Group imports

.github/workflows/ci.yml

@@ -13,8 +13,26 @@ env:
     RUSTFLAGS: -D warnings
 
 jobs:
+    format-unstable:
+        name: Format (unstable)
+        runs-on: ubuntu-latest
+        steps:
+            - name: Checkout sources
+              uses: actions/checkout@v5
+              with:
+                  persist-credentials: false
+            - name: Install rust nightly toolchain
+              uses: dtolnay/rust-toolchain@master
+              with:
+                  toolchain: nightly
+                  components: rustfmt
+            - name: Check formatting (unstable)
+              run: cargo fmt --all -- --check --config-path .rustfmt.unstable.toml
+            - if: ${{ failure() }}
+              run: echo "Nightly formatting check failed. Please run \`cargo +nightly fmt --config-path .rustfmt.unstable.toml\`"
+
     lint:
-        name: Format & clippy
+        name: Clippy
         runs-on: ubuntu-latest
         continue-on-error: true
         steps:
@@ -25,8 +43,7 @@ jobs:
             - name: Install rust toolchain
               uses: dtolnay/rust-toolchain@stable
               with:
-                  components: clippy, rustfmt
-            - run: cargo fmt -- --check
+                  components: clippy
             # `fips` and `aws_lc_rs_unstable` cannot be used together, so avoid `--all-features`
             - run: cargo clippy --features ring,pem,x509-parser --all-targets
             # rustls-cert-gen require either aws_lc_rs or ring feature

.rustfmt.toml

@@ -1,2 +1,3 @@
+# keep in sync with .rustfmt.unstable.toml
 hard_tabs = true
 match_block_trailing_comma = true

.rustfmt.unstable.toml

@@ -0,0 +1,7 @@
+# keep in sync with .rustfmt.toml
+hard_tabs = true
+match_block_trailing_comma = true
+
+# format imports
+group_imports = "StdExternalCrate"
+imports_granularity = "Module"

rcgen/examples/rsa-irc-openssl.rs

@@ -1,9 +1,10 @@
 #[cfg(unix)]
 fn main() -> Result<(), Box<dyn std::error::Error>> {
-	use rcgen::{date_time_ymd, CertificateParams, DistinguishedName};
 	use std::fmt::Write;
 	use std::fs;
 
+	use rcgen::{date_time_ymd, CertificateParams, DistinguishedName};
+
 	let mut params: CertificateParams = Default::default();
 	params.not_before = date_time_ymd(2021, 5, 19);
 	params.not_after = date_time_ymd(4096, 1, 1);

rcgen/examples/sign-leaf-with-ca.rs

@@ -1,6 +1,7 @@
+use rcgen::DnValue::PrintableString;
 use rcgen::{
-	BasicConstraints, Certificate, CertificateParams, DnType, DnValue::PrintableString,
-	ExtendedKeyUsagePurpose, IsCa, Issuer, KeyPair, KeyUsagePurpose,
+	BasicConstraints, Certificate, CertificateParams, DnType, ExtendedKeyUsagePurpose, IsCa,
+	Issuer, KeyPair, KeyUsagePurpose,
 };
 use time::{Duration, OffsetDateTime};
 

rcgen/examples/simple.rs

@@ -1,6 +1,7 @@
-use rcgen::{date_time_ymd, CertificateParams, DistinguishedName, DnType, KeyPair, SanType};
 use std::fs;
 
+use rcgen::{date_time_ymd, CertificateParams, DistinguishedName, DnType, KeyPair, SanType};
+
 fn main() -> Result<(), Box<dyn std::error::Error>> {
 	let mut params: CertificateParams = Default::default();
 	params.not_before = date_time_ymd(1975, 1, 1);

rcgen/src/crl.rs

@@ -2,8 +2,7 @@
 use pem::Pem;
 use pki_types::CertificateRevocationListDer;
 use time::OffsetDateTime;
-use yasna::DERWriter;
-use yasna::Tag;
+use yasna::{DERWriter, Tag};
 
 use crate::key_pair::sign_der;
 #[cfg(feature = "pem")]

rcgen/src/csr.rs

@@ -203,10 +203,11 @@ impl CertificateSigningRequestParams {
 
 #[cfg(all(test, feature = "x509-parser"))]
 mod tests {
-	use crate::{CertificateParams, ExtendedKeyUsagePurpose, KeyPair, KeyUsagePurpose};
 	use x509_parser::certification_request::X509CertificationRequest;
 	use x509_parser::prelude::{FromDer, ParsedExtension};
 
+	use crate::{CertificateParams, ExtendedKeyUsagePurpose, KeyPair, KeyUsagePurpose};
+
 	#[test]
 	fn dont_write_sans_extension_if_no_sans_are_present() {
 		let mut params = CertificateParams::default();

rcgen/src/key_pair.rs

@@ -1,6 +1,8 @@
 #[cfg(feature = "crypto")]
 use std::fmt;
 
+#[cfg(all(feature = "aws_lc_rs_unstable", not(feature = "fips")))]
+use aws_lc_rs::unstable::signature::PqdsaKeyPair;
 #[cfg(feature = "pem")]
 use pem::Pem;
 #[cfg(feature = "crypto")]
@@ -22,13 +24,12 @@ use crate::ring_like::{
 	},
 	{ecdsa_from_pkcs8, rsa_key_pair_public_modulus_len},
 };
+use crate::sign_algo::SignatureAlgorithm;
 #[cfg(feature = "crypto")]
 use crate::sign_algo::{algo::*, SignAlgo};
+use crate::Error;
 #[cfg(feature = "pem")]
 use crate::ENCODE_CONFIG;
-use crate::{sign_algo::SignatureAlgorithm, Error};
-#[cfg(all(feature = "aws_lc_rs_unstable", not(feature = "fips")))]
-use aws_lc_rs::unstable::signature::PqdsaKeyPair;
 
 /// A key pair variant
 #[allow(clippy::large_enum_variant)]
@@ -679,10 +680,8 @@ impl SubjectPublicKeyInfo {
 	/// Create a `SubjectPublicKey` value from DER-encoded SubjectPublicKeyInfo bytes
 	#[cfg(feature = "x509-parser")]
 	pub fn from_der(spki_der: &[u8]) -> Result<Self, Error> {
-		use x509_parser::{
-			prelude::FromDer,
-			x509::{AlgorithmIdentifier, SubjectPublicKeyInfo},
-		};
+		use x509_parser::prelude::FromDer;
+		use x509_parser::x509::{AlgorithmIdentifier, SubjectPublicKeyInfo};
 
 		let (rem, spki) =
 			SubjectPublicKeyInfo::from_der(spki_der).map_err(|e| Error::X509(e.to_string()))?;
@@ -762,11 +761,8 @@ pub(crate) fn serialize_public_key_der(key: &(impl PublicKeyData + ?Sized), writ
 #[cfg(all(test, feature = "crypto"))]
 mod test {
 	use super::*;
-
-	use crate::ring_like::{
-		rand::SystemRandom,
-		signature::{EcdsaKeyPair, ECDSA_P256_SHA256_FIXED_SIGNING},
-	};
+	use crate::ring_like::rand::SystemRandom;
+	use crate::ring_like::signature::{EcdsaKeyPair, ECDSA_P256_SHA256_FIXED_SIGNING};
 
 	#[cfg(all(feature = "x509-parser", feature = "pem"))]
 	#[test]

rcgen/src/lib.rs

@@ -41,18 +41,6 @@ use std::net::IpAddr;
 use std::net::{Ipv4Addr, Ipv6Addr};
 use std::ops::Deref;
 
-#[cfg(feature = "pem")]
-use pem::Pem;
-use pki_types::CertificateDer;
-use time::{OffsetDateTime, Time};
-use yasna::models::ObjectIdentifier;
-use yasna::models::{GeneralizedTime, UTCTime};
-use yasna::tags::{TAG_BMPSTRING, TAG_TELETEXSTRING, TAG_UNIVERSALSTRING};
-use yasna::DERWriter;
-use yasna::Tag;
-
-use crate::string::{BmpString, Ia5String, PrintableString, TeletexString, UniversalString};
-
 pub use certificate::{
 	date_time_ymd, Attribute, BasicConstraints, Certificate, CertificateParams, CidrSubnet,
 	CustomExtension, DnType, ExtendedKeyUsagePurpose, GeneralSubtree, IsCa, NameConstraints,
@@ -65,14 +53,22 @@ pub use csr::{CertificateSigningRequest, CertificateSigningRequestParams, Public
 pub use error::{Error, InvalidAsn1String};
 #[cfg(feature = "crypto")]
 pub use key_pair::KeyPair;
-pub use key_pair::PublicKeyData;
 #[cfg(all(feature = "crypto", feature = "aws_lc_rs"))]
 pub use key_pair::RsaKeySize;
-pub use key_pair::{SigningKey, SubjectPublicKeyInfo};
+pub use key_pair::{PublicKeyData, SigningKey, SubjectPublicKeyInfo};
+#[cfg(feature = "pem")]
+use pem::Pem;
+use pki_types::CertificateDer;
 #[cfg(feature = "crypto")]
 use ring_like::digest;
 pub use sign_algo::algo::*;
 pub use sign_algo::SignatureAlgorithm;
+use time::{OffsetDateTime, Time};
+use yasna::models::{GeneralizedTime, ObjectIdentifier, UTCTime};
+use yasna::tags::{TAG_BMPSTRING, TAG_TELETEXSTRING, TAG_UNIVERSALSTRING};
+use yasna::{DERWriter, Tag};
+
+use crate::string::{BmpString, Ia5String, PrintableString, TeletexString, UniversalString};
 
 mod certificate;
 mod crl;
@@ -987,10 +983,10 @@ mod tests {
 
 	#[cfg(feature = "x509-parser")]
 	mod test_ip_address_from_octets {
-		use super::super::ip_addr_from_octets;
-		use super::super::Error;
 		use std::net::IpAddr;
 
+		use super::super::{ip_addr_from_octets, Error};
+
 		#[test]
 		fn ipv4() {
 			let octets = [10, 20, 30, 40];
@@ -1035,10 +1031,12 @@ mod tests {
 
 	#[cfg(feature = "x509-parser")]
 	mod test_san_type_from_general_name {
-		use crate::SanType;
 		use std::net::IpAddr;
+
 		use x509_parser::extensions::GeneralName;
 
+		use crate::SanType;
+
 		#[test]
 		fn with_ipv4() {
 			let octets = [1, 2, 3, 4];

rcgen/src/sign_algo.rs

@@ -1,17 +1,16 @@
 use std::fmt;
 use std::hash::{Hash, Hasher};
 
+#[cfg(all(feature = "aws_lc_rs_unstable", not(feature = "fips")))]
+use aws_lc_rs::unstable::signature::{
+	PqdsaSigningAlgorithm, ML_DSA_44_SIGNING, ML_DSA_65_SIGNING, ML_DSA_87_SIGNING,
+};
 use yasna::models::ObjectIdentifier;
-use yasna::DERWriter;
-use yasna::Tag;
+use yasna::{DERWriter, Tag};
 
 #[cfg(feature = "crypto")]
 use crate::ring_like::signature::{self, EcdsaSigningAlgorithm, EdDSAParameters, RsaEncoding};
 use crate::Error;
-#[cfg(all(feature = "aws_lc_rs_unstable", not(feature = "fips")))]
-use aws_lc_rs::unstable::signature::{
-	PqdsaSigningAlgorithm, ML_DSA_44_SIGNING, ML_DSA_65_SIGNING, ML_DSA_87_SIGNING,
-};
 
 #[cfg(feature = "crypto")]
 #[derive(Clone, Copy, Debug)]
@@ -119,9 +118,8 @@ impl SignatureAlgorithm {
 
 /// The list of supported signature algorithms
 pub(crate) mod algo {
-	use crate::oid::*;
-
 	use super::*;
+	use crate::oid::*;
 
 	/// RSA signing with PKCS#1 1.5 padding and SHA-256 hashing as per [RFC 4055](https://tools.ietf.org/html/rfc4055)
 	pub static PKCS_RSA_SHA256: SignatureAlgorithm = SignatureAlgorithm {

rcgen/src/string.rs

@@ -1,6 +1,7 @@
 //! ASN.1 string types
 
-use std::{fmt, str::FromStr};
+use std::fmt;
+use std::str::FromStr;
 
 use crate::{Error, InvalidAsn1String};
 

rustls-cert-gen/src/cert.rs

@@ -1,10 +1,13 @@
-use std::{fmt, fs::File, io, path::Path, str::FromStr};
+use std::fs::File;
+use std::path::Path;
+use std::str::FromStr;
+use std::{fmt, io};
 
 use bpaf::Bpaf;
+use rcgen::DnValue::PrintableString;
 use rcgen::{
 	BasicConstraints, Certificate, CertificateParams, CertifiedIssuer, DistinguishedName, DnType,
-	DnValue::PrintableString, ExtendedKeyUsagePurpose, IsCa, KeyPair, KeyUsagePurpose, SanType,
-	SignatureAlgorithm,
+	ExtendedKeyUsagePurpose, IsCa, KeyPair, KeyUsagePurpose, SanType, SignatureAlgorithm,
 };
 
 /// Builder to configure TLS [CertificateParams] to be finalized

rustls-cert-gen/src/main.rs

@@ -1,4 +1,6 @@
-use std::{net::IpAddr, path::PathBuf, str::FromStr};
+use std::net::IpAddr;
+use std::path::PathBuf;
+use std::str::FromStr;
 
 use bpaf::Bpaf;
 use rcgen::{Error, SanType};

verify-tests/src/lib.rs

@@ -1,11 +1,10 @@
-use time::{Duration, OffsetDateTime};
-
-use rcgen::{BasicConstraints, Certificate, CertificateParams, Issuer, KeyPair};
 use rcgen::{
-	CertificateRevocationList, CrlDistributionPoint, CrlIssuingDistributionPoint, CrlScope,
+	BasicConstraints, Certificate, CertificateParams, CertificateRevocationList,
+	CertificateRevocationListParams, CrlDistributionPoint, CrlIssuingDistributionPoint, CrlScope,
+	DnType, IsCa, Issuer, KeyIdMethod, KeyPair, KeyUsagePurpose, RevocationReason,
+	RevokedCertParams, SerialNumber,
 };
-use rcgen::{CertificateRevocationListParams, DnType, IsCa, KeyIdMethod};
-use rcgen::{KeyUsagePurpose, RevocationReason, RevokedCertParams, SerialNumber};
+use time::{Duration, OffsetDateTime};
 
 // Generated by adding `println!("{}", cert.serialize_private_key_pem());`
 // to the test_webpki_25519 test and panicing explicitly.

verify-tests/tests/botan.rs

@@ -1,12 +1,11 @@
 #![cfg(feature = "x509-parser")]
 
+use rcgen::{
+	BasicConstraints, Certificate, CertificateParams, CertificateRevocationListParams, DnType,
+	DnValue, IsCa, Issuer, KeyPair, KeyUsagePurpose, RevocationReason, RevokedCertParams,
+	SerialNumber,
+};
 use time::{Duration, OffsetDateTime};
-
-use rcgen::{BasicConstraints, Certificate, CertificateParams, DnType, IsCa, Issuer};
-use rcgen::{CertificateRevocationListParams, RevocationReason, RevokedCertParams};
-use rcgen::{DnValue, KeyPair};
-use rcgen::{KeyUsagePurpose, SerialNumber};
-
 use verify_tests as util;
 
 fn default_params() -> (CertificateParams, KeyPair) {

verify-tests/tests/generic.rs

@@ -105,10 +105,8 @@ mod test_x509_custom_ext {
 #[cfg(feature = "x509-parser")]
 mod test_csr_custom_attributes {
 	use rcgen::{Attribute, CertificateParams, KeyPair};
-	use x509_parser::{
-		der_parser::Oid,
-		prelude::{FromDer, X509CertificationRequest},
-	};
+	use x509_parser::der_parser::Oid;
+	use x509_parser::prelude::{FromDer, X509CertificationRequest};
 
 	/// Test serializing a CSR with custom attributes.
 	/// This test case uses `challengePassword` from [RFC 2985], a simple

verify-tests/tests/openssl.rs

@@ -11,7 +11,6 @@ use openssl::ssl::{HandshakeError, SslAcceptor, SslConnector, SslMethod};
 use openssl::stack::Stack;
 use openssl::x509::store::{X509Store, X509StoreBuilder};
 use openssl::x509::{CrlStatus, X509Crl, X509Req, X509StoreContext, X509};
-
 use rcgen::{
 	BasicConstraints, Certificate, CertificateParams, DnType, DnValue, GeneralSubtree, IsCa,
 	Issuer, KeyPair, NameConstraints,

verify-tests/tests/webpki.rs

@@ -5,27 +5,24 @@ use aws_lc_rs::unstable::signature::{
 	PqdsaKeyPair, PqdsaSigningAlgorithm, ML_DSA_44_SIGNING, ML_DSA_65_SIGNING, ML_DSA_87_SIGNING,
 };
 use pki_types::{CertificateDer, ServerName, SignatureVerificationAlgorithm, UnixTime};
+use rcgen::{
+	BasicConstraints, Certificate, CertificateParams, CertificateRevocationListParams, DnType,
+	Error, ExtendedKeyUsagePurpose, IsCa, Issuer, KeyPair, KeyUsagePurpose, PublicKeyData,
+	RevocationReason, RevokedCertParams, SerialNumber, SigningKey,
+};
+#[cfg(feature = "x509-parser")]
+use rcgen::{CertificateSigningRequestParams, DnValue};
 use ring::rand::SystemRandom;
 use ring::signature::{self, EcdsaKeyPair, EcdsaSigningAlgorithm, Ed25519KeyPair, KeyPair as _};
 #[cfg(feature = "pem")]
 use ring::signature::{RsaEncoding, RsaKeyPair};
 use time::{Duration, OffsetDateTime};
+use verify_tests as util;
 use webpki::{
 	anchor_from_trusted_cert, BorrowedCertRevocationList, CertRevocationList, EndEntityCert,
 	KeyUsage, RevocationOptionsBuilder,
 };
 
-use rcgen::{
-	BasicConstraints, Certificate, CertificateParams, DnType, Error, IsCa, Issuer, KeyPair,
-	PublicKeyData, SigningKey,
-};
-use rcgen::{CertificateRevocationListParams, RevocationReason, RevokedCertParams};
-#[cfg(feature = "x509-parser")]
-use rcgen::{CertificateSigningRequestParams, DnValue};
-use rcgen::{ExtendedKeyUsagePurpose, KeyUsagePurpose, SerialNumber};
-
-use verify_tests as util;
-
 fn sign_msg_ecdsa(key_pair: &KeyPair, msg: &[u8], alg: &'static EcdsaSigningAlgorithm) -> Vec<u8> {
 	let pk_der = key_pair.serialize_der();
 	let key_pair =