs 
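Review bot: In the `lib.rs` import block, the reordered lines now interleave the crate's own re-exports with third-party imports: `use pem::Pem;` and `use pki_types::CertificateDer;` sit between `pub use key_pair::…` and `use ring_like::digest;`. This suggests that `group_imports = "StdExternalCrate"` sorts the unprefixed local-module paths into the external-crate group. Writing them as `pub use crate::key_pair::{PublicKeyData, SigningKey, SubjectPublicKeyInfo};` and `use crate::ring_like::digest;` should move them into the local group beside `use crate::string::…` and keep the public re-export surface in one place. The import block starts before this hunk, so the earlier `pub use certificate::…` lines would need the same prefix.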
@@ -1,17 +1,16 @@ use std::fmt; use std::hash::{Hash, Hasher}; +#[cfg(all(feature = "aws_lc_rs_unstable", not(feature = "fips")))] +use aws_lc_rs::unstable::signature::{ + PqdsaSigningAlgorithm, ML_DSA_44_SIGNING, ML_DSA_65_SIGNING, ML_DSA_87_SIGNING, +}; use yasna::models::ObjectIdentifier; -use yasna::DERWriter; -use yasna::Tag; +use yasna::{DERWriter, Tag}; #[cfg(feature = "crypto")] use crate::ring_like::signature::{self, EcdsaSigningAlgorithm, EdDSAParameters, RsaEncoding}; use crate::Error; -#[cfg(all(feature = "aws_lc_rs_unstable", not(feature = "fips")))] -use aws_lc_rs::unstable::signature::{ - PqdsaSigningAlgorithm, ML_DSA_44_SIGNING, ML_DSA_65_SIGNING, ML_DSA_87_SIGNING, -}; #[cfg(feature = "crypto")] #[derive(Clone, Copy, Debug)] @@ -119,9 +118,8 @@ impl SignatureAlgorithm { /// The list of supported signature algorithms pub(crate) mod algo { - use crate::oid::*; - use super::*; + use crate::oid::*; /// RSA signing with PKCS#1 1.5 padding and SHA-256 hashing as per [RFC 4055](https://tools.ietf.org/html/rfc4055) pub static PKCS_RSA_SHA256: SignatureAlgorithm = SignatureAlgorithm { diff --git a/rcgen/src/string.rs b/rcgen/src/string.rs index c133463d..cb7537b8 100644 --- a/rcgen/src/string.rs +++ b/rcgen/src/string.rs @@ -1,6 +1,7 @@ //! ASN.1 string types -use std::{fmt, str::FromStr}; +use std::fmt; +use std::str::FromStr; use crate::{Error, InvalidAsn1String}; diff --git a/rustls-cert-gen/src/cert.rs b/rustls-cert-gen/src/cert.rs index 624c71d5..ddee0042 100644 --- a/rustls-cert-gen/src/cert.rs +++ b/rustls-cert-gen/src/cert.rs 
@@ -1,10 +1,13 @@ -use std::{fmt, fs::File, io, path::Path, str::FromStr}; +use std::fs::File; +use std::path::Path; +use std::str::FromStr; +use std::{fmt, io}; use bpaf::Bpaf; +use rcgen::DnValue::PrintableString; use rcgen::{ BasicConstraints, Certificate, CertificateParams, CertifiedIssuer, DistinguishedName, DnType, - DnValue::PrintableString, ExtendedKeyUsagePurpose, IsCa, KeyPair, KeyUsagePurpose, SanType, - SignatureAlgorithm, + ExtendedKeyUsagePurpose, IsCa, KeyPair, KeyUsagePurpose, SanType, SignatureAlgorithm, }; /// Builder to configure TLS [CertificateParams] to be finalized diff --git a/rustls-cert-gen/src/main.rs b/rustls-cert-gen/src/main.rs index 459c1093..e54c93e2 100644 --- a/rustls-cert-gen/src/main.rs +++ b/rustls-cert-gen/src/main.rs @@ -1,4 +1,6 @@ -use std::{net::IpAddr, path::PathBuf, str::FromStr}; +use std::net::IpAddr; +use std::path::PathBuf; +use std::str::FromStr; use bpaf::Bpaf; use rcgen::{Error, SanType}; diff --git a/verify-tests/src/lib.rs b/verify-tests/src/lib.rs index 4c2cc5db..35cb21c4 100644 --- a/verify-tests/src/lib.rs +++ b/verify-tests/src/lib.rs @@ -1,11 +1,10 @@ -use time::{Duration, OffsetDateTime}; - -use rcgen::{BasicConstraints, Certificate, CertificateParams, Issuer, KeyPair}; use rcgen::{ - CertificateRevocationList, CrlDistributionPoint, CrlIssuingDistributionPoint, CrlScope, + BasicConstraints, Certificate, CertificateParams, CertificateRevocationList, + CertificateRevocationListParams, CrlDistributionPoint, CrlIssuingDistributionPoint, CrlScope, + DnType, IsCa, Issuer, KeyIdMethod, KeyPair, KeyUsagePurpose, RevocationReason, + RevokedCertParams, SerialNumber, }; -use rcgen::{CertificateRevocationListParams, DnType, IsCa, KeyIdMethod}; -use rcgen::{KeyUsagePurpose, RevocationReason, RevokedCertParams, SerialNumber}; +use time::{Duration, OffsetDateTime}; // Generated by adding `println!("{}", cert.serialize_private_key_pem());` // to the test_webpki_25519 test and panicing explicitly. 
diff --git a/verify-tests/tests/botan.rs b/verify-tests/tests/botan.rs index 29715732..76c48a60 100644 --- a/verify-tests/tests/botan.rs +++ b/verify-tests/tests/botan.rs @@ -1,12 +1,11 @@ #![cfg(feature = "x509-parser")] +use rcgen::{ + BasicConstraints, Certificate, CertificateParams, CertificateRevocationListParams, DnType, + DnValue, IsCa, Issuer, KeyPair, KeyUsagePurpose, RevocationReason, RevokedCertParams, + SerialNumber, +}; use time::{Duration, OffsetDateTime}; - -use rcgen::{BasicConstraints, Certificate, CertificateParams, DnType, IsCa, Issuer}; -use rcgen::{CertificateRevocationListParams, RevocationReason, RevokedCertParams}; -use rcgen::{DnValue, KeyPair}; -use rcgen::{KeyUsagePurpose, SerialNumber}; - use verify_tests as util; fn default_params() -> (CertificateParams, KeyPair) { diff --git a/verify-tests/tests/generic.rs b/verify-tests/tests/generic.rs index 108d5eaa..3b6f668e 100644 --- a/verify-tests/tests/generic.rs +++ b/verify-tests/tests/generic.rs @@ -105,10 +105,8 @@ mod test_x509_custom_ext { #[cfg(feature = "x509-parser")] mod test_csr_custom_attributes { use rcgen::{Attribute, CertificateParams, KeyPair}; - use x509_parser::{ - der_parser::Oid, - prelude::{FromDer, X509CertificationRequest}, - }; + use x509_parser::der_parser::Oid; + use x509_parser::prelude::{FromDer, X509CertificationRequest}; /// Test serializing a CSR with custom attributes. /// This test case uses `challengePassword` from [RFC 2985], a simple diff --git a/verify-tests/tests/openssl.rs b/verify-tests/tests/openssl.rs index 4286d200..a99cad49 100644 --- a/verify-tests/tests/openssl.rs +++ b/verify-tests/tests/openssl.rs 
@@ -11,7 +11,6 @@ use openssl::ssl::{HandshakeError, SslAcceptor, SslConnector, SslMethod}; use openssl::stack::Stack; use openssl::x509::store::{X509Store, X509StoreBuilder}; use openssl::x509::{CrlStatus, X509Crl, X509Req, X509StoreContext, X509}; - use rcgen::{ BasicConstraints, Certificate, CertificateParams, DnType, DnValue, GeneralSubtree, IsCa, Issuer, KeyPair, NameConstraints, diff --git a/verify-tests/tests/webpki.rs b/verify-tests/tests/webpki.rs index 89bc7ff5..75ad79c8 100644 --- a/verify-tests/tests/webpki.rs +++ b/verify-tests/tests/webpki.rs 
@@ -5,27 +5,24 @@ use aws_lc_rs::unstable::signature::{ PqdsaKeyPair, PqdsaSigningAlgorithm, ML_DSA_44_SIGNING, ML_DSA_65_SIGNING, ML_DSA_87_SIGNING, }; use pki_types::{CertificateDer, ServerName, SignatureVerificationAlgorithm, UnixTime}; +use rcgen::{ + BasicConstraints, Certificate, CertificateParams, CertificateRevocationListParams, DnType, + Error, ExtendedKeyUsagePurpose, IsCa, Issuer, KeyPair, KeyUsagePurpose, PublicKeyData, + RevocationReason, RevokedCertParams, SerialNumber, SigningKey, +}; +#[cfg(feature = "x509-parser")] +use rcgen::{CertificateSigningRequestParams, DnValue}; use ring::rand::SystemRandom; use ring::signature::{self, EcdsaKeyPair, EcdsaSigningAlgorithm, Ed25519KeyPair, KeyPair as _}; #[cfg(feature = "pem")] use ring::signature::{RsaEncoding, RsaKeyPair}; use time::{Duration, OffsetDateTime}; +use verify_tests as util; use webpki::{ anchor_from_trusted_cert, BorrowedCertRevocationList, CertRevocationList, EndEntityCert, KeyUsage, RevocationOptionsBuilder, }; -use rcgen::{ - BasicConstraints, Certificate, CertificateParams, DnType, Error, IsCa, Issuer, KeyPair, - PublicKeyData, SigningKey, -}; -use rcgen::{CertificateRevocationListParams, RevocationReason, RevokedCertParams}; -#[cfg(feature = "x509-parser")] -use rcgen::{CertificateSigningRequestParams, DnValue}; -use rcgen::{ExtendedKeyUsagePurpose, KeyUsagePurpose, SerialNumber}; - -use verify_tests as util; - fn sign_msg_ecdsa(key_pair: &KeyPair, msg: &[u8], alg: &'static EcdsaSigningAlgorithm) -> Vec { let pk_der = key_pair.serialize_der(); let key_pair =