postgres_rustls

Rustls-based library for postgres.
git clone https://git.philomathiclife.com/repos/postgres_rustls
Log | Files | Refs | README

lib.rs (88951B)


      1 //! [![git]](https://git.philomathiclife.com/postgres_rustls/log.html) [![crates-io]](https://crates.io/crates/postgres_rustls) [![docs-rs]](crate)
      2 //!
      3 //! [git]: https://git.philomathiclife.com/git_badge.svg
      4 //! [crates-io]: https://img.shields.io/badge/crates.io-fc8d62?style=for-the-badge&labelColor=555555&logo=rust
      5 //! [docs-rs]: https://img.shields.io/badge/docs.rs-66c2a5?style=for-the-badge&labelColor=555555&logo=docs.rs
      6 //!
      7 //! `postgres_rustls` is a library that adds TLS support to [`tokio_postgres`] using [`tokio_rustls`].
      8 #![cfg_attr(docsrs, feature(doc_cfg))]
      9 #![deny(
     10     unknown_lints,
     11     future_incompatible,
     12     let_underscore,
     13     missing_docs,
     14     nonstandard_style,
     15     refining_impl_trait,
     16     rust_2018_compatibility,
     17     rust_2018_idioms,
     18     rust_2021_compatibility,
     19     rust_2024_compatibility,
     20     unsafe_code,
     21     unused,
     22     warnings,
     23     clippy::all,
     24     clippy::cargo,
     25     clippy::complexity,
     26     clippy::correctness,
     27     clippy::nursery,
     28     clippy::pedantic,
     29     clippy::perf,
     30     clippy::restriction,
     31     clippy::style,
     32     clippy::suspicious
     33 )]
     34 #![expect(
     35     clippy::arbitrary_source_item_ordering,
     36     clippy::blanket_clippy_restriction_lints,
     37     clippy::implicit_return,
     38     clippy::missing_trait_methods,
     39     clippy::multiple_crate_versions,
     40     clippy::return_and_then,
     41     clippy::single_call_fn,
     42     reason = "noisy, opinionated, and likely doesn't prevent bugs or improve APIs"
     43 )]
     44 use core::{
     45     future::Future,
     46     pin::Pin,
     47     task::{Context, Poll},
     48 };
     49 use sha2::{
     50     Sha224, Sha256, Sha384, Sha512,
     51     digest::{Digest as _, OutputSizeUser, generic_array::GenericArray},
     52 };
     53 use std::io::{self, IoSlice};
     54 use tokio::io::{AsyncRead, AsyncWrite, ReadBuf};
     55 #[cfg(feature = "runtime")]
     56 use tokio_postgres::tls::MakeTlsConnect;
     57 use tokio_postgres::tls::{ChannelBinding, TlsConnect as PgTlsConnect, TlsStream as PgTlsStream};
     58 use tokio_rustls::{
     59     self, Connect,
     60     client::TlsStream as RustlsStream,
     61     rustls::{
     62         ClientConfig,
     63         pki_types::{InvalidDnsNameError, ServerName},
     64     },
     65 };
     66 /// Hash for the leaf certificate provided by the PostgreSQL server.
     67 #[expect(clippy::doc_markdown, reason = "PostgreSQL is correct")]
     68 enum Hash {
     69     /// SHA-256 hash.
     70     Sha256(GenericArray<u8, <Sha256 as OutputSizeUser>::OutputSize>),
     71     /// SHA-384 hash.
     72     Sha384(GenericArray<u8, <Sha384 as OutputSizeUser>::OutputSize>),
     73     /// SHA-512 hash.
     74     Sha512(GenericArray<u8, <Sha512 as OutputSizeUser>::OutputSize>),
     75     /// SHA-224 hash.
     76     Sha224(GenericArray<u8, <Sha224 as OutputSizeUser>::OutputSize>),
     77 }
     78 impl From<Hash> for Vec<u8> {
     79     #[inline]
     80     fn from(value: Hash) -> Self {
     81         match value {
     82             Hash::Sha256(hash) => hash.to_vec(),
     83             Hash::Sha384(hash) => hash.to_vec(),
     84             Hash::Sha512(hash) => hash.to_vec(),
     85             Hash::Sha224(hash) => hash.to_vec(),
     86         }
     87     }
     88 }
     89 impl Hash {
     90     /// Parses `cert` as a DER-encoded X.509 v3 certifcate extracting the signature algorithm and using it to hash
     91     /// `cert` (based on the underlying hash algorithm of the signature algorithm).
     92     ///
     93     /// Note this will return `Some` for certain invalid payloads; however when the payload is a valid
     94     /// DER-encoded X.509 v3 certificate, then it is guaranteed to produce the correct hash. The idea is that
     95     /// in the event the leaf certificate is invalid, then it will be rejected by `rustls` anyway thus what
     96     /// this returns won't matter. We do this for simplicity and performance reasons since it allows us to
     97     /// avoid parsing the entire certificate and instead _only_ care about the signature algorithm.
     98     ///
     99     /// The only signature algorithms supported are the following:
    100     ///
    101     /// * id-Ed25519
    102     /// * ecdsa-with-SHA256
    103     /// * sha256WithRSAEncryption
    104     /// * ecdsa-with-SHA384
    105     /// * sha384WithRSAEncryption
    106     /// * ecdsa-with-SHA512
    107     /// * sha512WithRSAEncryption
    108     /// * ecdsa-with-SHA224
    109     /// * sha224WithRSAEncryption
    110     /// * dsa-with-SHA256
    111     /// * dsa-with-SHA224
    112     /// * dsa-with-SHA1
    113     /// * sha1WithRSAEncryption
    114     ///
    115     /// More may be added; but for ones that require additional dependencies, they will be hidden behind a feature.
    116     /// Additionally new ones must be supported by PostgreSQL, `tokio-postgres`, and `rustls`. For example,
    117     /// PostgreSQL does not support Ed25519 certificates; however we add support for this since it does not require
    118     /// additional dependencies.
    119     //
    120     // [RFC 5280 § 4.1](https://www.rfc-editor.org/rfc/rfc5280#section-4.1) describes the ASN.1 format
    121     // of an X.509 v3 Certificate:
    122     //
    123     // ```asn
    124     // Certificate  ::=  SEQUENCE  {
    125     //   tbsCertificate       TBSCertificate,
    126     //   signatureAlgorithm   AlgorithmIdentifier,
    127     //   signatureValue       BIT STRING  }
    128     //
    129     // TBSCertificate  ::=  SEQUENCE  { … }
    130     //
    131     // AlgorithmIdentifier  ::=  SEQUENCE  {
    132     //   algorithm               OBJECT IDENTIFIER,
    133     //   parameters              ANY DEFINED BY algorithm OPTIONAL  }
    134     // ```
    135     //
    136     // [ITU-T X.690](https://www.itu.int/rec/T-REC-X.690-202102-I/en)
    137     // describes how DER-encoding works.
    138     #[expect(
    139         clippy::arithmetic_side_effects,
    140         clippy::big_endian_bytes,
    141         clippy::indexing_slicing,
    142         reason = "comments justify their correctness"
    143     )]
    144     #[expect(clippy::too_many_lines, reason = "inflated by the const slices")]
    145     #[expect(clippy::doc_markdown, reason = "PostgreSQL is correct")]
    146     fn from_der_cert(cert: &[u8]) -> Option<Self> {
    147         /// [RFC 8410 § 9](https://www.rfc-editor.org/rfc/rfc8410#section-9)
    148         /// defines id-Ed25519 as 1.3.101.112. This is encoded as below per X.690 § 8.19.
    149         const ED25519: &[u8] = [43, 101, 112].as_slice();
    150         /// [RFC 5912 § 6](https://www.rfc-editor.org/rfc/rfc5912.html#section-6)
    151         /// defines ecdsa-with-SHA256 as 1.2.840.10045.4.3.2. This is encoded as
    152         /// below per X.690 § 8.19.
    153         const ECDSA_SHA256: &[u8] = [42, 134, 72, 206, 61, 4, 3, 2].as_slice();
    154         /// [RFC 8017 § Appendix C](https://www.rfc-editor.org/rfc/rfc8017#appendix-C)
    155         /// defines sha256WithRSAEncryption as 1.2.840.113549.1.1.11. This is encoded as
    156         /// below per X.690 § 8.19.
    157         const RSA_SHA256: &[u8] = [42, 134, 72, 134, 247, 13, 1, 1, 11].as_slice();
    158         /// [RFC 5912 § 6](https://www.rfc-editor.org/rfc/rfc5912.html#section-6)
    159         /// defines dsa-with-SHA256 as 2.16.840.1.101.3.4.3.2. This is encoded as
    160         /// below per X.690 § 8.19.
    161         const DSA_SHA256: &[u8] = [96, 134, 72, 1, 101, 3, 4, 3, 2].as_slice();
    162         /// [RFC 5912 § 6](https://www.rfc-editor.org/rfc/rfc5912.html#section-6)
    163         /// defines dsa-with-SHA1 as 1.2.840.10040.4.3. This is encoded as
    164         /// below per X.690 § 8.19.
    165         const DSA_SHA1: &[u8] = [42, 134, 72, 206, 56, 4, 3].as_slice();
    166         /// [RFC 8017 § Appendix C](https://www.rfc-editor.org/rfc/rfc8017#appendix-C)
    167         /// defines sha1WithRSAEncryption as 1.2.840.113549.1.1.5. This is encoded as
    168         /// below per X.690 § 8.19.
    169         const RSA_SHA1: &[u8] = [42, 134, 72, 134, 247, 13, 1, 1, 5].as_slice();
    170         /// [RFC 5912 § 6](https://www.rfc-editor.org/rfc/rfc5912.html#section-6)
    171         /// defines ecdsa-with-SHA384 as 1.2.840.10045.4.3.3. This is encoded as
    172         /// below per X.690 § 8.19.
    173         const ECDSA_SHA384: &[u8] = [42, 134, 72, 206, 61, 4, 3, 3].as_slice();
    174         /// [RFC 8017 § Appendix C](https://www.rfc-editor.org/rfc/rfc8017#appendix-C)
    175         /// defines sha384WithRSAEncryption as 1.2.840.113549.1.1.12. This is encoded as
    176         /// below per X.690 § 8.19.
    177         const RSA_SHA384: &[u8] = [42, 134, 72, 134, 247, 13, 1, 1, 12].as_slice();
    178         /// [RFC 5912 § 6](https://www.rfc-editor.org/rfc/rfc5912.html#section-6)
    179         /// defines ecdsa-with-SHA512 as 1.2.840.10045.4.3.4. This is encoded as
    180         /// below per X.690 § 8.19.
    181         const ECDSA_SHA512: &[u8] = [42, 134, 72, 206, 61, 4, 3, 4].as_slice();
    182         /// [RFC 8017 § Appendix C](https://www.rfc-editor.org/rfc/rfc8017#appendix-C)
    183         /// defines sha512WithRSAEncryption as 1.2.840.113549.1.1.13. This is encoded as
    184         /// below per X.690 § 8.19.
    185         const RSA_SHA512: &[u8] = [42, 134, 72, 134, 247, 13, 1, 1, 13].as_slice();
    186         /// [RFC 5912 § 6](https://www.rfc-editor.org/rfc/rfc5912.html#section-6)
    187         /// defines ecdsa-with-SHA224 as 1.2.840.10045.4.3.1. This is encoded as
    188         /// below per X.690 § 8.19.
    189         const ECDSA_SHA224: &[u8] = [42, 134, 72, 206, 61, 4, 3, 1].as_slice();
    190         /// [RFC 8017 § Appendix C](https://www.rfc-editor.org/rfc/rfc8017#appendix-C)
    191         /// defines sha224WithRSAEncryption as 1.2.840.113549.1.1.14. This is encoded as
    192         /// below per X.690 § 8.19.
    193         const RSA_SHA224: &[u8] = [42, 134, 72, 134, 247, 13, 1, 1, 14].as_slice();
    194         /// [RFC 5912 § 6](https://www.rfc-editor.org/rfc/rfc5912.html#section-6)
    195         /// defines dsa-with-SHA224 as 2.16.840.1.101.3.4.3.1. This is encoded as
    196         /// below per X.690 § 8.19.
    197         const DSA_SHA224: &[u8] = [96, 134, 72, 1, 101, 3, 4, 3, 1].as_slice();
    198         // The first octet represents a constructed sequence (i.e., 0x30) and the second octet represents
    199         // the (possibly encoded) length of the remaining payload.
    200         cert.split_at_checked(2).and_then(|(cert_seq, cert_rem)| {
    201             // This won't `panic` since `cert_seq.len() == 2`.
    202             // This represents the (possibly encoded) length.
    203             //
    204             // We don't care about the actual length of the payload. We only care about the number of bytes
    205             // we need to skip until the (possibly encoded) length of the constructed sequence of
    206             // tbsCertificate.
    207             match cert_seq[1] {
    208                 // The length of the payload is represented with this byte; thus we only need to skip
    209                 // the constructed sequence byte (i.e., 0x30) of tbsCertificate.
    210                 ..=127 => Some(1),
    211                 // The length of the payload is invalid since DER-encoded lengths must use the minimum
    212                 // number of bytes possible. The high bit is set iff one or more octets are needed to encode
    213                 // the actual length. The number of octets is represented by the remaining bits; thus this
    214                 // means there are 0 bytes to encode the length, but then it should have been encoded as
    215                 // `0` and not `128`.
    216                 //
    217                 // 255 is not allowed to be used per § 8.1.3.5.
    218                 128 | 255 => None,
    219                 // The remaining bits represent the number of bytes that it takes to encode the length;
    220                 // thus we subtract 128 and add 1 to account for the constructed sequence byte (i.e., 0x30)
    221                 // of tbsCertificate. This is the same as just subtracting 127.
    222                 //
    223                 // Underflow clearly cannot occur since `len` is at least 129.
    224                 len @ 129.. => Some(usize::from(len) - 127),
    225             }
    226             .and_then(|skip| {
    227                 cert_rem.get(skip..).and_then(|tbs_rem_with_len| {
    228                     // Remaining payload starting from the (possibly encoded) length of tbsCertificate.
    229                     tbs_rem_with_len
    230                         // Extract the (possibly encoded) length of tbsCertificate.
    231                         .split_first()
    232                         .and_then(|(tbs_enc_len, tbs_rem)| {
    233                             // We need to extract how many bytes make up tbsCertificate that way
    234                             // we can skip it and get to the (possibly encoded) length of
    235                             // signatureAlgorithm.
    236                             match *tbs_enc_len {
    237                                 // tbsCertificate is encoded in `len` bytes. We need to skip that many
    238                                 // bytes taking into account the constructed sequence byte (i.e., 0x30)
    239                                 // of signatureAlgorithm.
    240                                 //
    241                                 // This won't overflow since `len` is at most 127; thus this maxes at 128
    242                                 // which is <= `usize::MAX`.
    243                                 len @ ..=127 => Some(usize::from(len) + 1),
    244                                 // The number of bytes tbsCertificate is encoded in takes 1 byte to encode
    245                                 // We get that one byte since that is how many bytes we need to skip taking
    246                                 // into account the byte and the constructed sequence byte (i.e., 0x30) of
    247                                 // signatureAlgorithm.
    248                                 //
    249                                 // This won't overflow since this maxes at 255 + 2 = 257 <= usize::MAX.
    250                                 129 => tbs_rem.first().map(|len| usize::from(*len) + 2),
    251                                 // The number of bytes tbsCertificate is encoded in takes 2 bytes to encode.
    252                                 // We get the two bytes since that is how many bytes we need to skip.
    253                                 130 => tbs_rem.get(..2).and_then(|enc_len| {
    254                                     let mut big_endian_len = [0; 2];
    255                                     // This won't `panic` since `enc_len.len() == 2`.
    256                                     big_endian_len.copy_from_slice(enc_len);
    257                                     // Multi-byte lengths are encoded in big-endian.
    258                                     u16::from_be_bytes(big_endian_len)
    259                                         // We need to account for the two bytes and the constructed sequence byte
    260                                         // (i.e., 0x30) of signatureAlgorithm.
    261                                         .checked_add(3)
    262                                         // We don't support payloads larger than 65,535 since that is more than
    263                                         // enough for a single certificate.
    264                                         .map(usize::from)
    265                                 }),
    266                                 // We arbitrarily cap the size of payloads we accept to simplify decoding.
    267                                 // If this is more than 130, then the payload is at least 16,777,216 bytes
    268                                 // which is obscenely large for a single certificate. 128 is invalid.
    269                                 _ => None,
    270                             }
    271                             .and_then(|tbs_len| {
    272                                 tbs_rem.get(tbs_len..).and_then(|alg_rem_with_len| {
    273                                     // Remaining payload starting from the (possibly encoded) length of
    274                                     // signatureAlgorithm.
    275                                     alg_rem_with_len
    276                                         // Extract the (possibly encoded) length of signatureAlgorithm.
    277                                         .split_first()
    278                                         .and_then(|(alg_enc_len, alg_rem)| {
    279                                             // We need to extract how many bytes make up signatureAlgorithm that way
    280                                             // we can skip it and get to the (possibly encoded) length of algorithm.
    281                                             match *alg_enc_len {
    282                                                 // The length of the payload is represented with this byte; thus we
    283                                                 // only need to skip the object identifier byte (i.e., 0x06) of
    284                                                 // algorithm.
    285                                                 ..=127 => Some(1),
    286                                                 // The length of the payload is invalid.
    287                                                 128 | 255 => None,
    288                                                 // The remaining bits represents the number of bytes that it takes to
    289                                                 // encode the length; thus we subtract 128 and add 1 to account for
    290                                                 // the object identifier byte (i.e., 0x06) of algorithm.
    291                                                 // This is the same as just subtracting 127.
    292                                                 //
    293                                                 // Underflow clearly cannot occur since `len` is at least 129.
    294                                                 len @ 129.. => Some(usize::from(len) - 127),
    295                                             }
    296                                             .and_then(
    297                                                 |alg_skip| {
    298                                                     alg_rem.get(alg_skip..).and_then(|oid_rem| {
    299                                                         // Remaining payload starting from the (possibly encoded)
    300                                                         // length of algorithm, and we extract the
    301                                                         // (possibly encoded) length of algorithm.
    302                                                         oid_rem.split_first().and_then(
    303                                                             |(oid_enc_len, rem)| {
    304                                                                 // Extract the algorithm.
    305                                                                 // Recall we don't care if the certificate is
    306                                                                 // invalid, and we only support algorithms of
    307                                                                 // length at most 127. As a result, we treat
    308                                                                 // `oid_enc_len` as is.
    309                                                                 rem.get(..usize::from(*oid_enc_len))
    310                                                                     .and_then(|oid| match oid {
    311                                                                         ED25519 | ECDSA_SHA256
    312                                                                         | RSA_SHA256 | DSA_SHA256
    313                                                                         // [RFC 5929 § 4.1](https://www.rfc-editor.org/rfc/rfc5929#section-4.1)
    314                                                                         // mandates that SHA-1 based signatures
    315                                                                         // use SHA-256.
    316                                                                         | DSA_SHA1 | RSA_SHA1 => {
    317                                                                             Some(Self::Sha256(
    318                                                                                 Sha256::digest(
    319                                                                                     cert,
    320                                                                                 ),
    321                                                                             ))
    322                                                                         }
    323                                                                         ECDSA_SHA384
    324                                                                         | RSA_SHA384 => {
    325                                                                             Some(Self::Sha384(
    326                                                                                 Sha384::digest(
    327                                                                                     cert,
    328                                                                                 ),
    329                                                                             ))
    330                                                                         }
    331                                                                         ECDSA_SHA512
    332                                                                         | RSA_SHA512 => {
    333                                                                             Some(Self::Sha512(
    334                                                                                 Sha512::digest(
    335                                                                                     cert,
    336                                                                                 ),
    337                                                                             ))
    338                                                                         }
    339                                                                         ECDSA_SHA224
    340                                                                         | RSA_SHA224
    341                                                                         | DSA_SHA224 => {
    342                                                                             Some(Self::Sha224(
    343                                                                                 Sha224::digest(
    344                                                                                     cert,
    345                                                                                 ),
    346                                                                             ))
    347                                                                         }
    348                                                                         _ => None,
    349                                                                     })
    350                                                             },
    351                                                         )
    352                                                     })
    353                                                 },
    354                                             )
    355                                         })
    356                                 })
    357                             })
    358                         })
    359                 })
    360             })
    361         })
    362     }
    363 }
    364 /// The [`TlsConnector::Stream`] returned from [`TlsConnectorFuture::poll`].
    365 pub struct TlsStream<S>(RustlsStream<S>);
    366 impl<S: AsyncRead + AsyncWrite + Unpin> AsyncRead for TlsStream<S> {
    367     #[inline]
    368     fn poll_read(
    369         mut self: Pin<&mut Self>,
    370         cx: &mut Context<'_>,
    371         buf: &mut ReadBuf<'_>,
    372     ) -> Poll<io::Result<()>> {
    373         Pin::new(&mut self.0).poll_read(cx, buf)
    374     }
    375 }
    376 impl<S: AsyncRead + AsyncWrite + Unpin> AsyncWrite for TlsStream<S> {
    377     #[inline]
    378     fn poll_write(
    379         mut self: Pin<&mut Self>,
    380         cx: &mut Context<'_>,
    381         buf: &[u8],
    382     ) -> Poll<Result<usize, io::Error>> {
    383         Pin::new(&mut self.0).poll_write(cx, buf)
    384     }
    385     #[inline]
    386     fn poll_flush(mut self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Result<(), io::Error>> {
    387         Pin::new(&mut self.0).poll_flush(cx)
    388     }
    389     #[inline]
    390     fn poll_shutdown(
    391         mut self: Pin<&mut Self>,
    392         cx: &mut Context<'_>,
    393     ) -> Poll<Result<(), io::Error>> {
    394         Pin::new(&mut self.0).poll_shutdown(cx)
    395     }
    396     #[inline]
    397     fn poll_write_vectored(
    398         mut self: Pin<&mut Self>,
    399         cx: &mut Context<'_>,
    400         bufs: &[IoSlice<'_>],
    401     ) -> Poll<Result<usize, io::Error>> {
    402         Pin::new(&mut self.0).poll_write_vectored(cx, bufs)
    403     }
    404     #[inline]
    405     fn is_write_vectored(&self) -> bool {
    406         self.0.is_write_vectored()
    407     }
    408 }
    409 impl<S: AsyncRead + AsyncWrite + Unpin> PgTlsStream for TlsStream<S> {
    410     /// Returns the [`ChannelBinding`] based on the X.509 v3 certificate sent from the PostgreSQL server.
    411     ///
    412     /// Note when this returns [`ChannelBinding::tls_server_end_point`], it _does not_ mean the certificate
    413     /// is valid. In certain circumstances, this will return that even for an invalid certificate. This should
    414     /// not matter since the certificate being invalid will cause the certificate to be rejected anyway. When
    415     /// the certificate is valid and uses a supported signature algorithm, then this will always return the
    416     /// correct value.
    417     ///
    418     /// The only supported signature algorithms are the following:
    419     ///
    420     /// * id-Ed25519
    421     /// * ecdsa-with-SHA256
    422     /// * sha256WithRSAEncryption
    423     /// * ecdsa-with-SHA384
    424     /// * sha384WithRSAEncryption
    425     /// * ecdsa-with-SHA512
    426     /// * sha512WithRSAEncryption
    427     /// * ecdsa-with-SHA224
    428     /// * sha224WithRSAEncryption
    429     /// * dsa-with-SHA256
    430     /// * dsa-with-SHA224
    431     /// * dsa-with-SHA1
    432     /// * sha1WithRSAEncryption
    433     ///
    434     /// Note it is strongly recommended that TLS 1.3 be used; thus while signature algorithms that are not
    435     /// part of TLS 1.3 are supported, you should avoid them.
    436     /// See [RFC 9266 § 4.2](https://www.rfc-editor.org/rfc/rfc9266#section-4.2).
    437     /// Additionally some of the supported signature algorithms may not be supported by PostgreSQL
    438     /// (e.g., id-Ed25519).
    439     #[expect(clippy::doc_markdown, reason = "PostgreSQL is correct")]
    440     #[inline]
    441     fn channel_binding(&self) -> ChannelBinding {
    442         self.0
    443             .get_ref()
    444             .1
    445             .peer_certificates()
    446             .and_then(|certs| {
    447                 certs.first().and_then(|fst| {
    448                     Hash::from_der_cert(fst)
    449                         .map(|hash| ChannelBinding::tls_server_end_point(hash.into()))
    450                 })
    451             })
    452             .unwrap_or_else(ChannelBinding::none)
    453     }
    454 }
    455 /// [`TlsConnector::Future`] returned from [`TlsConnector::connect`].
    456 pub struct TlsConnectorFuture<S>(Connect<S>);
    457 impl<S: AsyncRead + AsyncWrite + Unpin> Future for TlsConnectorFuture<S> {
    458     type Output = io::Result<TlsStream<S>>;
    459     #[inline]
    460     fn poll(mut self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Self::Output> {
    461         Pin::new(&mut self.0).poll(cx).map_ok(TlsStream)
    462     }
    463 }
    464 /// Connects to the PostgreSQL server.
    465 #[expect(clippy::doc_markdown, reason = "PostgreSQL is correct")]
    466 pub struct TlsConnector<'domain> {
    467     /// Used to connect to the PostgreSQL server.
    468     #[expect(clippy::doc_markdown, reason = "PostgreSQL is correct")]
    469     connector: tokio_rustls::TlsConnector,
    470     /// The domain or IP of the PostgreSQL server.
    471     #[expect(clippy::doc_markdown, reason = "PostgreSQL is correct")]
    472     dom: ServerName<'domain>,
    473 }
    474 impl<'domain> TlsConnector<'domain> {
    475     /// Returns `Self` based on `connector` and `domain`.
    476     ///
    477     /// # Errors
    478     ///
    479     /// Errors iff [`ServerName::try_from`] does when passed `domain`.
    480     #[inline]
    481     pub fn new<'dom: 'domain>(
    482         connector: tokio_rustls::TlsConnector,
    483         domain: &'dom str,
    484     ) -> Result<Self, InvalidDnsNameError> {
    485         ServerName::try_from(domain).map(|dom| Self { connector, dom })
    486     }
    487 }
    488 impl<S: AsyncRead + AsyncWrite + Unpin> PgTlsConnect<S> for TlsConnector<'static> {
    489     type Stream = TlsStream<S>;
    490     type Error = io::Error;
    491     type Future = TlsConnectorFuture<S>;
    492     #[inline]
    493     fn connect(self, stream: S) -> Self::Future {
    494         TlsConnectorFuture(self.connector.connect(self.dom, stream))
    495     }
    496 }
    497 /// [`MakeTlsConnect`] based on [`tokio_rustls::TlsConnector`].
    498 #[cfg_attr(docsrs, doc(cfg(feature = "runtime")))]
    499 #[cfg(feature = "runtime")]
    500 #[derive(Clone)]
    501 pub struct MakeTlsConnector(tokio_rustls::TlsConnector);
    502 #[cfg(feature = "runtime")]
    503 impl MakeTlsConnector {
    504     /// Constructs `Self` based on `connector`.
    505     #[inline]
    506     #[must_use]
    507     pub const fn new(connector: tokio_rustls::TlsConnector) -> Self {
    508         Self(connector)
    509     }
    510 }
    511 #[cfg(feature = "runtime")]
    512 impl<S: AsyncRead + AsyncWrite + Unpin> MakeTlsConnect<S> for MakeTlsConnector {
    513     type Stream = TlsStream<S>;
    514     type TlsConnect = TlsConnector<'static>;
    515     type Error = InvalidDnsNameError;
    516     #[inline]
    517     fn make_tls_connect(&mut self, domain: &str) -> Result<Self::TlsConnect, Self::Error> {
    518         ServerName::try_from(domain).map(|dom| TlsConnector {
    519             connector: self.0.clone(),
    520             dom: dom.to_owned(),
    521         })
    522     }
    523 }
    524 /// Removes any ALPN values and adds the `b"postgresql"` ALPN.
    525 #[inline]
    526 pub fn set_postgresql_alpn(config: &mut ClientConfig) {
    527     config.alpn_protocols.clear();
    528     config.alpn_protocols.push(vec![
    529         b'p', b'o', b's', b't', b'g', b'r', b'e', b's', b'q', b'l',
    530     ]);
    531 }
    532 #[cfg(test)]
    533 mod tests {
    534     #[cfg(feature = "runtime")]
    535     extern crate alloc;
    536     use super::Hash;
    537     #[cfg(feature = "runtime")]
    538     use super::MakeTlsConnector;
    539     #[cfg(feature = "runtime")]
    540     use alloc::sync::Arc;
    541     #[cfg(feature = "runtime")]
    542     use core::{
    543         net::{IpAddr, Ipv6Addr},
    544         time::Duration,
    545     };
    546     use sha2::{Digest as _, Sha224, Sha256, Sha384, Sha512};
    547     #[cfg(feature = "runtime")]
    548     use std::{fs, io::Error};
    549     #[cfg(feature = "runtime")]
    550     use tokio::runtime::Builder;
    551     #[cfg(feature = "runtime")]
    552     use tokio_postgres::{
    553         Config,
    554         config::{ChannelBinding, LoadBalanceHosts, SslMode, TargetSessionAttrs},
    555     };
    556     #[cfg(feature = "runtime")]
    557     use tokio_rustls::rustls::{
    558         self, ClientConfig, RootCertStore,
    559         pki_types::{
    560             CertificateDer, PrivateKeyDer,
    561             pem::{Error as PemErr, PemObject as _},
    562         },
    563         version::TLS13,
    564     };
    565     #[test]
    566     fn test_parse_ed25519() {
    567         /// Certificate that uses Ed25519.
    568         const CERT: &[u8] = [
    569             48, 130, 1, 125, 48, 130, 1, 47, 160, 3, 2, 1, 2, 2, 1, 29, 48, 5, 6, 3, 43, 101, 112,
    570             48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 16, 48, 14, 6, 3, 85, 4, 10,
    571             12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 82, 111,
    572             111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 48, 52, 56, 48, 53, 90, 23, 13,
    573             50, 53, 48, 51, 49, 54, 48, 48, 52, 56, 48, 53, 90, 48, 43, 49, 11, 48, 9, 6, 3, 85, 4,
    574             6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 84, 101, 115, 116, 49, 13,
    575             48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 42, 48, 5, 6, 3, 43, 101, 112, 3,
    576             33, 0, 142, 168, 95, 146, 122, 142, 177, 52, 239, 161, 27, 41, 80, 58, 167, 248, 211,
    577             181, 154, 201, 26, 195, 207, 27, 132, 228, 110, 149, 95, 212, 44, 202, 163, 117, 48,
    578             115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 238, 12, 127, 172, 94, 237, 69, 62, 240,
    579             99, 1, 2, 35, 161, 201, 129, 19, 85, 0, 227, 48, 12, 6, 3, 85, 29, 19, 1, 1, 255, 4, 2,
    580             48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 29, 37, 1, 1,
    581             255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 35, 4, 24, 48,
    582             22, 128, 20, 199, 177, 144, 22, 54, 182, 183, 202, 234, 246, 98, 108, 85, 32, 30, 132,
    583             146, 221, 218, 80, 48, 5, 6, 3, 43, 101, 112, 3, 65, 0, 133, 253, 192, 202, 50, 167,
    584             57, 5, 246, 17, 58, 232, 188, 41, 147, 232, 35, 206, 147, 181, 0, 139, 95, 3, 24, 139,
    585             17, 102, 113, 186, 146, 163, 97, 157, 255, 50, 193, 230, 159, 170, 218, 35, 56, 99, 89,
    586             251, 173, 97, 106, 15, 52, 71, 209, 69, 109, 216, 140, 235, 37, 23, 185, 173, 215, 0,
    587         ]
    588         .as_slice();
    589         assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash {
    590             Hash::Sha256(ref hash) => *hash == Sha256::digest(CERT),
    591             _ => false,
    592         }),);
    593     }
    594     #[test]
    595     fn test_parse_ecdsa_sha256() {
    596         /// Certificate that uses ECDSA with SHA-256.
    597         const CERT: &[u8] = [
    598             48, 130, 1, 189, 48, 130, 1, 99, 160, 3, 2, 1, 2, 2, 1, 27, 48, 10, 6, 8, 42, 134, 72,
    599             206, 61, 4, 3, 2, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 16, 48, 14,
    600             6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 3, 85, 4, 3,
    601             12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 48, 52, 49, 51,
    602             48, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 48, 52, 49, 51, 48, 90, 48, 43, 49, 11, 48,
    603             9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 84, 101, 115,
    604             116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 89, 48, 19, 6, 7,
    605             42, 134, 72, 206, 61, 2, 1, 6, 8, 42, 134, 72, 206, 61, 3, 1, 7, 3, 66, 0, 4, 195, 27,
    606             22, 133, 220, 98, 146, 255, 201, 209, 114, 117, 93, 119, 207, 46, 228, 132, 210, 187,
    607             134, 197, 201, 194, 147, 51, 111, 17, 187, 179, 129, 180, 129, 62, 164, 27, 199, 95,
    608             59, 16, 167, 134, 233, 53, 127, 194, 187, 144, 193, 106, 100, 37, 104, 219, 164, 155,
    609             58, 210, 106, 12, 192, 247, 72, 183, 163, 117, 48, 115, 48, 29, 6, 3, 85, 29, 14, 4,
    610             22, 4, 20, 84, 214, 179, 28, 250, 191, 223, 88, 72, 221, 229, 63, 123, 177, 146, 167,
    611             224, 18, 24, 0, 48, 12, 6, 3, 85, 29, 19, 1, 1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29,
    612             15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 29, 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43,
    613             6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 35, 4, 24, 48, 22, 128, 20, 43, 80, 133,
    614             205, 3, 144, 105, 186, 141, 39, 47, 176, 39, 123, 149, 250, 100, 138, 233, 225, 48, 10,
    615             6, 8, 42, 134, 72, 206, 61, 4, 3, 2, 3, 72, 0, 48, 69, 2, 32, 107, 43, 12, 27, 111,
    616             216, 19, 191, 199, 1, 202, 22, 147, 43, 16, 188, 36, 156, 141, 80, 115, 124, 160, 211,
    617             19, 123, 41, 216, 94, 19, 236, 0, 2, 33, 0, 164, 138, 200, 40, 159, 245, 38, 70, 207,
    618             160, 121, 19, 56, 240, 18, 222, 191, 196, 217, 129, 24, 92, 238, 43, 39, 29, 57, 85,
    619             56, 11, 178, 88,
    620         ]
    621         .as_slice();
    622         assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash {
    623             Hash::Sha256(ref hash) => *hash == Sha256::digest(CERT),
    624             _ => false,
    625         }),);
    626     }
    627     #[test]
    628     fn test_parse_ecdsa_sha384() {
    629         /// Certificate that uses ECDSA with SHA-384.
    630         const CERT: &[u8] = [
    631             48, 130, 1, 218, 48, 130, 1, 128, 160, 3, 2, 1, 2, 2, 1, 25, 48, 10, 6, 8, 42, 134, 72,
    632             206, 61, 4, 3, 3, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 16, 48, 14,
    633             6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 3, 85, 4, 3,
    634             12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 48, 51, 57, 51,
    635             55, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 48, 51, 57, 51, 55, 90, 48, 43, 49, 11, 48,
    636             9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 84, 101, 115,
    637             116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 118, 48, 16, 6, 7,
    638             42, 134, 72, 206, 61, 2, 1, 6, 5, 43, 129, 4, 0, 34, 3, 98, 0, 4, 246, 106, 156, 228,
    639             83, 166, 254, 62, 196, 22, 127, 171, 204, 182, 154, 182, 253, 35, 95, 120, 253, 231,
    640             78, 20, 146, 203, 186, 201, 147, 48, 197, 96, 195, 202, 5, 235, 201, 168, 28, 117, 62,
    641             47, 121, 211, 58, 67, 32, 96, 129, 15, 215, 172, 135, 222, 180, 101, 196, 18, 41, 107,
    642             6, 161, 172, 183, 217, 106, 227, 24, 140, 13, 145, 245, 137, 185, 4, 78, 210, 56, 235,
    643             159, 203, 241, 203, 239, 39, 90, 98, 227, 215, 221, 119, 65, 47, 68, 2, 200, 163, 117,
    644             48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 88, 91, 22, 70, 200, 54, 182, 100,
    645             191, 186, 73, 152, 174, 87, 56, 64, 26, 173, 27, 43, 48, 12, 6, 3, 85, 29, 19, 1, 1,
    646             255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 29,
    647             37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 35,
    648             4, 24, 48, 22, 128, 20, 43, 80, 133, 205, 3, 144, 105, 186, 141, 39, 47, 176, 39, 123,
    649             149, 250, 100, 138, 233, 225, 48, 10, 6, 8, 42, 134, 72, 206, 61, 4, 3, 3, 3, 72, 0,
    650             48, 69, 2, 33, 0, 210, 47, 45, 107, 132, 43, 161, 65, 132, 15, 148, 184, 203, 125, 234,
    651             232, 111, 216, 238, 113, 187, 201, 114, 177, 218, 234, 201, 126, 204, 118, 80, 225, 2,
    652             32, 67, 111, 72, 96, 182, 167, 191, 130, 118, 105, 253, 133, 58, 38, 65, 112, 234, 3,
    653             23, 77, 182, 0, 195, 80, 181, 65, 76, 243, 4, 145, 200, 255,
    654         ]
    655         .as_slice();
    656         assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash {
    657             Hash::Sha384(ref hash) => *hash == Sha384::digest(CERT),
    658             _ => false,
    659         }),);
    660     }
    661     #[test]
    662     fn test_parse_ecdsa_sha512() {
    663         /// Certificate that uses ECDSA with SHA-512.
    664         const CERT: &[u8] = [
    665             48, 130, 2, 1, 48, 130, 1, 166, 160, 3, 2, 1, 2, 2, 1, 24, 48, 10, 6, 8, 42, 134, 72,
    666             206, 61, 4, 3, 4, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 16, 48, 14,
    667             6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 3, 85, 4, 3,
    668             12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 48, 51, 56, 51,
    669             54, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 48, 51, 56, 51, 54, 90, 48, 43, 49, 11, 48,
    670             9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 84, 101, 115,
    671             116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 129, 155, 48, 16, 6,
    672             7, 42, 134, 72, 206, 61, 2, 1, 6, 5, 43, 129, 4, 0, 35, 3, 129, 134, 0, 4, 1, 86, 143,
    673             210, 217, 20, 143, 103, 172, 34, 97, 62, 173, 15, 43, 199, 93, 220, 81, 75, 137, 219,
    674             111, 217, 127, 6, 8, 115, 160, 121, 146, 138, 64, 110, 14, 193, 98, 164, 226, 208, 89,
    675             120, 108, 30, 107, 77, 194, 63, 41, 112, 173, 112, 44, 85, 54, 155, 168, 189, 235, 129,
    676             214, 104, 152, 198, 252, 62, 1, 87, 193, 205, 162, 152, 15, 26, 111, 231, 183, 106,
    677             145, 29, 251, 188, 148, 239, 192, 53, 186, 34, 13, 104, 231, 85, 127, 17, 67, 54, 116,
    678             232, 85, 23, 143, 68, 171, 30, 25, 155, 201, 171, 106, 89, 20, 234, 12, 192, 68, 102,
    679             166, 50, 246, 130, 117, 62, 222, 142, 98, 62, 43, 9, 109, 74, 138, 180, 163, 117, 48,
    680             115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 148, 160, 104, 250, 171, 155, 48, 171, 13,
    681             164, 221, 144, 240, 194, 250, 9, 183, 72, 158, 141, 48, 12, 6, 3, 85, 29, 19, 1, 1,
    682             255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 29,
    683             37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 35,
    684             4, 24, 48, 22, 128, 20, 43, 80, 133, 205, 3, 144, 105, 186, 141, 39, 47, 176, 39, 123,
    685             149, 250, 100, 138, 233, 225, 48, 10, 6, 8, 42, 134, 72, 206, 61, 4, 3, 4, 3, 73, 0,
    686             48, 70, 2, 33, 0, 179, 24, 50, 50, 127, 141, 167, 197, 29, 35, 234, 81, 215, 112, 233,
    687             218, 84, 151, 136, 117, 40, 106, 164, 156, 205, 75, 6, 133, 64, 52, 161, 116, 2, 33, 0,
    688             141, 178, 46, 201, 22, 126, 42, 84, 96, 191, 175, 219, 140, 72, 252, 6, 152, 112, 113,
    689             232, 38, 101, 11, 215, 20, 143, 22, 199, 38, 237, 179, 108,
    690         ]
    691         .as_slice();
    692         assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash {
    693             Hash::Sha512(ref hash) => *hash == Sha512::digest(CERT),
    694             _ => false,
    695         }),);
    696     }
    697     #[test]
    698     fn test_parse_ecdsa_sha224() {
    699         /// Certificate that uses ECDSA with SHA-224.
    700         const CERT: &[u8] = [
    701             48, 130, 1, 178, 48, 130, 1, 88, 160, 3, 2, 1, 2, 2, 1, 28, 48, 10, 6, 8, 42, 134, 72,
    702             206, 61, 4, 3, 1, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 16, 48, 14,
    703             6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 3, 85, 4, 3,
    704             12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 48, 52, 50, 49,
    705             52, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 48, 52, 50, 49, 52, 90, 48, 43, 49, 11, 48,
    706             9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 84, 101, 115,
    707             116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 78, 48, 16, 6, 7,
    708             42, 134, 72, 206, 61, 2, 1, 6, 5, 43, 129, 4, 0, 33, 3, 58, 0, 4, 235, 241, 149, 78,
    709             60, 248, 123, 132, 195, 228, 188, 151, 240, 28, 76, 198, 207, 121, 165, 126, 245, 158,
    710             214, 232, 69, 198, 114, 117, 86, 137, 15, 86, 40, 171, 27, 36, 8, 43, 190, 138, 193,
    711             136, 118, 43, 29, 119, 182, 21, 14, 123, 110, 81, 81, 72, 44, 195, 163, 117, 48, 115,
    712             48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 203, 141, 20, 54, 48, 176, 180, 57, 46, 1, 91,
    713             221, 116, 154, 205, 81, 187, 184, 24, 211, 48, 12, 6, 3, 85, 29, 19, 1, 1, 255, 4, 2,
    714             48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 29, 37, 1, 1,
    715             255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 35, 4, 24, 48,
    716             22, 128, 20, 43, 80, 133, 205, 3, 144, 105, 186, 141, 39, 47, 176, 39, 123, 149, 250,
    717             100, 138, 233, 225, 48, 10, 6, 8, 42, 134, 72, 206, 61, 4, 3, 1, 3, 72, 0, 48, 69, 2,
    718             32, 64, 186, 179, 226, 82, 176, 87, 158, 166, 22, 31, 27, 19, 190, 112, 167, 241, 159,
    719             33, 198, 60, 70, 68, 120, 19, 63, 33, 244, 236, 240, 216, 181, 2, 33, 0, 252, 183, 115,
    720             52, 189, 151, 44, 178, 62, 209, 159, 31, 154, 152, 69, 189, 121, 148, 57, 231, 27, 22,
    721             165, 212, 65, 202, 124, 15, 53, 150, 93, 183,
    722         ]
    723         .as_slice();
    724         assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash {
    725             Hash::Sha224(ref hash) => *hash == Sha224::digest(CERT),
    726             _ => false,
    727         }),);
    728     }
    729     #[test]
    730     fn test_parse_rsa_sha256() {
    731         /// Certificate that uses RSA with SHA-256.
    732         const CERT: &[u8] = [
    733             48, 130, 3, 73, 48, 130, 2, 49, 160, 3, 2, 1, 2, 2, 1, 31, 48, 13, 6, 9, 42, 134, 72,
    734             134, 247, 13, 1, 1, 11, 5, 0, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49,
    735             16, 48, 14, 6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6,
    736             3, 85, 4, 3, 12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 49,
    737             48, 51, 48, 53, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 49, 48, 51, 48, 53, 90, 48, 43,
    738             49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4,
    739             84, 101, 115, 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 130,
    740             1, 34, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 1, 5, 0, 3, 130, 1, 15, 0, 48,
    741             130, 1, 10, 2, 130, 1, 1, 0, 157, 28, 83, 190, 61, 252, 154, 205, 112, 191, 153, 197,
    742             22, 159, 92, 161, 84, 84, 181, 67, 218, 26, 189, 52, 245, 184, 150, 248, 142, 15, 214,
    743             118, 205, 243, 107, 45, 103, 205, 9, 198, 129, 115, 7, 195, 115, 131, 34, 244, 217, 42,
    744             234, 170, 84, 41, 128, 49, 81, 175, 208, 42, 100, 168, 44, 145, 226, 11, 98, 245, 83,
    745             134, 213, 30, 76, 239, 43, 82, 222, 175, 254, 135, 124, 16, 218, 105, 159, 219, 43, 8,
    746             109, 1, 228, 16, 190, 160, 28, 100, 120, 245, 100, 164, 45, 128, 181, 238, 152, 227,
    747             50, 63, 162, 191, 4, 173, 210, 254, 31, 141, 66, 193, 237, 20, 92, 34, 13, 74, 135, 80,
    748             201, 12, 158, 51, 54, 91, 53, 97, 115, 212, 97, 6, 160, 45, 77, 40, 165, 55, 128, 230,
    749             105, 31, 76, 197, 211, 111, 197, 169, 167, 136, 2, 249, 117, 65, 127, 163, 217, 169,
    750             151, 97, 209, 194, 179, 203, 81, 58, 52, 66, 11, 184, 172, 97, 70, 124, 125, 151, 159,
    751             102, 224, 24, 159, 233, 169, 95, 66, 17, 180, 69, 48, 233, 5, 250, 37, 55, 35, 200,
    752             212, 225, 197, 240, 19, 22, 106, 101, 171, 190, 135, 3, 75, 157, 240, 149, 107, 208,
    753             94, 58, 244, 204, 105, 9, 32, 203, 162, 194, 39, 12, 97, 16, 153, 236, 60, 93, 24, 252,
    754             103, 231, 164, 19, 55, 233, 181, 103, 135, 187, 40, 202, 210, 125, 88, 73, 2, 3, 1, 0,
    755             1, 163, 117, 48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 91, 156, 56, 249, 82, 5,
    756             5, 2, 2, 21, 57, 237, 90, 8, 188, 55, 139, 113, 229, 132, 48, 12, 6, 3, 85, 29, 19, 1,
    757             1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85,
    758             29, 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29,
    759             35, 4, 24, 48, 22, 128, 20, 96, 178, 34, 145, 205, 104, 56, 196, 211, 241, 34, 247,
    760             125, 194, 215, 110, 191, 133, 151, 15, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1,
    761             11, 5, 0, 3, 130, 1, 1, 0, 28, 109, 109, 197, 99, 197, 36, 180, 154, 215, 173, 215, 24,
    762             94, 47, 218, 147, 163, 179, 123, 248, 3, 144, 109, 173, 207, 49, 113, 249, 188, 31,
    763             178, 16, 88, 88, 56, 11, 86, 127, 193, 23, 165, 65, 190, 84, 170, 156, 190, 52, 87,
    764             119, 213, 106, 184, 11, 204, 151, 148, 205, 100, 233, 46, 170, 45, 161, 100, 58, 46,
    765             105, 25, 150, 78, 146, 41, 100, 125, 203, 214, 238, 104, 251, 25, 183, 66, 102, 241,
    766             110, 56, 55, 205, 122, 234, 205, 90, 91, 247, 143, 129, 217, 6, 190, 120, 18, 190, 11,
    767             121, 207, 142, 170, 57, 236, 243, 113, 53, 167, 188, 26, 134, 175, 107, 195, 48, 119,
    768             78, 117, 157, 104, 247, 65, 122, 153, 234, 166, 88, 142, 228, 25, 120, 243, 51, 111, 8,
    769             43, 199, 255, 162, 186, 18, 64, 54, 96, 44, 138, 144, 237, 89, 176, 189, 245, 194, 96,
    770             232, 196, 0, 50, 51, 98, 32, 163, 177, 130, 113, 41, 116, 33, 40, 190, 111, 79, 108,
    771             107, 159, 65, 87, 222, 173, 170, 39, 29, 97, 240, 107, 130, 101, 247, 123, 85, 123,
    772             247, 221, 89, 159, 114, 157, 35, 153, 22, 127, 149, 224, 158, 236, 4, 137, 193, 135,
    773             136, 97, 222, 83, 232, 205, 148, 127, 139, 78, 220, 10, 183, 139, 205, 190, 181, 36,
    774             61, 155, 88, 163, 50, 120, 153, 41, 182, 75, 219, 95, 25, 40, 229, 106, 87, 215, 77,
    775             50, 219, 97,
    776         ]
    777         .as_slice();
    778         assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash {
    779             Hash::Sha256(ref hash) => *hash == Sha256::digest(CERT),
    780             _ => false,
    781         }),);
    782     }
    783     #[test]
    784     fn test_parse_rsa_sha384() {
    785         /// Certificate that uses RSA with SHA-384.
    786         const CERT: &[u8] = [
    787             48, 130, 3, 73, 48, 130, 2, 49, 160, 3, 2, 1, 2, 2, 1, 32, 48, 13, 6, 9, 42, 134, 72,
    788             134, 247, 13, 1, 1, 12, 5, 0, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49,
    789             16, 48, 14, 6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6,
    790             3, 85, 4, 3, 12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 49,
    791             48, 53, 52, 54, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 49, 48, 53, 52, 54, 90, 48, 43,
    792             49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4,
    793             84, 101, 115, 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 130,
    794             1, 34, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 1, 5, 0, 3, 130, 1, 15, 0, 48,
    795             130, 1, 10, 2, 130, 1, 1, 0, 157, 28, 83, 190, 61, 252, 154, 205, 112, 191, 153, 197,
    796             22, 159, 92, 161, 84, 84, 181, 67, 218, 26, 189, 52, 245, 184, 150, 248, 142, 15, 214,
    797             118, 205, 243, 107, 45, 103, 205, 9, 198, 129, 115, 7, 195, 115, 131, 34, 244, 217, 42,
    798             234, 170, 84, 41, 128, 49, 81, 175, 208, 42, 100, 168, 44, 145, 226, 11, 98, 245, 83,
    799             134, 213, 30, 76, 239, 43, 82, 222, 175, 254, 135, 124, 16, 218, 105, 159, 219, 43, 8,
    800             109, 1, 228, 16, 190, 160, 28, 100, 120, 245, 100, 164, 45, 128, 181, 238, 152, 227,
    801             50, 63, 162, 191, 4, 173, 210, 254, 31, 141, 66, 193, 237, 20, 92, 34, 13, 74, 135, 80,
    802             201, 12, 158, 51, 54, 91, 53, 97, 115, 212, 97, 6, 160, 45, 77, 40, 165, 55, 128, 230,
    803             105, 31, 76, 197, 211, 111, 197, 169, 167, 136, 2, 249, 117, 65, 127, 163, 217, 169,
    804             151, 97, 209, 194, 179, 203, 81, 58, 52, 66, 11, 184, 172, 97, 70, 124, 125, 151, 159,
    805             102, 224, 24, 159, 233, 169, 95, 66, 17, 180, 69, 48, 233, 5, 250, 37, 55, 35, 200,
    806             212, 225, 197, 240, 19, 22, 106, 101, 171, 190, 135, 3, 75, 157, 240, 149, 107, 208,
    807             94, 58, 244, 204, 105, 9, 32, 203, 162, 194, 39, 12, 97, 16, 153, 236, 60, 93, 24, 252,
    808             103, 231, 164, 19, 55, 233, 181, 103, 135, 187, 40, 202, 210, 125, 88, 73, 2, 3, 1, 0,
    809             1, 163, 117, 48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 91, 156, 56, 249, 82, 5,
    810             5, 2, 2, 21, 57, 237, 90, 8, 188, 55, 139, 113, 229, 132, 48, 12, 6, 3, 85, 29, 19, 1,
    811             1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85,
    812             29, 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29,
    813             35, 4, 24, 48, 22, 128, 20, 96, 178, 34, 145, 205, 104, 56, 196, 211, 241, 34, 247,
    814             125, 194, 215, 110, 191, 133, 151, 15, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1,
    815             12, 5, 0, 3, 130, 1, 1, 0, 135, 249, 101, 184, 225, 162, 164, 193, 23, 81, 98, 221,
    816             134, 87, 34, 94, 229, 131, 221, 17, 38, 61, 156, 200, 113, 94, 244, 188, 226, 84, 74,
    817             96, 205, 237, 230, 242, 168, 238, 178, 133, 68, 188, 80, 244, 60, 42, 169, 54, 66, 79,
    818             104, 66, 251, 27, 240, 108, 16, 46, 175, 62, 240, 194, 7, 181, 238, 211, 118, 149, 150,
    819             46, 97, 39, 28, 173, 225, 49, 73, 206, 147, 101, 12, 192, 218, 119, 208, 73, 20, 208,
    820             229, 216, 133, 213, 28, 165, 70, 20, 158, 114, 223, 40, 121, 13, 236, 218, 165, 237,
    821             164, 196, 94, 80, 120, 49, 212, 241, 213, 197, 201, 104, 67, 223, 130, 148, 197, 251,
    822             199, 167, 6, 89, 146, 139, 141, 32, 78, 72, 190, 146, 94, 251, 208, 47, 118, 173, 111,
    823             92, 241, 102, 26, 233, 145, 46, 220, 230, 5, 147, 220, 92, 240, 133, 24, 192, 71, 49,
    824             252, 84, 163, 132, 34, 139, 12, 106, 4, 189, 151, 37, 34, 123, 26, 42, 84, 46, 232, 14,
    825             129, 101, 84, 26, 25, 219, 11, 115, 214, 106, 12, 75, 199, 248, 218, 239, 209, 32, 159,
    826             40, 192, 11, 2, 175, 51, 232, 20, 8, 72, 188, 184, 177, 22, 251, 238, 42, 74, 21, 25,
    827             93, 77, 184, 5, 207, 101, 98, 60, 214, 173, 169, 56, 54, 211, 167, 55, 34, 14, 184, 25,
    828             4, 170, 108, 94, 110, 27, 45, 11, 22, 61, 130, 63, 214, 168, 72,
    829         ]
    830         .as_slice();
    831         assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash {
    832             Hash::Sha384(ref hash) => *hash == Sha384::digest(CERT),
    833             _ => false,
    834         }),);
    835     }
    836     #[test]
    837     fn test_parse_rsa_sha512() {
    838         /// Certificate that uses RSA with SHA-512.
    839         const CERT: &[u8] = [
    840             48, 130, 3, 73, 48, 130, 2, 49, 160, 3, 2, 1, 2, 2, 1, 33, 48, 13, 6, 9, 42, 134, 72,
    841             134, 247, 13, 1, 1, 13, 5, 0, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49,
    842             16, 48, 14, 6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6,
    843             3, 85, 4, 3, 12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 49,
    844             48, 54, 52, 53, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 49, 48, 54, 52, 53, 90, 48, 43,
    845             49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4,
    846             84, 101, 115, 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 130,
    847             1, 34, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 1, 5, 0, 3, 130, 1, 15, 0, 48,
    848             130, 1, 10, 2, 130, 1, 1, 0, 157, 28, 83, 190, 61, 252, 154, 205, 112, 191, 153, 197,
    849             22, 159, 92, 161, 84, 84, 181, 67, 218, 26, 189, 52, 245, 184, 150, 248, 142, 15, 214,
    850             118, 205, 243, 107, 45, 103, 205, 9, 198, 129, 115, 7, 195, 115, 131, 34, 244, 217, 42,
    851             234, 170, 84, 41, 128, 49, 81, 175, 208, 42, 100, 168, 44, 145, 226, 11, 98, 245, 83,
    852             134, 213, 30, 76, 239, 43, 82, 222, 175, 254, 135, 124, 16, 218, 105, 159, 219, 43, 8,
    853             109, 1, 228, 16, 190, 160, 28, 100, 120, 245, 100, 164, 45, 128, 181, 238, 152, 227,
    854             50, 63, 162, 191, 4, 173, 210, 254, 31, 141, 66, 193, 237, 20, 92, 34, 13, 74, 135, 80,
    855             201, 12, 158, 51, 54, 91, 53, 97, 115, 212, 97, 6, 160, 45, 77, 40, 165, 55, 128, 230,
    856             105, 31, 76, 197, 211, 111, 197, 169, 167, 136, 2, 249, 117, 65, 127, 163, 217, 169,
    857             151, 97, 209, 194, 179, 203, 81, 58, 52, 66, 11, 184, 172, 97, 70, 124, 125, 151, 159,
    858             102, 224, 24, 159, 233, 169, 95, 66, 17, 180, 69, 48, 233, 5, 250, 37, 55, 35, 200,
    859             212, 225, 197, 240, 19, 22, 106, 101, 171, 190, 135, 3, 75, 157, 240, 149, 107, 208,
    860             94, 58, 244, 204, 105, 9, 32, 203, 162, 194, 39, 12, 97, 16, 153, 236, 60, 93, 24, 252,
    861             103, 231, 164, 19, 55, 233, 181, 103, 135, 187, 40, 202, 210, 125, 88, 73, 2, 3, 1, 0,
    862             1, 163, 117, 48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 91, 156, 56, 249, 82, 5,
    863             5, 2, 2, 21, 57, 237, 90, 8, 188, 55, 139, 113, 229, 132, 48, 12, 6, 3, 85, 29, 19, 1,
    864             1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85,
    865             29, 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29,
    866             35, 4, 24, 48, 22, 128, 20, 96, 178, 34, 145, 205, 104, 56, 196, 211, 241, 34, 247,
    867             125, 194, 215, 110, 191, 133, 151, 15, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1,
    868             13, 5, 0, 3, 130, 1, 1, 0, 106, 7, 136, 82, 232, 55, 0, 98, 9, 211, 201, 57, 239, 67,
    869             167, 139, 225, 164, 231, 255, 10, 52, 47, 234, 254, 75, 239, 241, 39, 6, 226, 209, 210,
    870             169, 200, 32, 255, 83, 159, 23, 146, 9, 109, 173, 236, 216, 253, 199, 229, 23, 227, 33,
    871             56, 98, 109, 59, 2, 167, 29, 118, 251, 82, 193, 39, 244, 191, 166, 194, 160, 105, 197,
    872             190, 213, 141, 193, 50, 45, 245, 163, 229, 116, 221, 29, 194, 91, 198, 187, 21, 224,
    873             95, 17, 203, 148, 160, 4, 15, 54, 249, 69, 12, 18, 25, 58, 190, 205, 44, 157, 184, 1,
    874             25, 64, 219, 237, 196, 33, 101, 255, 146, 232, 112, 247, 214, 174, 252, 152, 146, 142,
    875             231, 81, 35, 240, 216, 98, 136, 65, 179, 237, 207, 229, 198, 72, 175, 244, 31, 126,
    876             106, 107, 100, 200, 81, 227, 41, 61, 26, 122, 226, 121, 219, 131, 212, 206, 238, 14,
    877             210, 70, 60, 107, 115, 214, 67, 180, 133, 157, 114, 138, 63, 249, 71, 235, 41, 246, 14,
    878             14, 4, 254, 208, 215, 111, 196, 248, 117, 61, 44, 67, 185, 11, 132, 10, 188, 220, 110,
    879             78, 61, 171, 88, 172, 161, 1, 223, 52, 75, 101, 55, 249, 125, 178, 141, 127, 0, 246,
    880             176, 34, 120, 93, 214, 37, 210, 148, 217, 149, 255, 63, 32, 58, 8, 71, 179, 62, 119,
    881             14, 47, 191, 207, 137, 22, 255, 21, 71, 46, 42, 176, 31, 206, 146, 248, 105,
    882         ]
    883         .as_slice();
    884         assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash {
    885             Hash::Sha512(ref hash) => *hash == Sha512::digest(CERT),
    886             _ => false,
    887         }),);
    888     }
    889     #[test]
    890     fn test_parse_rsa_sha224() {
    891         /// Certificate that uses RSA with SHA-224.
    892         const CERT: &[u8] = [
    893             48, 130, 3, 73, 48, 130, 2, 49, 160, 3, 2, 1, 2, 2, 1, 30, 48, 13, 6, 9, 42, 134, 72,
    894             134, 247, 13, 1, 1, 14, 5, 0, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49,
    895             16, 48, 14, 6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6,
    896             3, 85, 4, 3, 12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 48,
    897             53, 57, 50, 56, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 48, 53, 57, 50, 56, 90, 48, 43,
    898             49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4,
    899             84, 101, 115, 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 130,
    900             1, 34, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 1, 5, 0, 3, 130, 1, 15, 0, 48,
    901             130, 1, 10, 2, 130, 1, 1, 0, 157, 28, 83, 190, 61, 252, 154, 205, 112, 191, 153, 197,
    902             22, 159, 92, 161, 84, 84, 181, 67, 218, 26, 189, 52, 245, 184, 150, 248, 142, 15, 214,
    903             118, 205, 243, 107, 45, 103, 205, 9, 198, 129, 115, 7, 195, 115, 131, 34, 244, 217, 42,
    904             234, 170, 84, 41, 128, 49, 81, 175, 208, 42, 100, 168, 44, 145, 226, 11, 98, 245, 83,
    905             134, 213, 30, 76, 239, 43, 82, 222, 175, 254, 135, 124, 16, 218, 105, 159, 219, 43, 8,
    906             109, 1, 228, 16, 190, 160, 28, 100, 120, 245, 100, 164, 45, 128, 181, 238, 152, 227,
    907             50, 63, 162, 191, 4, 173, 210, 254, 31, 141, 66, 193, 237, 20, 92, 34, 13, 74, 135, 80,
    908             201, 12, 158, 51, 54, 91, 53, 97, 115, 212, 97, 6, 160, 45, 77, 40, 165, 55, 128, 230,
    909             105, 31, 76, 197, 211, 111, 197, 169, 167, 136, 2, 249, 117, 65, 127, 163, 217, 169,
    910             151, 97, 209, 194, 179, 203, 81, 58, 52, 66, 11, 184, 172, 97, 70, 124, 125, 151, 159,
    911             102, 224, 24, 159, 233, 169, 95, 66, 17, 180, 69, 48, 233, 5, 250, 37, 55, 35, 200,
    912             212, 225, 197, 240, 19, 22, 106, 101, 171, 190, 135, 3, 75, 157, 240, 149, 107, 208,
    913             94, 58, 244, 204, 105, 9, 32, 203, 162, 194, 39, 12, 97, 16, 153, 236, 60, 93, 24, 252,
    914             103, 231, 164, 19, 55, 233, 181, 103, 135, 187, 40, 202, 210, 125, 88, 73, 2, 3, 1, 0,
    915             1, 163, 117, 48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 91, 156, 56, 249, 82, 5,
    916             5, 2, 2, 21, 57, 237, 90, 8, 188, 55, 139, 113, 229, 132, 48, 12, 6, 3, 85, 29, 19, 1,
    917             1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85,
    918             29, 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29,
    919             35, 4, 24, 48, 22, 128, 20, 96, 178, 34, 145, 205, 104, 56, 196, 211, 241, 34, 247,
    920             125, 194, 215, 110, 191, 133, 151, 15, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1,
    921             14, 5, 0, 3, 130, 1, 1, 0, 122, 121, 0, 201, 250, 195, 66, 213, 60, 117, 213, 188, 93,
    922             193, 88, 130, 241, 219, 111, 238, 109, 38, 220, 131, 164, 12, 135, 169, 58, 140, 214,
    923             211, 93, 51, 204, 242, 10, 119, 123, 23, 69, 67, 135, 151, 245, 23, 144, 61, 233, 229,
    924             122, 189, 111, 89, 190, 100, 251, 86, 185, 246, 40, 121, 190, 192, 199, 119, 232, 209,
    925             202, 23, 20, 46, 48, 235, 175, 240, 225, 106, 6, 24, 239, 172, 51, 196, 63, 189, 210,
    926             167, 244, 87, 245, 193, 130, 33, 171, 165, 117, 180, 25, 250, 21, 6, 208, 124, 254, 64,
    927             180, 50, 124, 234, 179, 121, 183, 0, 71, 118, 28, 115, 86, 117, 60, 96, 164, 33, 54, 1,
    928             86, 234, 132, 146, 156, 221, 52, 28, 39, 237, 128, 75, 157, 169, 203, 26, 48, 74, 4,
    929             129, 162, 139, 235, 16, 74, 236, 151, 0, 150, 234, 246, 204, 180, 240, 31, 92, 129, 51,
    930             221, 118, 10, 192, 140, 32, 33, 21, 223, 113, 35, 86, 47, 236, 159, 252, 52, 185, 41,
    931             151, 56, 126, 251, 165, 126, 214, 27, 213, 169, 211, 174, 26, 55, 21, 11, 187, 189, 96,
    932             67, 141, 124, 178, 51, 37, 80, 17, 220, 210, 193, 243, 127, 46, 82, 75, 172, 187, 156,
    933             222, 186, 3, 13, 194, 104, 234, 131, 96, 99, 34, 1, 61, 149, 219, 33, 227, 34, 215,
    934             211, 82, 106, 57, 61, 185, 178, 1, 191, 14, 196, 52, 5, 38, 27, 232,
    935         ]
    936         .as_slice();
    937         assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash {
    938             Hash::Sha224(ref hash) => *hash == Sha224::digest(CERT),
    939             _ => false,
    940         }),);
    941     }
    942     #[test]
    943     fn test_parse_rsa_sha1() {
    944         /// Certificate that uses RSA with SHA-1.
    945         const CERT: &[u8] = [
    946             48, 130, 3, 73, 48, 130, 2, 49, 160, 3, 2, 1, 2, 2, 1, 34, 48, 13, 6, 9, 42, 134, 72,
    947             134, 247, 13, 1, 1, 5, 5, 0, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49,
    948             16, 48, 14, 6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6,
    949             3, 85, 4, 3, 12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 49,
    950             48, 57, 50, 56, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 49, 48, 57, 50, 56, 90, 48, 43,
    951             49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4,
    952             84, 101, 115, 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 130,
    953             1, 34, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 1, 5, 0, 3, 130, 1, 15, 0, 48,
    954             130, 1, 10, 2, 130, 1, 1, 0, 157, 28, 83, 190, 61, 252, 154, 205, 112, 191, 153, 197,
    955             22, 159, 92, 161, 84, 84, 181, 67, 218, 26, 189, 52, 245, 184, 150, 248, 142, 15, 214,
    956             118, 205, 243, 107, 45, 103, 205, 9, 198, 129, 115, 7, 195, 115, 131, 34, 244, 217, 42,
    957             234, 170, 84, 41, 128, 49, 81, 175, 208, 42, 100, 168, 44, 145, 226, 11, 98, 245, 83,
    958             134, 213, 30, 76, 239, 43, 82, 222, 175, 254, 135, 124, 16, 218, 105, 159, 219, 43, 8,
    959             109, 1, 228, 16, 190, 160, 28, 100, 120, 245, 100, 164, 45, 128, 181, 238, 152, 227,
    960             50, 63, 162, 191, 4, 173, 210, 254, 31, 141, 66, 193, 237, 20, 92, 34, 13, 74, 135, 80,
    961             201, 12, 158, 51, 54, 91, 53, 97, 115, 212, 97, 6, 160, 45, 77, 40, 165, 55, 128, 230,
    962             105, 31, 76, 197, 211, 111, 197, 169, 167, 136, 2, 249, 117, 65, 127, 163, 217, 169,
    963             151, 97, 209, 194, 179, 203, 81, 58, 52, 66, 11, 184, 172, 97, 70, 124, 125, 151, 159,
    964             102, 224, 24, 159, 233, 169, 95, 66, 17, 180, 69, 48, 233, 5, 250, 37, 55, 35, 200,
    965             212, 225, 197, 240, 19, 22, 106, 101, 171, 190, 135, 3, 75, 157, 240, 149, 107, 208,
    966             94, 58, 244, 204, 105, 9, 32, 203, 162, 194, 39, 12, 97, 16, 153, 236, 60, 93, 24, 252,
    967             103, 231, 164, 19, 55, 233, 181, 103, 135, 187, 40, 202, 210, 125, 88, 73, 2, 3, 1, 0,
    968             1, 163, 117, 48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 91, 156, 56, 249, 82, 5,
    969             5, 2, 2, 21, 57, 237, 90, 8, 188, 55, 139, 113, 229, 132, 48, 12, 6, 3, 85, 29, 19, 1,
    970             1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85,
    971             29, 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29,
    972             35, 4, 24, 48, 22, 128, 20, 96, 178, 34, 145, 205, 104, 56, 196, 211, 241, 34, 247,
    973             125, 194, 215, 110, 191, 133, 151, 15, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1,
    974             5, 5, 0, 3, 130, 1, 1, 0, 12, 93, 61, 154, 152, 205, 44, 219, 157, 214, 4, 162, 93, 85,
    975             60, 231, 231, 206, 193, 160, 133, 28, 61, 113, 102, 120, 137, 120, 175, 11, 244, 113,
    976             217, 81, 151, 123, 210, 108, 156, 145, 99, 158, 104, 10, 25, 129, 95, 128, 140, 44,
    977             153, 65, 175, 32, 37, 189, 186, 43, 101, 153, 98, 160, 95, 13, 154, 86, 221, 99, 210,
    978             157, 25, 41, 98, 79, 252, 2, 8, 221, 120, 71, 54, 221, 34, 180, 109, 181, 185, 58, 2,
    979             119, 167, 50, 172, 167, 192, 136, 24, 227, 40, 211, 18, 98, 2, 175, 174, 42, 100, 136,
    980             83, 116, 7, 50, 50, 215, 164, 90, 49, 231, 106, 240, 246, 95, 236, 60, 198, 97, 200,
    981             140, 23, 168, 183, 174, 132, 39, 251, 61, 112, 226, 66, 68, 16, 23, 213, 129, 86, 196,
    982             248, 82, 141, 82, 107, 246, 224, 37, 94, 95, 134, 139, 75, 15, 70, 54, 47, 80, 19, 143,
    983             48, 171, 113, 130, 226, 180, 39, 18, 44, 117, 113, 196, 20, 11, 82, 174, 251, 197, 216,
    984             152, 229, 188, 148, 191, 165, 149, 50, 127, 172, 111, 95, 194, 63, 238, 112, 154, 85,
    985             98, 18, 236, 13, 123, 232, 90, 47, 180, 36, 148, 77, 192, 45, 113, 150, 10, 254, 99, 0,
    986             30, 87, 80, 22, 61, 78, 66, 180, 251, 220, 8, 78, 175, 251, 27, 201, 79, 197, 45, 127,
    987             143, 163, 7, 252, 246, 45, 127, 87, 224, 125, 175, 245, 115,
    988         ]
    989         .as_slice();
    990         assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash {
    991             Hash::Sha256(ref hash) => *hash == Sha256::digest(CERT),
    992             _ => false,
    993         }),);
    994     }
    995     #[test]
    996     fn test_parse_dsa_sha256() {
    997         /// Certificate that uses DSA with SHA-256.
    998         const CERT: &[u8] = [
    999             48, 130, 4, 162, 48, 130, 4, 79, 160, 3, 2, 1, 2, 2, 1, 37, 48, 11, 6, 9, 96, 134, 72,
   1000             1, 101, 3, 4, 3, 2, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 16, 48,
   1001             14, 6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 3, 85, 4,
   1002             3, 12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 49, 50, 51,
   1003             48, 51, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 49, 50, 51, 48, 51, 90, 48, 43, 49, 11,
   1004             48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 84, 101,
   1005             115, 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 130, 3, 66, 48,
   1006             130, 2, 53, 6, 7, 42, 134, 72, 206, 56, 4, 1, 48, 130, 2, 40, 2, 130, 1, 1, 0, 172, 11,
   1007             194, 123, 239, 38, 183, 160, 91, 74, 179, 251, 72, 80, 38, 223, 195, 46, 238, 2, 67,
   1008             45, 138, 58, 62, 57, 85, 203, 148, 194, 164, 178, 195, 150, 29, 93, 245, 157, 225, 189,
   1009             125, 209, 186, 83, 234, 14, 179, 116, 156, 216, 112, 205, 152, 26, 168, 175, 111, 106,
   1010             249, 235, 49, 40, 246, 31, 152, 214, 59, 117, 64, 109, 28, 167, 222, 155, 132, 192,
   1011             180, 240, 8, 80, 209, 209, 119, 53, 165, 51, 189, 18, 158, 176, 171, 45, 160, 54, 8,
   1012             75, 146, 92, 245, 202, 188, 144, 36, 156, 127, 140, 220, 144, 56, 95, 38, 112, 44, 221,
   1013             159, 9, 159, 189, 153, 150, 88, 84, 73, 138, 6, 73, 141, 17, 28, 110, 159, 141, 21,
   1014             232, 13, 90, 130, 251, 177, 168, 242, 201, 222, 138, 182, 233, 142, 229, 24, 47, 186,
   1015             56, 245, 177, 250, 253, 2, 11, 115, 29, 6, 156, 168, 117, 22, 15, 152, 183, 137, 25,
   1016             188, 24, 22, 120, 195, 17, 97, 16, 85, 234, 95, 53, 156, 244, 146, 53, 183, 235, 71,
   1017             24, 163, 139, 70, 227, 235, 154, 229, 210, 144, 81, 231, 161, 120, 117, 182, 245, 175,
   1018             25, 252, 21, 153, 130, 211, 180, 209, 164, 34, 248, 167, 8, 98, 181, 69, 52, 74, 120,
   1019             227, 165, 16, 172, 42, 107, 248, 42, 225, 46, 80, 11, 117, 92, 225, 27, 86, 4, 226, 29,
   1020             85, 105, 208, 193, 120, 112, 39, 226, 20, 141, 2, 29, 0, 186, 229, 13, 141, 5, 89, 173,
   1021             164, 148, 130, 205, 229, 23, 44, 125, 234, 49, 240, 196, 213, 6, 31, 233, 8, 99, 80,
   1022             166, 239, 2, 130, 1, 0, 106, 152, 3, 177, 77, 235, 201, 25, 36, 150, 146, 246, 50, 67,
   1023             97, 96, 245, 207, 14, 200, 60, 16, 229, 114, 211, 111, 193, 226, 252, 153, 176, 159,
   1024             198, 41, 133, 157, 197, 38, 112, 217, 9, 205, 13, 85, 170, 94, 89, 60, 214, 117, 182,
   1025             163, 81, 138, 122, 250, 48, 98, 43, 60, 186, 203, 147, 60, 74, 110, 89, 216, 73, 4,
   1026             191, 1, 158, 174, 98, 201, 184, 25, 162, 239, 244, 139, 154, 173, 108, 135, 124, 166,
   1027             152, 88, 237, 68, 145, 252, 33, 40, 237, 57, 53, 155, 215, 56, 12, 202, 22, 225, 7, 89,
   1028             24, 245, 195, 164, 36, 172, 98, 26, 115, 10, 71, 27, 21, 255, 62, 212, 202, 71, 147,
   1029             229, 6, 181, 19, 107, 136, 223, 239, 164, 243, 254, 101, 208, 122, 226, 150, 17, 251,
   1030             218, 85, 169, 81, 177, 7, 190, 171, 230, 26, 149, 183, 181, 113, 140, 252, 212, 172,
   1031             154, 200, 118, 69, 156, 108, 144, 11, 201, 135, 175, 19, 201, 116, 9, 80, 20, 19, 89,
   1032             151, 198, 204, 253, 10, 155, 101, 159, 81, 190, 174, 58, 220, 250, 220, 212, 42, 111,
   1033             33, 204, 114, 7, 30, 153, 73, 248, 209, 114, 36, 225, 6, 47, 106, 45, 226, 254, 175,
   1034             201, 138, 254, 121, 184, 19, 143, 48, 67, 179, 99, 250, 189, 237, 58, 249, 194, 167,
   1035             149, 162, 219, 27, 53, 67, 135, 193, 204, 253, 176, 245, 2, 211, 58, 176, 69, 14, 186,
   1036             3, 130, 1, 5, 0, 2, 130, 1, 0, 97, 40, 15, 97, 210, 23, 118, 85, 75, 191, 251, 126,
   1037             171, 47, 188, 57, 40, 41, 85, 48, 206, 169, 253, 233, 146, 161, 39, 232, 242, 19, 219,
   1038             191, 172, 82, 78, 132, 153, 238, 120, 228, 99, 199, 197, 181, 74, 191, 123, 189, 80,
   1039             203, 219, 50, 184, 193, 49, 160, 9, 41, 167, 133, 33, 151, 52, 196, 61, 29, 102, 233,
   1040             163, 249, 121, 248, 55, 144, 215, 55, 89, 142, 137, 249, 67, 112, 167, 42, 255, 67, 56,
   1041             179, 106, 187, 79, 87, 54, 118, 186, 154, 48, 150, 204, 222, 102, 135, 254, 202, 9,
   1042             166, 229, 176, 130, 37, 174, 139, 240, 43, 134, 75, 141, 35, 163, 203, 71, 153, 217,
   1043             71, 181, 79, 35, 114, 55, 124, 20, 55, 110, 112, 223, 109, 239, 183, 210, 141, 59, 88,
   1044             47, 40, 167, 154, 90, 99, 250, 146, 29, 226, 10, 70, 103, 246, 209, 36, 174, 177, 164,
   1045             244, 126, 153, 106, 156, 92, 143, 140, 46, 49, 184, 125, 160, 246, 145, 178, 94, 11,
   1046             153, 128, 59, 210, 11, 210, 42, 3, 138, 136, 147, 115, 96, 190, 68, 128, 25, 47, 26,
   1047             231, 183, 247, 89, 28, 67, 220, 235, 88, 4, 228, 140, 148, 10, 98, 104, 101, 60, 115,
   1048             39, 219, 183, 111, 62, 93, 133, 141, 219, 252, 51, 66, 224, 115, 158, 85, 46, 13, 171,
   1049             31, 5, 210, 83, 68, 61, 92, 87, 241, 1, 215, 144, 233, 243, 68, 238, 197, 62, 54, 68,
   1050             163, 117, 48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 153, 40, 244, 111, 22, 53,
   1051             83, 33, 46, 24, 242, 81, 89, 121, 91, 97, 190, 144, 138, 150, 48, 12, 6, 3, 85, 29, 19,
   1052             1, 1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85,
   1053             29, 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29,
   1054             35, 4, 24, 48, 22, 128, 20, 230, 93, 24, 66, 42, 224, 216, 63, 210, 30, 74, 173, 48,
   1055             16, 195, 8, 166, 231, 232, 253, 48, 11, 6, 9, 96, 134, 72, 1, 101, 3, 4, 3, 2, 3, 64,
   1056             0, 48, 61, 2, 28, 116, 130, 114, 201, 119, 192, 122, 114, 52, 255, 182, 233, 56, 153,
   1057             169, 135, 12, 49, 236, 107, 72, 244, 178, 174, 32, 27, 13, 226, 2, 29, 0, 170, 35, 77,
   1058             179, 10, 59, 85, 118, 124, 99, 48, 21, 125, 235, 57, 27, 60, 222, 102, 120, 20, 16,
   1059             148, 80, 118, 28, 75, 176,
   1060         ]
   1061         .as_slice();
   1062         assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash {
   1063             Hash::Sha256(ref hash) => *hash == Sha256::digest(CERT),
   1064             _ => false,
   1065         }),);
   1066     }
   1067     #[test]
   1068     fn test_parse_dsa_sha224() {
   1069         /// Certificate that uses DSA with SHA-224.
   1070         const CERT: &[u8] = [
   1071             48, 130, 4, 163, 48, 130, 4, 79, 160, 3, 2, 1, 2, 2, 1, 36, 48, 11, 6, 9, 96, 134, 72,
   1072             1, 101, 3, 4, 3, 1, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 16, 48,
   1073             14, 6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 3, 85, 4,
   1074             3, 12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 49, 50, 50,
   1075             50, 53, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 49, 50, 50, 50, 53, 90, 48, 43, 49, 11,
   1076             48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 84, 101,
   1077             115, 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 130, 3, 66, 48,
   1078             130, 2, 53, 6, 7, 42, 134, 72, 206, 56, 4, 1, 48, 130, 2, 40, 2, 130, 1, 1, 0, 172, 11,
   1079             194, 123, 239, 38, 183, 160, 91, 74, 179, 251, 72, 80, 38, 223, 195, 46, 238, 2, 67,
   1080             45, 138, 58, 62, 57, 85, 203, 148, 194, 164, 178, 195, 150, 29, 93, 245, 157, 225, 189,
   1081             125, 209, 186, 83, 234, 14, 179, 116, 156, 216, 112, 205, 152, 26, 168, 175, 111, 106,
   1082             249, 235, 49, 40, 246, 31, 152, 214, 59, 117, 64, 109, 28, 167, 222, 155, 132, 192,
   1083             180, 240, 8, 80, 209, 209, 119, 53, 165, 51, 189, 18, 158, 176, 171, 45, 160, 54, 8,
   1084             75, 146, 92, 245, 202, 188, 144, 36, 156, 127, 140, 220, 144, 56, 95, 38, 112, 44, 221,
   1085             159, 9, 159, 189, 153, 150, 88, 84, 73, 138, 6, 73, 141, 17, 28, 110, 159, 141, 21,
   1086             232, 13, 90, 130, 251, 177, 168, 242, 201, 222, 138, 182, 233, 142, 229, 24, 47, 186,
   1087             56, 245, 177, 250, 253, 2, 11, 115, 29, 6, 156, 168, 117, 22, 15, 152, 183, 137, 25,
   1088             188, 24, 22, 120, 195, 17, 97, 16, 85, 234, 95, 53, 156, 244, 146, 53, 183, 235, 71,
   1089             24, 163, 139, 70, 227, 235, 154, 229, 210, 144, 81, 231, 161, 120, 117, 182, 245, 175,
   1090             25, 252, 21, 153, 130, 211, 180, 209, 164, 34, 248, 167, 8, 98, 181, 69, 52, 74, 120,
   1091             227, 165, 16, 172, 42, 107, 248, 42, 225, 46, 80, 11, 117, 92, 225, 27, 86, 4, 226, 29,
   1092             85, 105, 208, 193, 120, 112, 39, 226, 20, 141, 2, 29, 0, 186, 229, 13, 141, 5, 89, 173,
   1093             164, 148, 130, 205, 229, 23, 44, 125, 234, 49, 240, 196, 213, 6, 31, 233, 8, 99, 80,
   1094             166, 239, 2, 130, 1, 0, 106, 152, 3, 177, 77, 235, 201, 25, 36, 150, 146, 246, 50, 67,
   1095             97, 96, 245, 207, 14, 200, 60, 16, 229, 114, 211, 111, 193, 226, 252, 153, 176, 159,
   1096             198, 41, 133, 157, 197, 38, 112, 217, 9, 205, 13, 85, 170, 94, 89, 60, 214, 117, 182,
   1097             163, 81, 138, 122, 250, 48, 98, 43, 60, 186, 203, 147, 60, 74, 110, 89, 216, 73, 4,
   1098             191, 1, 158, 174, 98, 201, 184, 25, 162, 239, 244, 139, 154, 173, 108, 135, 124, 166,
   1099             152, 88, 237, 68, 145, 252, 33, 40, 237, 57, 53, 155, 215, 56, 12, 202, 22, 225, 7, 89,
   1100             24, 245, 195, 164, 36, 172, 98, 26, 115, 10, 71, 27, 21, 255, 62, 212, 202, 71, 147,
   1101             229, 6, 181, 19, 107, 136, 223, 239, 164, 243, 254, 101, 208, 122, 226, 150, 17, 251,
   1102             218, 85, 169, 81, 177, 7, 190, 171, 230, 26, 149, 183, 181, 113, 140, 252, 212, 172,
   1103             154, 200, 118, 69, 156, 108, 144, 11, 201, 135, 175, 19, 201, 116, 9, 80, 20, 19, 89,
   1104             151, 198, 204, 253, 10, 155, 101, 159, 81, 190, 174, 58, 220, 250, 220, 212, 42, 111,
   1105             33, 204, 114, 7, 30, 153, 73, 248, 209, 114, 36, 225, 6, 47, 106, 45, 226, 254, 175,
   1106             201, 138, 254, 121, 184, 19, 143, 48, 67, 179, 99, 250, 189, 237, 58, 249, 194, 167,
   1107             149, 162, 219, 27, 53, 67, 135, 193, 204, 253, 176, 245, 2, 211, 58, 176, 69, 14, 186,
   1108             3, 130, 1, 5, 0, 2, 130, 1, 0, 97, 40, 15, 97, 210, 23, 118, 85, 75, 191, 251, 126,
   1109             171, 47, 188, 57, 40, 41, 85, 48, 206, 169, 253, 233, 146, 161, 39, 232, 242, 19, 219,
   1110             191, 172, 82, 78, 132, 153, 238, 120, 228, 99, 199, 197, 181, 74, 191, 123, 189, 80,
   1111             203, 219, 50, 184, 193, 49, 160, 9, 41, 167, 133, 33, 151, 52, 196, 61, 29, 102, 233,
   1112             163, 249, 121, 248, 55, 144, 215, 55, 89, 142, 137, 249, 67, 112, 167, 42, 255, 67, 56,
   1113             179, 106, 187, 79, 87, 54, 118, 186, 154, 48, 150, 204, 222, 102, 135, 254, 202, 9,
   1114             166, 229, 176, 130, 37, 174, 139, 240, 43, 134, 75, 141, 35, 163, 203, 71, 153, 217,
   1115             71, 181, 79, 35, 114, 55, 124, 20, 55, 110, 112, 223, 109, 239, 183, 210, 141, 59, 88,
   1116             47, 40, 167, 154, 90, 99, 250, 146, 29, 226, 10, 70, 103, 246, 209, 36, 174, 177, 164,
   1117             244, 126, 153, 106, 156, 92, 143, 140, 46, 49, 184, 125, 160, 246, 145, 178, 94, 11,
   1118             153, 128, 59, 210, 11, 210, 42, 3, 138, 136, 147, 115, 96, 190, 68, 128, 25, 47, 26,
   1119             231, 183, 247, 89, 28, 67, 220, 235, 88, 4, 228, 140, 148, 10, 98, 104, 101, 60, 115,
   1120             39, 219, 183, 111, 62, 93, 133, 141, 219, 252, 51, 66, 224, 115, 158, 85, 46, 13, 171,
   1121             31, 5, 210, 83, 68, 61, 92, 87, 241, 1, 215, 144, 233, 243, 68, 238, 197, 62, 54, 68,
   1122             163, 117, 48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 153, 40, 244, 111, 22, 53,
   1123             83, 33, 46, 24, 242, 81, 89, 121, 91, 97, 190, 144, 138, 150, 48, 12, 6, 3, 85, 29, 19,
   1124             1, 1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85,
   1125             29, 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29,
   1126             35, 4, 24, 48, 22, 128, 20, 230, 93, 24, 66, 42, 224, 216, 63, 210, 30, 74, 173, 48,
   1127             16, 195, 8, 166, 231, 232, 253, 48, 11, 6, 9, 96, 134, 72, 1, 101, 3, 4, 3, 1, 3, 65,
   1128             0, 48, 62, 2, 29, 0, 178, 65, 35, 200, 113, 88, 88, 146, 71, 230, 14, 148, 101, 161,
   1129             118, 55, 125, 175, 226, 137, 63, 147, 215, 75, 207, 115, 150, 22, 2, 29, 0, 233, 44,
   1130             225, 196, 27, 225, 84, 166, 253, 231, 247, 162, 41, 134, 178, 45, 218, 17, 24, 35, 120,
   1131             100, 231, 84, 218, 88, 80, 255,
   1132         ]
   1133         .as_slice();
   1134         assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash {
   1135             Hash::Sha224(ref hash) => *hash == Sha224::digest(CERT),
   1136             _ => false,
   1137         }),);
   1138     }
   1139     #[test]
   1140     fn test_parse_dsa_sha1() {
   1141         /// Certificate that uses DSA with SHA-1.
   1142         const CERT: &[u8] = [
   1143             48, 130, 4, 157, 48, 130, 4, 77, 160, 3, 2, 1, 2, 2, 1, 35, 48, 9, 6, 7, 42, 134, 72,
   1144             206, 56, 4, 3, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 16, 48, 14, 6,
   1145             3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12,
   1146             4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 49, 49, 57, 48, 55,
   1147             90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 49, 49, 57, 48, 55, 90, 48, 43, 49, 11, 48, 9,
   1148             6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 84, 101, 115,
   1149             116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 130, 3, 66, 48, 130,
   1150             2, 53, 6, 7, 42, 134, 72, 206, 56, 4, 1, 48, 130, 2, 40, 2, 130, 1, 1, 0, 172, 11, 194,
   1151             123, 239, 38, 183, 160, 91, 74, 179, 251, 72, 80, 38, 223, 195, 46, 238, 2, 67, 45,
   1152             138, 58, 62, 57, 85, 203, 148, 194, 164, 178, 195, 150, 29, 93, 245, 157, 225, 189,
   1153             125, 209, 186, 83, 234, 14, 179, 116, 156, 216, 112, 205, 152, 26, 168, 175, 111, 106,
   1154             249, 235, 49, 40, 246, 31, 152, 214, 59, 117, 64, 109, 28, 167, 222, 155, 132, 192,
   1155             180, 240, 8, 80, 209, 209, 119, 53, 165, 51, 189, 18, 158, 176, 171, 45, 160, 54, 8,
   1156             75, 146, 92, 245, 202, 188, 144, 36, 156, 127, 140, 220, 144, 56, 95, 38, 112, 44, 221,
   1157             159, 9, 159, 189, 153, 150, 88, 84, 73, 138, 6, 73, 141, 17, 28, 110, 159, 141, 21,
   1158             232, 13, 90, 130, 251, 177, 168, 242, 201, 222, 138, 182, 233, 142, 229, 24, 47, 186,
   1159             56, 245, 177, 250, 253, 2, 11, 115, 29, 6, 156, 168, 117, 22, 15, 152, 183, 137, 25,
   1160             188, 24, 22, 120, 195, 17, 97, 16, 85, 234, 95, 53, 156, 244, 146, 53, 183, 235, 71,
   1161             24, 163, 139, 70, 227, 235, 154, 229, 210, 144, 81, 231, 161, 120, 117, 182, 245, 175,
   1162             25, 252, 21, 153, 130, 211, 180, 209, 164, 34, 248, 167, 8, 98, 181, 69, 52, 74, 120,
   1163             227, 165, 16, 172, 42, 107, 248, 42, 225, 46, 80, 11, 117, 92, 225, 27, 86, 4, 226, 29,
   1164             85, 105, 208, 193, 120, 112, 39, 226, 20, 141, 2, 29, 0, 186, 229, 13, 141, 5, 89, 173,
   1165             164, 148, 130, 205, 229, 23, 44, 125, 234, 49, 240, 196, 213, 6, 31, 233, 8, 99, 80,
   1166             166, 239, 2, 130, 1, 0, 106, 152, 3, 177, 77, 235, 201, 25, 36, 150, 146, 246, 50, 67,
   1167             97, 96, 245, 207, 14, 200, 60, 16, 229, 114, 211, 111, 193, 226, 252, 153, 176, 159,
   1168             198, 41, 133, 157, 197, 38, 112, 217, 9, 205, 13, 85, 170, 94, 89, 60, 214, 117, 182,
   1169             163, 81, 138, 122, 250, 48, 98, 43, 60, 186, 203, 147, 60, 74, 110, 89, 216, 73, 4,
   1170             191, 1, 158, 174, 98, 201, 184, 25, 162, 239, 244, 139, 154, 173, 108, 135, 124, 166,
   1171             152, 88, 237, 68, 145, 252, 33, 40, 237, 57, 53, 155, 215, 56, 12, 202, 22, 225, 7, 89,
   1172             24, 245, 195, 164, 36, 172, 98, 26, 115, 10, 71, 27, 21, 255, 62, 212, 202, 71, 147,
   1173             229, 6, 181, 19, 107, 136, 223, 239, 164, 243, 254, 101, 208, 122, 226, 150, 17, 251,
   1174             218, 85, 169, 81, 177, 7, 190, 171, 230, 26, 149, 183, 181, 113, 140, 252, 212, 172,
   1175             154, 200, 118, 69, 156, 108, 144, 11, 201, 135, 175, 19, 201, 116, 9, 80, 20, 19, 89,
   1176             151, 198, 204, 253, 10, 155, 101, 159, 81, 190, 174, 58, 220, 250, 220, 212, 42, 111,
   1177             33, 204, 114, 7, 30, 153, 73, 248, 209, 114, 36, 225, 6, 47, 106, 45, 226, 254, 175,
   1178             201, 138, 254, 121, 184, 19, 143, 48, 67, 179, 99, 250, 189, 237, 58, 249, 194, 167,
   1179             149, 162, 219, 27, 53, 67, 135, 193, 204, 253, 176, 245, 2, 211, 58, 176, 69, 14, 186,
   1180             3, 130, 1, 5, 0, 2, 130, 1, 0, 97, 40, 15, 97, 210, 23, 118, 85, 75, 191, 251, 126,
   1181             171, 47, 188, 57, 40, 41, 85, 48, 206, 169, 253, 233, 146, 161, 39, 232, 242, 19, 219,
   1182             191, 172, 82, 78, 132, 153, 238, 120, 228, 99, 199, 197, 181, 74, 191, 123, 189, 80,
   1183             203, 219, 50, 184, 193, 49, 160, 9, 41, 167, 133, 33, 151, 52, 196, 61, 29, 102, 233,
   1184             163, 249, 121, 248, 55, 144, 215, 55, 89, 142, 137, 249, 67, 112, 167, 42, 255, 67, 56,
   1185             179, 106, 187, 79, 87, 54, 118, 186, 154, 48, 150, 204, 222, 102, 135, 254, 202, 9,
   1186             166, 229, 176, 130, 37, 174, 139, 240, 43, 134, 75, 141, 35, 163, 203, 71, 153, 217,
   1187             71, 181, 79, 35, 114, 55, 124, 20, 55, 110, 112, 223, 109, 239, 183, 210, 141, 59, 88,
   1188             47, 40, 167, 154, 90, 99, 250, 146, 29, 226, 10, 70, 103, 246, 209, 36, 174, 177, 164,
   1189             244, 126, 153, 106, 156, 92, 143, 140, 46, 49, 184, 125, 160, 246, 145, 178, 94, 11,
   1190             153, 128, 59, 210, 11, 210, 42, 3, 138, 136, 147, 115, 96, 190, 68, 128, 25, 47, 26,
   1191             231, 183, 247, 89, 28, 67, 220, 235, 88, 4, 228, 140, 148, 10, 98, 104, 101, 60, 115,
   1192             39, 219, 183, 111, 62, 93, 133, 141, 219, 252, 51, 66, 224, 115, 158, 85, 46, 13, 171,
   1193             31, 5, 210, 83, 68, 61, 92, 87, 241, 1, 215, 144, 233, 243, 68, 238, 197, 62, 54, 68,
   1194             163, 117, 48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 153, 40, 244, 111, 22, 53,
   1195             83, 33, 46, 24, 242, 81, 89, 121, 91, 97, 190, 144, 138, 150, 48, 12, 6, 3, 85, 29, 19,
   1196             1, 1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85,
   1197             29, 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29,
   1198             35, 4, 24, 48, 22, 128, 20, 230, 93, 24, 66, 42, 224, 216, 63, 210, 30, 74, 173, 48,
   1199             16, 195, 8, 166, 231, 232, 253, 48, 9, 6, 7, 42, 134, 72, 206, 56, 4, 3, 3, 63, 0, 48,
   1200             60, 2, 28, 50, 39, 36, 45, 25, 91, 93, 174, 107, 192, 215, 113, 214, 88, 122, 108, 97,
   1201             82, 121, 182, 191, 182, 66, 173, 207, 255, 17, 86, 2, 28, 28, 133, 69, 48, 198, 204,
   1202             39, 177, 136, 73, 222, 95, 114, 218, 219, 54, 88, 17, 114, 204, 214, 83, 20, 137, 75,
   1203             203, 163, 99,
   1204         ]
   1205         .as_slice();
   1206         assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash {
   1207             Hash::Sha256(ref hash) => *hash == Sha256::digest(CERT),
   1208             _ => false,
   1209         }),);
   1210     }
   1211     #[cfg(feature = "runtime")]
   1212     #[derive(Debug)]
   1213     enum E {
   1214         #[expect(dead_code, reason = "does not matter for tests")]
   1215         Io(Error),
   1216         #[expect(dead_code, reason = "does not matter for tests")]
   1217         Rustls(rustls::Error),
   1218         #[expect(dead_code, reason = "does not matter for tests")]
   1219         Postgres(tokio_postgres::Error),
   1220         NoRootCert,
   1221         MultipleRootCerts,
   1222         NoClientKey,
   1223         MultipleClientKeys,
   1224         #[expect(dead_code, reason = "does not matter for tests")]
   1225         RustlsPem(PemErr),
   1226     }
   1227     #[cfg(feature = "runtime")]
   1228     impl From<Error> for E {
   1229         fn from(value: Error) -> Self {
   1230             Self::Io(value)
   1231         }
   1232     }
   1233     #[cfg(feature = "runtime")]
   1234     impl From<rustls::Error> for E {
   1235         fn from(value: rustls::Error) -> Self {
   1236             Self::Rustls(value)
   1237         }
   1238     }
   1239     #[cfg(feature = "runtime")]
   1240     impl From<tokio_postgres::Error> for E {
   1241         fn from(value: tokio_postgres::Error) -> Self {
   1242             Self::Postgres(value)
   1243         }
   1244     }
   1245     #[cfg(feature = "runtime")]
   1246     impl From<PemErr> for E {
   1247         fn from(value: PemErr) -> Self {
   1248             Self::RustlsPem(value)
   1249         }
   1250     }
   1251     #[cfg(feature = "runtime")]
   1252     #[ignore]
   1253     #[test]
   1254     fn test_mutual_tls() -> Result<(), E> {
   1255         let root_cert_file = fs::read("test_data/ca.crt.pem")?;
   1256         let mut cert_iter = CertificateDer::pem_slice_iter(root_cert_file.as_slice());
   1257         let key_file = fs::read("test_data/client.key.pem")?;
   1258         let mut key_iter = PrivateKeyDer::pem_slice_iter(key_file.as_slice());
   1259         let mut conf = ClientConfig::builder_with_protocol_versions([&TLS13].as_slice())
   1260             .with_root_certificates(cert_iter.next().ok_or_else(|| E::NoRootCert).and_then(
   1261                 |cert_res| {
   1262                     cert_res.map_err(E::RustlsPem).and_then(|cert| {
   1263                         cert_iter.next().map_or_else(
   1264                             || {
   1265                                 let mut root_store = RootCertStore::empty();
   1266                                 root_store.add(cert).map_err(E::Rustls).map(|()| root_store)
   1267                             },
   1268                             |_| Err(E::MultipleRootCerts),
   1269                         )
   1270                     })
   1271                 },
   1272             )?)
   1273             .with_client_auth_cert(
   1274                 CertificateDer::pem_slice_iter(fs::read("test_data/client.crt.pem")?.as_slice())
   1275                     .try_fold(Vec::with_capacity(1), |mut certs, res| {
   1276                         res.map(|cert| {
   1277                             certs.push(cert);
   1278                             certs
   1279                         })
   1280                     })?,
   1281                 key_iter
   1282                     .next()
   1283                     .ok_or_else(|| E::NoClientKey)
   1284                     .and_then(|key_res| {
   1285                         key_res.map_err(E::RustlsPem).and_then(|key| {
   1286                             key_iter
   1287                                 .next()
   1288                                 .map_or_else(|| Ok(key), |_| Err(E::MultipleClientKeys))
   1289                         })
   1290                     })?,
   1291             )?;
   1292         super::set_postgresql_alpn(&mut conf);
   1293         let mut config = Config::new();
   1294         let connection = config
   1295             .application_name("test")
   1296             .channel_binding(ChannelBinding::Disable)
   1297             .connect_timeout(Duration::from_secs(4))
   1298             .dbname(fs::read_to_string("test_data/dbname")?.trim_ascii_end())
   1299             .host(fs::read_to_string("test_data/host")?.trim_ascii_end())
   1300             .hostaddr(IpAddr::V6(Ipv6Addr::LOCALHOST))
   1301             .keepalives(false)
   1302             .load_balance_hosts(LoadBalanceHosts::Disable)
   1303             .port(5432)
   1304             .ssl_mode(SslMode::Require)
   1305             .target_session_attrs(TargetSessionAttrs::Any)
   1306             .user(fs::read_to_string("test_data/user")?.trim_ascii_end())
   1307             .connect(MakeTlsConnector::new(Arc::new(conf).into()));
   1308         Builder::new_current_thread()
   1309             .enable_all()
   1310             .build()?
   1311             .block_on(async move { connection.await.map_err(E::Postgres).map(|_| ()) })
   1312     }
   1313     #[cfg(feature = "runtime")]
   1314     #[ignore]
   1315     #[test]
   1316     fn test_password_and_channel_binding() -> Result<(), E> {
   1317         let root_cert_file = fs::read("test_data/ca.crt.pem")?;
   1318         let mut cert_iter = CertificateDer::pem_slice_iter(root_cert_file.as_slice());
   1319         let mut conf = ClientConfig::builder_with_protocol_versions([&TLS13].as_slice())
   1320             .with_root_certificates(cert_iter.next().ok_or_else(|| E::NoRootCert).and_then(
   1321                 |cert_res| {
   1322                     cert_res.map_err(E::RustlsPem).and_then(|cert| {
   1323                         cert_iter.next().map_or_else(
   1324                             || {
   1325                                 let mut root_store = RootCertStore::empty();
   1326                                 root_store.add(cert).map_err(E::Rustls).map(|()| root_store)
   1327                             },
   1328                             |_| Err(E::MultipleRootCerts),
   1329                         )
   1330                     })
   1331                 },
   1332             )?)
   1333             .with_no_client_auth();
   1334         super::set_postgresql_alpn(&mut conf);
   1335         let mut config = Config::new();
   1336         let connection = config
   1337             .application_name("test")
   1338             .channel_binding(ChannelBinding::Require)
   1339             .connect_timeout(Duration::from_secs(4))
   1340             .dbname(fs::read_to_string("test_data/dbname")?.trim_ascii_end())
   1341             .host(fs::read_to_string("test_data/host")?.trim_ascii_end())
   1342             .hostaddr(IpAddr::V6(Ipv6Addr::LOCALHOST))
   1343             .keepalives(false)
   1344             .load_balance_hosts(LoadBalanceHosts::Disable)
   1345             .password(fs::read("test_data/password")?.trim_ascii_end())
   1346             .port(5432)
   1347             .ssl_mode(SslMode::Require)
   1348             .target_session_attrs(TargetSessionAttrs::Any)
   1349             .user(fs::read_to_string("test_data/user")?.trim_ascii_end())
   1350             .connect(MakeTlsConnector::new(Arc::new(conf).into()));
   1351         Builder::new_current_thread()
   1352             .enable_all()
   1353             .build()?
   1354             .block_on(async move { connection.await.map_err(E::Postgres).map(|_| ()) })
   1355     }
   1356 }