feat: support "verify" with FIPS crypto backend

.github/workflows/rust.yml

@@ -5,7 +5,7 @@ on:
   pull_request:
   merge_group:
   schedule:
-    - cron: '0 18 * * *'
+    - cron: "0 18 * * *"
 
 jobs:
   check:
@@ -71,13 +71,29 @@ jobs:
           - --all-features
           - --features=verify
           - --features=verify-aws
+          - --features=verify-aws-fips
           - --features=validate
     steps:
       - uses: actions/checkout@v4
       - name: Install stable toolchain
         uses: dtolnay/rust-toolchain@stable
       - run: cargo test --locked ${{ matrix.features }}
 
+  test_fips:
+    name: verify-aws-fips dependency on FIPS backend only
+    needs: check-all-features
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install stable toolchain
+        uses: dtolnay/rust-toolchain@stable
+      # Ensure the non-FIPS aws-lc-sys crate is not part of the dependency tree.
+      #
+      # "cargo tree" exists 101 when queried for a crate that's not in the tree.
+      - run: "if cargo tree --features=verify-aws-fips -i aws-lc-sys; then false; else [ $? -eq 101 ]; fi"
+      # Ensure the optional FIPS crypto module is depended.
+      - run: "cargo tree --features=verify-aws-fips -i aws-lc-fips-sys"
+
   fmt:
     name: Rustfmt
     runs-on: ubuntu-latest

Cargo.toml

@@ -38,13 +38,14 @@ rustdoc-args = ["--cfg", "docsrs"]
 
 [features]
 default = []
-verify-aws = ["aws-lc-rs"]
+verify-aws = ["aws-lc-rs/aws-lc-sys"] # Non-FIPS backend
+verify-aws-fips = ["aws-lc-rs/fips"]  # FIPS crypto backend
 verify = ["ring"]
 validate = []
 
 [dependencies]
-aws-lc-rs = { version = "1.0", optional = true }
 asn1-rs = { version = "0.8.0-beta.1", features=["bigint", "datetime"] }
+aws-lc-rs = { version = "1.0", optional = true, default-features = false, features = ["alloc"] }
 data-encoding = "2.2.1"
 lazy_static = "1.4"
 nom = "8.0"

src/certificate.rs

@@ -10,7 +10,11 @@ use crate::x509::{
     X509Name, X509Version,
 };
 
-#[cfg(any(feature = "verify", feature = "verify-aws"))]
+#[cfg(any(
+    feature = "verify",
+    feature = "verify-aws",
+    feature = "verify-aws-fips"
+))]
 use crate::verify::verify_signature;
 use asn1_rs::{
     Alias, BerError, BigUint, BitString, DerParser, Error, FromDer, Header, Input,
@@ -100,8 +104,19 @@ impl<'a> X509Certificate<'a> {
     /// It is usually an intermediate authority.
     ///
     /// Not all algorithms are supported, this function is limited to what `ring` supports.
-    #[cfg(any(feature = "verify", feature = "verify-aws"))]
-    #[cfg_attr(docsrs, doc(cfg(any(feature = "verify", feature = "verify-aws"))))]
+    #[cfg(any(
+        feature = "verify",
+        feature = "verify-aws",
+        feature = "verify-aws-fips"
+    ))]
+    #[cfg_attr(
+        docsrs,
+        doc(cfg(any(
+            feature = "verify",
+            feature = "verify-aws",
+            feature = "verify-aws-fips"
+        )))
+    )]
     pub fn verify_signature(
         &self,
         public_key: Option<&SubjectPublicKeyInfo>,

src/certification_request.rs

@@ -5,7 +5,11 @@ use crate::x509::{
     parse_signature_value, AlgorithmIdentifier, SubjectPublicKeyInfo, X509Name, X509Version,
 };
 
-#[cfg(any(feature = "verify", feature = "verify-aws"))]
+#[cfg(any(
+    feature = "verify",
+    feature = "verify-aws",
+    feature = "verify-aws-fips"
+))]
 use crate::verify::verify_signature;
 use asn1_rs::{
     BitString, DerParser, FromDer, Header, Input, Oid, OptTaggedImplicit, Sequence, Tag, Tagged,
@@ -83,8 +87,19 @@ impl<'a> X509CertificationRequest<'a> {
     ///
     /// Uses the public key contained in the CSR, which must be the one of the entity
     /// requesting the certification for this verification to succeed.
-    #[cfg(any(feature = "verify", feature = "verify-aws"))]
-    #[cfg_attr(docsrs, doc(cfg(any(feature = "verify", feature = "verify-aws"))))]
+    #[cfg(any(
+        feature = "verify",
+        feature = "verify-aws",
+        feature = "verify-aws-fips"
+    ))]
+    #[cfg_attr(
+        docsrs,
+        doc(cfg(any(
+            feature = "verify",
+            feature = "verify-aws",
+            feature = "verify-aws-fips"
+        )))
+    )]
     pub fn verify_signature(&self) -> Result<(), X509Error> {
         let spki = &self.certification_request_info.subject_pki;
         verify_signature(

src/lib.rs

@@ -93,10 +93,10 @@
 //!   to `X509Certificate`.
 //!
 //! ```rust
-//! # #[cfg(any(feature = "verify", feature = "verify-aws"))]
+//! # #[cfg(any(feature = "verify", feature = "verify-aws", feature = "verify-aws-fips"))]
 //! # use x509_parser::certificate::X509Certificate;
 //! /// Cryptographic signature verification: returns true if certificate was signed by issuer
-//! #[cfg(any(feature = "verify", feature = "verify-aws"))]
+//! #[cfg(any(feature = "verify", feature = "verify-aws", feature = "verify-aws-fips"))]
 //! pub fn check_signature(cert: &X509Certificate<'_>, issuer: &X509Certificate<'_>) -> bool {
 //!     let issuer_public_key = issuer.public_key();
 //!     cert
@@ -157,8 +157,19 @@ pub mod time;
 #[cfg(feature = "validate")]
 #[cfg_attr(docsrs, doc(cfg(feature = "validate")))]
 pub mod validate;
-#[cfg(any(feature = "verify", feature = "verify-aws"))]
-#[cfg_attr(docsrs, doc(cfg(any(feature = "verify", feature = "verify-aws"))))]
+#[cfg(any(
+    feature = "verify",
+    feature = "verify-aws",
+    feature = "verify-aws-fips"
+))]
+#[cfg_attr(
+    docsrs,
+    doc(cfg(any(
+        feature = "verify",
+        feature = "verify-aws",
+        feature = "verify-aws-fips"
+    )))
+)]
 pub mod verify;
 pub mod visitor;
 pub mod x509;

src/revocation_list.rs

@@ -5,9 +5,17 @@ use crate::x509::{
     format_serial, parse_serial, AlgorithmIdentifier, ReasonCode, X509Name, X509Version,
 };
 
-#[cfg(any(feature = "verify", feature = "verify-aws"))]
+#[cfg(any(
+    feature = "verify",
+    feature = "verify-aws",
+    feature = "verify-aws-fips"
+))]
 use crate::verify::verify_signature;
-#[cfg(any(feature = "verify", feature = "verify-aws"))]
+#[cfg(any(
+    feature = "verify",
+    feature = "verify-aws",
+    feature = "verify-aws-fips"
+))]
 use crate::x509::SubjectPublicKeyInfo;
 use asn1_rs::num_bigint::BigUint;
 use asn1_rs::{BitString, DerParser, FromDer, Header, Input, Sequence, Tag, Tagged};
@@ -137,8 +145,19 @@ impl<'a> CertificateRevocationList<'a> {
     /// `public_key` is the public key of the **signer**.
     ///
     /// Not all algorithms are supported, this function is limited to what `ring` supports.
-    #[cfg(any(feature = "verify", feature = "verify-aws"))]
-    #[cfg_attr(docsrs, doc(cfg(any(feature = "verify", feature = "verify-aws"))))]
+    #[cfg(any(
+        feature = "verify",
+        feature = "verify-aws",
+        feature = "verify-aws-fips"
+    ))]
+    #[cfg_attr(
+        docsrs,
+        doc(cfg(any(
+            feature = "verify",
+            feature = "verify-aws",
+            feature = "verify-aws-fips"
+        )))
+    )]
     pub fn verify_signature(&self, public_key: &SubjectPublicKeyInfo) -> Result<(), X509Error> {
         verify_signature(
             public_key,

src/verify.rs

@@ -11,9 +11,12 @@ use oid_registry::{
 // Since the `signature` object is similar in ring and in aws-lc-rs, we just use simple logic
 // to determine which one to use.
 // If both verify and verify-aws features are enabled, aws will be used.
-#[cfg(feature = "verify-aws")]
+#[cfg(any(feature = "verify-aws", feature = "verify-aws-fips"))]
 use aws_lc_rs::signature;
-#[cfg(all(feature = "verify", not(feature = "verify-aws")))]
+#[cfg(all(
+    feature = "verify",
+    not(any(feature = "verify-aws", feature = "verify-aws-fips"))
+))]
 use ring::signature;
 
 /// Verify the cryptographic signature of the raw data (can be a certificate, a CRL or a CSR).

tests/readcrl.rs

@@ -1,6 +1,10 @@
 use x509_parser::prelude::*;
 
-#[cfg(any(feature = "verify", feature = "verify-aws"))]
+#[cfg(any(
+    feature = "verify",
+    feature = "verify-aws",
+    feature = "verify-aws-fips"
+))]
 #[test]
 fn read_crl_verify() {
     const CA_DATA: &[u8] = include_bytes!("../assets/ca_minimalcrl.der");

tests/readcsr.rs

@@ -115,7 +115,11 @@ fn read_csr_with_challenge_password() {
     assert!(found_san);
 }
 
-#[cfg(any(feature = "verify", feature = "verify-aws"))]
+#[cfg(any(
+    feature = "verify",
+    feature = "verify-aws",
+    feature = "verify-aws-fips"
+))]
 #[test]
 fn read_csr_verify() {
     let pem = pem::parse_x509_pem(CSR_DATA).unwrap().1;

tests/verify.rs

@@ -1,4 +1,8 @@
-#![cfg(any(feature = "verify", feature = "verify-aws"))]
+#![cfg(any(
+    feature = "verify",
+    feature = "verify-aws",
+    feature = "verify-aws-fips"
+))]
 
 use x509_parser::parse_x509_certificate;