This commit implements the Rustls HPKE provider traits using hpke-rs[0]
with the rust-crypto backend.
Since HPKE is not yet used in Rustls (but will be for ECH support),
a unit test based on the RFC 9180 test vectors is added.
Likely in the future we will want to move this test somewhere outside of
the provider-example crate and use it to test a *ring* HPKE
implementation using the same test vector data.
[0]: https://github.com/franziskuskiefer/hpke-rs

Provide shims for a limited number of places where ring 0.17 and
aws-lc-rs (ring 0.16-era) APIs have diverged. This is a
short-term fix, as they are likely to diverge more over time.
Eventually we'll have to stop sharing the code like this.

For unit-like tests, export a `test_provider` alias that resolves
to a provider module, for use in these tests.
This resolves to:
- *ring* if cfg(feature = "ring"), else
- aws-lc-rs if cfg(feature = "aws_lc_rs"), else
- is absent

This commit adds a new `connect-tests/tests/ech.rs` module that performs
a DNS over HTTPS lookup for HTTPS type records, finding `EchConfig`s and
testing that we can deserialize the raw form into the Rustls representation
without error.
Presently it tests against:
* `crypto.cloudflare.com`
* `defo.ie`
* `tls-ech.dev`
Since these are network-based tests they need to live in `connect-tests`
to avoid flakiness during normal CI runs.
In previous WIP branches this was done as part of an overall end-to-end
example of using ECH, but we can test this in isolation ahead of having
full ECH support.

This version of webpki improves CRL ergonomics. Notable changes:
* use `with_status_policy` builder fn
The upstream crate added a more ergonomic interface we can use in
place of having to keep around a mutable builder and doing our own
matching.
* avoid CRL dyn trait hurdles
The upstream crate made working with CRLs easier by replacing the
`CertRevocationList` trait with an `enum` representation.
Notably this makes working with the `Vec<OwnedCertRevocationList>` that
the webpki verifier builders and verifiers hold much easier: we no longer
have to do as many contortions to convert to a
`&[&dyn CertRevocationList]`.

The `rcgen` crate has cut a 0.11.2 release that includes the CRL
functionality we were using a Cargo patch to depend on previously. This
commit removes the patch, fixes one breakage in the server acceptor
example, and updates the `Cargo.toml` and `Cargo.lock` files.