Prefer aws-lc-rs over ring if both are enabled

rcgen/Cargo.toml

@@ -23,7 +23,7 @@ required-features = ["pem", "x509-parser"]
 
 [[example]]
 name = "simple"
-required-features = ["crypto"]
+required-features = ["crypto", "pem"]
 
 [dependencies]
 aws-lc-rs = { workspace = true, optional = true }
@@ -42,7 +42,6 @@ aws_lc_rs = ["crypto", "dep:aws-lc-rs"]
 ring = ["crypto", "dep:ring"]
 fips = ["aws_lc_rs", "aws-lc-rs?/fips"]
 
-
 [package.metadata.docs.rs]
 features = ["x509-parser"]
 

rcgen/src/key_pair.rs

@@ -8,7 +8,7 @@ use yasna::{DERWriter, DERWriterSeq};
 
 #[cfg(any(feature = "crypto", feature = "pem"))]
 use crate::error::ExternalError;
-#[cfg(all(feature = "crypto", feature = "aws_lc_rs", not(feature = "ring")))]
+#[cfg(all(feature = "crypto", feature = "aws_lc_rs"))]
 use crate::ring_like::rsa::KeySize;
 #[cfg(feature = "crypto")]
 use crate::ring_like::{
@@ -109,12 +109,12 @@ impl KeyPair {
 					serialized_der: key_pair_serialized,
 				})
 			},
-			#[cfg(all(feature = "aws_lc_rs", not(feature = "ring")))]
+			#[cfg(feature = "aws_lc_rs")]
 			SignAlgo::Rsa(sign_alg) => Self::generate_rsa_inner(alg, sign_alg, KeySize::Rsa2048),
 			// Ring doesn't have RSA key generation yet:
 			// https://github.com/briansmith/ring/issues/219
 			// https://github.com/briansmith/ring/pull/733
-			#[cfg(any(not(feature = "aws_lc_rs"), feature = "ring"))]
+			#[cfg(all(feature = "ring", not(feature = "aws_lc_rs")))]
 			SignAlgo::Rsa(_sign_alg) => Err(Error::KeyGenerationUnavailable),
 		}
 	}
@@ -123,7 +123,7 @@ impl KeyPair {
 	///
 	/// If passed a signature algorithm that is not RSA, it will return
 	/// [`Error::KeyGenerationUnavailable`].
-	#[cfg(all(feature = "crypto", feature = "aws_lc_rs", not(feature = "ring")))]
+	#[cfg(all(feature = "crypto", feature = "aws_lc_rs"))]
 	pub fn generate_rsa_for(
 		alg: &'static SignatureAlgorithm,
 		key_size: RsaKeySize,
@@ -141,7 +141,7 @@ impl KeyPair {
 		}
 	}
 
-	#[cfg(all(feature = "crypto", feature = "aws_lc_rs", not(feature = "ring")))]
+	#[cfg(all(feature = "crypto", feature = "aws_lc_rs"))]
 	fn generate_rsa_inner(
 		alg: &'static SignatureAlgorithm,
 		sign_alg: &'static dyn RsaEncoding,
@@ -249,7 +249,7 @@ impl KeyPair {
 			let rsakp = RsaKeyPair::from_pkcs8(&serialized_der)._err()?;
 			KeyPairKind::Rsa(rsakp, &signature::RSA_PSS_SHA256)
 		} else {
-			#[cfg(all(feature = "aws_lc_rs", not(feature = "ring")))]
+			#[cfg(feature = "aws_lc_rs")]
 			if alg == &PKCS_ECDSA_P521_SHA512 {
 				KeyPairKind::Ec(ecdsa_from_pkcs8(
 					&signature::ECDSA_P521_SHA512_ASN1_SIGNING,
@@ -260,7 +260,7 @@ impl KeyPair {
 				panic!("Unknown SignatureAlgorithm specified!");
 			}
 
-			#[cfg(feature = "ring")]
+			#[cfg(all(feature = "ring", not(feature = "aws_lc_rs")))]
 			panic!("Unknown SignatureAlgorithm specified!");
 		};
 
@@ -302,7 +302,7 @@ impl KeyPair {
 				&PKCS_RSA_SHA256,
 			)
 		} else {
-			#[cfg(all(feature = "aws_lc_rs", not(feature = "ring")))]
+			#[cfg(feature = "aws_lc_rs")]
 			if let Ok(eckp) =
 				ecdsa_from_pkcs8(&signature::ECDSA_P521_SHA512_ASN1_SIGNING, pkcs8, &rng)
 			{
@@ -311,7 +311,7 @@ impl KeyPair {
 				return Err(Error::CouldNotParseKeyPair);
 			}
 
-			#[cfg(feature = "ring")]
+			#[cfg(all(feature = "ring", not(feature = "aws_lc_rs")))]
 			{
 				return Err(Error::CouldNotParseKeyPair);
 			}
@@ -497,7 +497,7 @@ impl TryFrom<&PrivatePkcs8KeyDer<'_>> for KeyPair {
 }
 
 /// The key size used for RSA key generation
-#[cfg(all(feature = "crypto", feature = "aws_lc_rs", not(feature = "ring")))]
+#[cfg(all(feature = "crypto", feature = "aws_lc_rs"))]
 #[derive(Debug, Copy, Clone, PartialEq, Eq, Hash)]
 #[non_exhaustive]
 pub enum RsaKeySize {

rcgen/src/lib.rs

@@ -59,7 +59,7 @@ pub use crl::{
 pub use csr::{CertificateSigningRequestParams, PublicKey};
 pub use error::{Error, InvalidAsn1String};
 use key_pair::PublicKeyData;
-#[cfg(all(feature = "crypto", feature = "aws_lc_rs", not(feature = "ring")))]
+#[cfg(all(feature = "crypto", feature = "aws_lc_rs"))]
 pub use key_pair::RsaKeySize;
 pub use key_pair::{KeyPair, RemoteKeyPair};
 #[cfg(feature = "crypto")]

rcgen/src/oid.rs

@@ -22,7 +22,7 @@ pub(crate) const EC_SECP_256_R1: &[u64] = &[1, 2, 840, 10045, 3, 1, 7];
 pub(crate) const EC_SECP_384_R1: &[u64] = &[1, 3, 132, 0, 34];
 /// secp521r1 in [RFC 5480](https://datatracker.ietf.org/doc/html/rfc5480#appendix-A)
 /// Currently this is only supported with the `aws_lc_rs` feature
-#[cfg(all(feature = "aws_lc_rs", not(feature = "ring")))]
+#[cfg(feature = "aws_lc_rs")]
 pub(crate) const EC_SECP_521_R1: &[u64] = &[1, 3, 132, 0, 35];
 
 /// rsaEncryption in [RFC 4055](https://www.rfc-editor.org/rfc/rfc4055#section-6)

rcgen/src/ring_like.rs

@@ -1,6 +1,6 @@
-#[cfg(all(feature = "crypto", not(feature = "ring"), feature = "aws_lc_rs"))]
+#[cfg(all(feature = "crypto", feature = "aws_lc_rs"))]
 pub(crate) use aws_lc_rs::*;
-#[cfg(all(feature = "crypto", feature = "ring"))]
+#[cfg(all(feature = "crypto", feature = "ring", not(feature = "aws_lc_rs")))]
 pub(crate) use ring::*;
 
 #[cfg(feature = "crypto")]
@@ -14,25 +14,25 @@ pub(crate) fn ecdsa_from_pkcs8(
 	pkcs8: &[u8],
 	_rng: &dyn rand::SecureRandom,
 ) -> Result<signature::EcdsaKeyPair, Error> {
-	#[cfg(feature = "ring")]
+	#[cfg(all(feature = "ring", not(feature = "aws_lc_rs")))]
 	{
 		signature::EcdsaKeyPair::from_pkcs8(alg, pkcs8, _rng)._err()
 	}
 
-	#[cfg(all(not(feature = "ring"), feature = "aws_lc_rs"))]
+	#[cfg(feature = "aws_lc_rs")]
 	{
 		Ok(signature::EcdsaKeyPair::from_pkcs8(alg, pkcs8)._err()?)
 	}
 }
 
 #[cfg(feature = "crypto")]
 pub(crate) fn rsa_key_pair_public_modulus_len(kp: &signature::RsaKeyPair) -> usize {
-	#[cfg(feature = "ring")]
+	#[cfg(all(feature = "ring", not(feature = "aws_lc_rs")))]
 	{
 		kp.public().modulus_len()
 	}
 
-	#[cfg(all(not(feature = "ring"), feature = "aws_lc_rs"))]
+	#[cfg(feature = "aws_lc_rs")]
 	{
 		kp.public_modulus_len()
 	}

rcgen/src/sign_algo.rs

@@ -56,7 +56,7 @@ impl fmt::Debug for SignatureAlgorithm {
 		} else if self == &PKCS_ED25519 {
 			write!(f, "PKCS_ED25519")
 		} else {
-			#[cfg(all(feature = "aws_lc_rs", not(feature = "ring")))]
+			#[cfg(feature = "aws_lc_rs")]
 			if self == &PKCS_ECDSA_P521_SHA512 {
 				return write!(f, "PKCS_ECDSA_P521_SHA512");
 			}
@@ -91,7 +91,7 @@ impl SignatureAlgorithm {
 			//&PKCS_RSA_PSS_SHA256,
 			&PKCS_ECDSA_P256_SHA256,
 			&PKCS_ECDSA_P384_SHA384,
-			#[cfg(all(feature = "aws_lc_rs", not(feature = "ring")))]
+			#[cfg(feature = "aws_lc_rs")]
 			&PKCS_ECDSA_P521_SHA512,
 			&PKCS_ED25519,
 		];
@@ -187,7 +187,7 @@ pub(crate) mod algo {
 	};
 	/// ECDSA signing using the P-521 curves and SHA-512 hashing as per [RFC 5758](https://tools.ietf.org/html/rfc5758#section-3.2)
 	/// Currently this is only supported with the `aws_lc_rs` feature
-	#[cfg(all(feature = "aws_lc_rs", not(feature = "ring")))]
+	#[cfg(feature = "aws_lc_rs")]
 	pub static PKCS_ECDSA_P521_SHA512: SignatureAlgorithm = SignatureAlgorithm {
 		oids_sign_alg: &[&EC_PUBLIC_KEY, &EC_SECP_521_R1],
 		#[cfg(feature = "crypto")]

rcgen/tests/botan.rs

@@ -76,7 +76,7 @@ fn test_botan_384() {
 }
 
 #[test]
-#[cfg(all(feature = "aws_lc_rs", not(feature = "ring")))]
+#[cfg(feature = "aws_lc_rs")]
 fn test_botan_521() {
 	let (params, _) = default_params();
 	let key_pair = KeyPair::generate_for(&rcgen::PKCS_ECDSA_P521_SHA512).unwrap();

rcgen/tests/generic.rs

@@ -19,7 +19,7 @@ mod test_key_params_mismatch {
 			&rcgen::PKCS_RSA_SHA256,
 			&rcgen::PKCS_ECDSA_P256_SHA256,
 			&rcgen::PKCS_ECDSA_P384_SHA384,
-			#[cfg(all(feature = "aws_lc_rs", not(feature = "ring")))]
+			#[cfg(feature = "aws_lc_rs")]
 			&rcgen::PKCS_ECDSA_P521_SHA512,
 			&rcgen::PKCS_ED25519,
 		];

rcgen/tests/openssl.rs

@@ -214,7 +214,7 @@ fn test_openssl_384() {
 }
 
 #[test]
-#[cfg(all(feature = "aws_lc_rs", not(feature = "ring")))]
+#[cfg(feature = "aws_lc_rs")]
 fn test_openssl_521() {
 	let (params, _) = util::default_params();
 	let key_pair = KeyPair::generate_for(&rcgen::PKCS_ECDSA_P521_SHA512).unwrap();

rustls-cert-gen/src/cert.rs

@@ -6,9 +6,9 @@ use rcgen::{
 	DnValue::PrintableString, ExtendedKeyUsagePurpose, IsCa, KeyPair, KeyUsagePurpose, SanType,
 };
 
-#[cfg(all(feature = "aws_lc_rs", not(feature = "ring")))]
+#[cfg(feature = "aws_lc_rs")]
 use aws_lc_rs as ring_like;
-#[cfg(feature = "ring")]
+#[cfg(all(feature = "ring", not(feature = "aws_lc_rs")))]
 use ring as ring_like;
 
 #[derive(Debug, Clone)]
@@ -218,7 +218,7 @@ pub enum KeyPairAlgorithm {
 	#[default]
 	EcdsaP256,
 	EcdsaP384,
-	#[cfg(all(feature = "aws_lc_rs", not(feature = "ring")))]
+	#[cfg(feature = "aws_lc_rs")]
 	EcdsaP521,
 }
 
@@ -229,7 +229,7 @@ impl fmt::Display for KeyPairAlgorithm {
 			KeyPairAlgorithm::Ed25519 => write!(f, "ed25519"),
 			KeyPairAlgorithm::EcdsaP256 => write!(f, "ecdsa-p256"),
 			KeyPairAlgorithm::EcdsaP384 => write!(f, "ecdsa-p384"),
-			#[cfg(all(feature = "aws_lc_rs", not(feature = "ring")))]
+			#[cfg(feature = "aws_lc_rs")]
 			KeyPairAlgorithm::EcdsaP521 => write!(f, "ecdsa-p521"),
 		}
 	}
@@ -273,7 +273,7 @@ impl KeyPairAlgorithm {
 
 				rcgen::KeyPair::from_pkcs8_der_and_sign_algo(&pkcs8_bytes.as_ref().into(), alg)
 			},
-			#[cfg(all(feature = "aws_lc_rs", not(feature = "ring")))]
+			#[cfg(feature = "aws_lc_rs")]
 			KeyPairAlgorithm::EcdsaP521 => {
 				use ring_like::signature::EcdsaKeyPair;
 				use ring_like::signature::ECDSA_P521_SHA512_ASN1_SIGNING;
@@ -368,7 +368,7 @@ mod tests {
 	}
 
 	#[test]
-	#[cfg(all(feature = "aws_lc_rs", not(feature = "ring")))]
+	#[cfg(feature = "aws_lc_rs")]
 	fn serialize_end_entity_ecdsa_p521_sha512_sig() -> anyhow::Result<()> {
 		let ca = CertificateBuilder::new().certificate_authority().build()?;
 		let end_entity = CertificateBuilder::new()
@@ -488,7 +488,7 @@ mod tests {
 			"PKCS_ECDSA_P384_SHA384"
 		);
 
-		#[cfg(all(feature = "aws_lc_rs", not(feature = "ring")))]
+		#[cfg(feature = "aws_lc_rs")]
 		{
 			let keypair = KeyPairAlgorithm::EcdsaP521.to_key_pair()?;
 			assert_eq!(