postgres_rustls

Rustls-based library for postgres.
git clone https://git.philomathiclife.com/repos/postgres_rustls
Log | Files | Refs | README

lib.rs (88440B)


      1 //! [![git]](https://git.philomathiclife.com/postgres_rustls/log.html) [![crates-io]](https://crates.io/crates/postgres_rustls) [![docs-rs]](crate)
      2 //!
      3 //! [git]: https://git.philomathiclife.com/git_badge.svg
      4 //! [crates-io]: https://img.shields.io/badge/crates.io-fc8d62?style=for-the-badge&labelColor=555555&logo=rust
      5 //! [docs-rs]: https://img.shields.io/badge/docs.rs-66c2a5?style=for-the-badge&labelColor=555555&logo=docs.rs
      6 //!
      7 //! `postgres_rustls` is a library that adds TLS support to [`tokio_postgres`] using [`tokio_rustls`].
      8 #![cfg_attr(docsrs, feature(doc_cfg))]
      9 #![expect(
     10     clippy::multiple_crate_versions,
     11     reason = "dependencies haven't updated to newest crates"
     12 )]
     13 use core::{
     14     pin::Pin,
     15     task::{Context, Poll},
     16 };
     17 use sha2::{
     18     Sha224, Sha256, Sha384, Sha512,
     19     digest::{Digest as _, OutputSizeUser, generic_array::GenericArray},
     20 };
     21 use std::io::{self, IoSlice};
     22 use tokio::io::{AsyncRead, AsyncWrite, ReadBuf};
     23 #[cfg(feature = "runtime")]
     24 use tokio_postgres::tls::MakeTlsConnect;
     25 use tokio_postgres::tls::{ChannelBinding, TlsConnect as PgTlsConnect, TlsStream as PgTlsStream};
     26 use tokio_rustls::{
     27     Connect,
     28     client::TlsStream as RustlsStream,
     29     rustls::{
     30         ClientConfig,
     31         pki_types::{InvalidDnsNameError, ServerName},
     32     },
     33 };
     34 /// Hash for the leaf certificate provided by the PostgreSQL server.
     35 #[expect(clippy::doc_markdown, reason = "PostgreSQL is correct")]
     36 enum Hash {
     37     /// SHA-256 hash.
     38     Sha256(GenericArray<u8, <Sha256 as OutputSizeUser>::OutputSize>),
     39     /// SHA-384 hash.
     40     Sha384(GenericArray<u8, <Sha384 as OutputSizeUser>::OutputSize>),
     41     /// SHA-512 hash.
     42     Sha512(GenericArray<u8, <Sha512 as OutputSizeUser>::OutputSize>),
     43     /// SHA-224 hash.
     44     Sha224(GenericArray<u8, <Sha224 as OutputSizeUser>::OutputSize>),
     45 }
     46 impl From<Hash> for Vec<u8> {
     47     #[inline]
     48     fn from(value: Hash) -> Self {
     49         match value {
     50             Hash::Sha256(hash) => hash.to_vec(),
     51             Hash::Sha384(hash) => hash.to_vec(),
     52             Hash::Sha512(hash) => hash.to_vec(),
     53             Hash::Sha224(hash) => hash.to_vec(),
     54         }
     55     }
     56 }
     57 impl Hash {
     58     /// Parses `cert` as a DER-encoded X.509 v3 certifcate extracting the signature algorithm and using it to hash
     59     /// `cert` (based on the underlying hash algorithm of the signature algorithm).
     60     ///
     61     /// Note this will return `Some` for certain invalid payloads; however when the payload is a valid
     62     /// DER-encoded X.509 v3 certificate, then it is guaranteed to produce the correct hash. The idea is that
     63     /// in the event the leaf certificate is invalid, then it will be rejected by `rustls` anyway thus what
     64     /// this returns won't matter. We do this for simplicity and performance reasons since it allows us to
     65     /// avoid parsing the entire certificate and instead _only_ care about the signature algorithm.
     66     ///
     67     /// The only signature algorithms supported are the following:
     68     ///
     69     /// * id-Ed25519
     70     /// * ecdsa-with-SHA256
     71     /// * sha256WithRSAEncryption
     72     /// * ecdsa-with-SHA384
     73     /// * sha384WithRSAEncryption
     74     /// * ecdsa-with-SHA512
     75     /// * sha512WithRSAEncryption
     76     /// * ecdsa-with-SHA224
     77     /// * sha224WithRSAEncryption
     78     /// * dsa-with-SHA256
     79     /// * dsa-with-SHA224
     80     /// * dsa-with-SHA1
     81     /// * sha1WithRSAEncryption
     82     ///
     83     /// More may be added; but for ones that require additional dependencies, they will be hidden behind a feature.
     84     /// Additionally new ones must be supported by PostgreSQL, `tokio-postgres`, and `rustls`.
     85     //
     86     // [RFC 5280 § 4.1](https://www.rfc-editor.org/rfc/rfc5280#section-4.1) describes the ASN.1 format
     87     // of an X.509 v3 Certificate:
     88     //
     89     // ```asn
     90     // Certificate  ::=  SEQUENCE  {
     91     //   tbsCertificate       TBSCertificate,
     92     //   signatureAlgorithm   AlgorithmIdentifier,
     93     //   signatureValue       BIT STRING  }
     94     //
     95     // TBSCertificate  ::=  SEQUENCE  { … }
     96     //
     97     // AlgorithmIdentifier  ::=  SEQUENCE  {
     98     //   algorithm               OBJECT IDENTIFIER,
     99     //   parameters              ANY DEFINED BY algorithm OPTIONAL  }
    100     // ```
    101     //
    102     // [ITU-T X.690](https://www.itu.int/rec/T-REC-X.690-202102-I/en)
    103     // describes how DER-encoding works.
    104     #[expect(
    105         clippy::arithmetic_side_effects,
    106         clippy::big_endian_bytes,
    107         clippy::indexing_slicing,
    108         reason = "comments justify their correctness"
    109     )]
    110     #[expect(clippy::too_many_lines, reason = "inflated by the const slices")]
    111     #[expect(clippy::doc_markdown, reason = "PostgreSQL is correct")]
    112     fn from_der_cert(cert: &[u8]) -> Option<Self> {
    113         /// [RFC 8410 § 9](https://www.rfc-editor.org/rfc/rfc8410#section-9)
    114         /// defines id-Ed25519 as 1.3.101.112. This is encoded as below per X.690 § 8.19.
    115         const ED25519: &[u8] = [43, 101, 112].as_slice();
    116         /// [RFC 5912 § 6](https://www.rfc-editor.org/rfc/rfc5912.html#section-6)
    117         /// defines ecdsa-with-SHA256 as 1.2.840.10045.4.3.2. This is encoded as
    118         /// below per X.690 § 8.19.
    119         const ECDSA_SHA256: &[u8] = [42, 134, 72, 206, 61, 4, 3, 2].as_slice();
    120         /// [RFC 8017 § Appendix C](https://www.rfc-editor.org/rfc/rfc8017#appendix-C)
    121         /// defines sha256WithRSAEncryption as 1.2.840.113549.1.1.11. This is encoded as
    122         /// below per X.690 § 8.19.
    123         const RSA_SHA256: &[u8] = [42, 134, 72, 134, 247, 13, 1, 1, 11].as_slice();
    124         /// [RFC 5912 § 6](https://www.rfc-editor.org/rfc/rfc5912.html#section-6)
    125         /// defines dsa-with-SHA256 as 2.16.840.1.101.3.4.3.2. This is encoded as
    126         /// below per X.690 § 8.19.
    127         const DSA_SHA256: &[u8] = [96, 134, 72, 1, 101, 3, 4, 3, 2].as_slice();
    128         /// [RFC 5912 § 6](https://www.rfc-editor.org/rfc/rfc5912.html#section-6)
    129         /// defines dsa-with-SHA1 as 1.2.840.10040.4.3. This is encoded as
    130         /// below per X.690 § 8.19.
    131         const DSA_SHA1: &[u8] = [42, 134, 72, 206, 56, 4, 3].as_slice();
    132         /// [RFC 8017 § Appendix C](https://www.rfc-editor.org/rfc/rfc8017#appendix-C)
    133         /// defines sha1WithRSAEncryption as 1.2.840.113549.1.1.5. This is encoded as
    134         /// below per X.690 § 8.19.
    135         const RSA_SHA1: &[u8] = [42, 134, 72, 134, 247, 13, 1, 1, 5].as_slice();
    136         /// [RFC 5912 § 6](https://www.rfc-editor.org/rfc/rfc5912.html#section-6)
    137         /// defines ecdsa-with-SHA384 as 1.2.840.10045.4.3.3. This is encoded as
    138         /// below per X.690 § 8.19.
    139         const ECDSA_SHA384: &[u8] = [42, 134, 72, 206, 61, 4, 3, 3].as_slice();
    140         /// [RFC 8017 § Appendix C](https://www.rfc-editor.org/rfc/rfc8017#appendix-C)
    141         /// defines sha384WithRSAEncryption as 1.2.840.113549.1.1.12. This is encoded as
    142         /// below per X.690 § 8.19.
    143         const RSA_SHA384: &[u8] = [42, 134, 72, 134, 247, 13, 1, 1, 12].as_slice();
    144         /// [RFC 5912 § 6](https://www.rfc-editor.org/rfc/rfc5912.html#section-6)
    145         /// defines ecdsa-with-SHA512 as 1.2.840.10045.4.3.4. This is encoded as
    146         /// below per X.690 § 8.19.
    147         const ECDSA_SHA512: &[u8] = [42, 134, 72, 206, 61, 4, 3, 4].as_slice();
    148         /// [RFC 8017 § Appendix C](https://www.rfc-editor.org/rfc/rfc8017#appendix-C)
    149         /// defines sha512WithRSAEncryption as 1.2.840.113549.1.1.13. This is encoded as
    150         /// below per X.690 § 8.19.
    151         const RSA_SHA512: &[u8] = [42, 134, 72, 134, 247, 13, 1, 1, 13].as_slice();
    152         /// [RFC 5912 § 6](https://www.rfc-editor.org/rfc/rfc5912.html#section-6)
    153         /// defines ecdsa-with-SHA224 as 1.2.840.10045.4.3.1. This is encoded as
    154         /// below per X.690 § 8.19.
    155         const ECDSA_SHA224: &[u8] = [42, 134, 72, 206, 61, 4, 3, 1].as_slice();
    156         /// [RFC 8017 § Appendix C](https://www.rfc-editor.org/rfc/rfc8017#appendix-C)
    157         /// defines sha224WithRSAEncryption as 1.2.840.113549.1.1.14. This is encoded as
    158         /// below per X.690 § 8.19.
    159         const RSA_SHA224: &[u8] = [42, 134, 72, 134, 247, 13, 1, 1, 14].as_slice();
    160         /// [RFC 5912 § 6](https://www.rfc-editor.org/rfc/rfc5912.html#section-6)
    161         /// defines dsa-with-SHA224 as 2.16.840.1.101.3.4.3.1. This is encoded as
    162         /// below per X.690 § 8.19.
    163         const DSA_SHA224: &[u8] = [96, 134, 72, 1, 101, 3, 4, 3, 1].as_slice();
    164         // The first octet represents a constructed sequence (i.e., 0x30) and the second octet represents
    165         // the (possibly encoded) length of the remaining payload.
    166         cert.split_at_checked(2).and_then(|(cert_seq, cert_rem)| {
    167             // This won't `panic` since `cert_seq.len() == 2`.
    168             // This represents the (possibly encoded) length.
    169             //
    170             // We don't care about the actual length of the payload. We only care about the number of bytes
    171             // we need to skip until the (possibly encoded) length of the constructed sequence of
    172             // tbsCertificate.
    173             match cert_seq[1] {
    174                 // The length of the payload is represented with this byte; thus we only need to skip
    175                 // the constructed sequence byte (i.e., 0x30) of tbsCertificate.
    176                 ..=127 => Some(1),
    177                 // The length of the payload is invalid since DER-encoded lengths must use the minimum
    178                 // number of bytes possible. The high bit is set iff one or more octets are needed to encode
    179                 // the actual length. The number of octets is represented by the remaining bits; thus this
    180                 // means there are 0 bytes to encode the length, but then it should have been encoded as
    181                 // `0` and not `128`.
    182                 //
    183                 // 255 is not allowed to be used per § 8.1.3.5.
    184                 128 | 255 => None,
    185                 // The remaining bits represent the number of bytes that it takes to encode the length;
    186                 // thus we subtract 128 and add 1 to account for the constructed sequence byte (i.e., 0x30)
    187                 // of tbsCertificate. This is the same as just subtracting 127.
    188                 //
    189                 // Underflow clearly cannot occur since `len` is at least 129.
    190                 len @ 129.. => Some(usize::from(len) - 127),
    191             }
    192             .and_then(|skip| {
    193                 cert_rem.get(skip..).and_then(|tbs_rem_with_len| {
    194                     // Remaining payload starting from the (possibly encoded) length of tbsCertificate.
    195                     tbs_rem_with_len
    196                         // Extract the (possibly encoded) length of tbsCertificate.
    197                         .split_first()
    198                         .and_then(|(tbs_enc_len, tbs_rem)| {
    199                             // We need to extract how many bytes make up tbsCertificate that way
    200                             // we can skip it and get to the (possibly encoded) length of
    201                             // signatureAlgorithm.
    202                             match *tbs_enc_len {
    203                                 // tbsCertificate is encoded in `len` bytes. We need to skip that many
    204                                 // bytes taking into account the constructed sequence byte (i.e., 0x30)
    205                                 // of signatureAlgorithm.
    206                                 //
    207                                 // This won't overflow since `len` is at most 127; thus this maxes at 128
    208                                 // which is <= `usize::MAX`.
    209                                 len @ ..=127 => Some(usize::from(len) + 1),
    210                                 // The number of bytes tbsCertificate is encoded in takes 1 byte to encode
    211                                 // We get that one byte since that is how many bytes we need to skip taking
    212                                 // into account the byte and the constructed sequence byte (i.e., 0x30) of
    213                                 // signatureAlgorithm.
    214                                 //
    215                                 // This won't overflow since this maxes at 255 + 2 = 257 <= usize::MAX.
    216                                 129 => tbs_rem.first().map(|len| usize::from(*len) + 2),
    217                                 // The number of bytes tbsCertificate is encoded in takes 2 bytes to encode.
    218                                 // We get the two bytes since that is how many bytes we need to skip.
    219                                 130 => tbs_rem.get(..2).and_then(|enc_len| {
    220                                     let mut big_endian_len = [0; 2];
    221                                     // This won't `panic` since `enc_len.len() == 2`.
    222                                     big_endian_len.copy_from_slice(enc_len);
    223                                     // Multi-byte lengths are encoded in big-endian.
    224                                     u16::from_be_bytes(big_endian_len)
    225                                         // We need to account for the two bytes and the constructed sequence byte
    226                                         // (i.e., 0x30) of signatureAlgorithm.
    227                                         .checked_add(3)
    228                                         // We don't support payloads larger than 65,535 since that is more than
    229                                         // enough for a single certificate.
    230                                         .map(usize::from)
    231                                 }),
    232                                 // We arbitrarily cap the size of payloads we accept to simplify decoding.
    233                                 // If this is more than 130, then the payload is at least 16,777,216 bytes
    234                                 // which is obscenely large for a single certificate. 128 is invalid.
    235                                 _ => None,
    236                             }
    237                             .and_then(|tbs_len| {
    238                                 tbs_rem.get(tbs_len..).and_then(|alg_rem_with_len| {
    239                                     // Remaining payload starting from the (possibly encoded) length of
    240                                     // signatureAlgorithm.
    241                                     alg_rem_with_len
    242                                         // Extract the (possibly encoded) length of signatureAlgorithm.
    243                                         .split_first()
    244                                         .and_then(|(alg_enc_len, alg_rem)| {
    245                                             // We need to extract how many bytes make up signatureAlgorithm that way
    246                                             // we can skip it and get to the (possibly encoded) length of algorithm.
    247                                             match *alg_enc_len {
    248                                                 // The length of the payload is represented with this byte; thus we
    249                                                 // only need to skip the object identifier byte (i.e., 0x06) of
    250                                                 // algorithm.
    251                                                 ..=127 => Some(1),
    252                                                 // The length of the payload is invalid.
    253                                                 128 | 255 => None,
    254                                                 // The remaining bits represents the number of bytes that it takes to
    255                                                 // encode the length; thus we subtract 128 and add 1 to account for
    256                                                 // the object identifier byte (i.e., 0x06) of algorithm.
    257                                                 // This is the same as just subtracting 127.
    258                                                 //
    259                                                 // Underflow clearly cannot occur since `len` is at least 129.
    260                                                 len @ 129.. => Some(usize::from(len) - 127),
    261                                             }
    262                                             .and_then(
    263                                                 |alg_skip| {
    264                                                     alg_rem.get(alg_skip..).and_then(|oid_rem| {
    265                                                         // Remaining payload starting from the (possibly encoded)
    266                                                         // length of algorithm, and we extract the
    267                                                         // (possibly encoded) length of algorithm.
    268                                                         oid_rem.split_first().and_then(
    269                                                             |(oid_enc_len, rem)| {
    270                                                                 // Extract the algorithm.
    271                                                                 // Recall we don't care if the certificate is
    272                                                                 // invalid, and we only support algorithms of
    273                                                                 // length at most 127. As a result, we treat
    274                                                                 // `oid_enc_len` as is.
    275                                                                 rem.get(..usize::from(*oid_enc_len))
    276                                                                     .and_then(|oid| match oid {
    277                                                                         ED25519 | ECDSA_SHA256
    278                                                                         | RSA_SHA256 | DSA_SHA256
    279                                                                         // [RFC 5929 § 4.1](https://www.rfc-editor.org/rfc/rfc5929#section-4.1)
    280                                                                         // mandates that SHA-1 based signatures
    281                                                                         // use SHA-256.
    282                                                                         | DSA_SHA1 | RSA_SHA1 => {
    283                                                                             Some(Self::Sha256(
    284                                                                                 Sha256::digest(
    285                                                                                     cert,
    286                                                                                 ),
    287                                                                             ))
    288                                                                         }
    289                                                                         ECDSA_SHA384
    290                                                                         | RSA_SHA384 => {
    291                                                                             Some(Self::Sha384(
    292                                                                                 Sha384::digest(
    293                                                                                     cert,
    294                                                                                 ),
    295                                                                             ))
    296                                                                         }
    297                                                                         ECDSA_SHA512
    298                                                                         | RSA_SHA512 => {
    299                                                                             Some(Self::Sha512(
    300                                                                                 Sha512::digest(
    301                                                                                     cert,
    302                                                                                 ),
    303                                                                             ))
    304                                                                         }
    305                                                                         ECDSA_SHA224
    306                                                                         | RSA_SHA224
    307                                                                         | DSA_SHA224 => {
    308                                                                             Some(Self::Sha224(
    309                                                                                 Sha224::digest(
    310                                                                                     cert,
    311                                                                                 ),
    312                                                                             ))
    313                                                                         }
    314                                                                         _ => None,
    315                                                                     })
    316                                                             },
    317                                                         )
    318                                                     })
    319                                                 },
    320                                             )
    321                                         })
    322                                 })
    323                             })
    324                         })
    325                 })
    326             })
    327         })
    328     }
    329 }
    330 /// The [`TlsConnector::Stream`] returned from [`TlsConnectorFuture::poll`].
    331 #[derive(Debug)]
    332 pub struct TlsStream<S>(RustlsStream<S>);
    333 impl<S: AsyncRead + AsyncWrite + Unpin> AsyncRead for TlsStream<S> {
    334     #[inline]
    335     fn poll_read(
    336         mut self: Pin<&mut Self>,
    337         cx: &mut Context<'_>,
    338         buf: &mut ReadBuf<'_>,
    339     ) -> Poll<io::Result<()>> {
    340         Pin::new(&mut self.0).poll_read(cx, buf)
    341     }
    342 }
    343 impl<S: AsyncRead + AsyncWrite + Unpin> AsyncWrite for TlsStream<S> {
    344     #[inline]
    345     fn poll_write(
    346         mut self: Pin<&mut Self>,
    347         cx: &mut Context<'_>,
    348         buf: &[u8],
    349     ) -> Poll<Result<usize, io::Error>> {
    350         Pin::new(&mut self.0).poll_write(cx, buf)
    351     }
    352     #[inline]
    353     fn poll_flush(mut self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Result<(), io::Error>> {
    354         Pin::new(&mut self.0).poll_flush(cx)
    355     }
    356     #[inline]
    357     fn poll_shutdown(
    358         mut self: Pin<&mut Self>,
    359         cx: &mut Context<'_>,
    360     ) -> Poll<Result<(), io::Error>> {
    361         Pin::new(&mut self.0).poll_shutdown(cx)
    362     }
    363     #[inline]
    364     fn poll_write_vectored(
    365         mut self: Pin<&mut Self>,
    366         cx: &mut Context<'_>,
    367         bufs: &[IoSlice<'_>],
    368     ) -> Poll<Result<usize, io::Error>> {
    369         Pin::new(&mut self.0).poll_write_vectored(cx, bufs)
    370     }
    371     #[inline]
    372     fn is_write_vectored(&self) -> bool {
    373         self.0.is_write_vectored()
    374     }
    375 }
    376 impl<S: AsyncRead + AsyncWrite + Unpin> PgTlsStream for TlsStream<S> {
    377     /// Returns the [`ChannelBinding`] based on the X.509 v3 certificate sent from the PostgreSQL server.
    378     ///
    379     /// Note when this returns [`ChannelBinding::tls_server_end_point`], it _does not_ mean the certificate
    380     /// is valid. In certain circumstances, this will return that even for an invalid certificate. This should
    381     /// not matter since the certificate being invalid will cause the certificate to be rejected anyway. When
    382     /// the certificate is valid and uses a supported signature algorithm, then this will always return the
    383     /// correct value.
    384     ///
    385     /// The only supported signature algorithms are the following:
    386     ///
    387     /// * id-Ed25519
    388     /// * ecdsa-with-SHA256
    389     /// * sha256WithRSAEncryption
    390     /// * ecdsa-with-SHA384
    391     /// * sha384WithRSAEncryption
    392     /// * ecdsa-with-SHA512
    393     /// * sha512WithRSAEncryption
    394     /// * ecdsa-with-SHA224
    395     /// * sha224WithRSAEncryption
    396     /// * dsa-with-SHA256
    397     /// * dsa-with-SHA224
    398     /// * dsa-with-SHA1
    399     /// * sha1WithRSAEncryption
    400     ///
    401     /// Note it is strongly recommended that TLS 1.3 be used; thus while signature algorithms that are not
    402     /// part of TLS 1.3 are supported, you should avoid them.
    403     /// See [RFC 9266 § 4.2](https://www.rfc-editor.org/rfc/rfc9266#section-4.2).
    404     /// Additionally some of the supported signature algorithms may not be supported by PostgreSQL
    405     /// (e.g., id-Ed25519).
    406     #[expect(clippy::doc_markdown, reason = "PostgreSQL is correct")]
    407     #[inline]
    408     fn channel_binding(&self) -> ChannelBinding {
    409         self.0
    410             .get_ref()
    411             .1
    412             .peer_certificates()
    413             .and_then(|certs| {
    414                 certs.first().and_then(|fst| {
    415                     Hash::from_der_cert(fst)
    416                         .map(|hash| ChannelBinding::tls_server_end_point(hash.into()))
    417                 })
    418             })
    419             .unwrap_or_else(ChannelBinding::none)
    420     }
    421 }
    422 /// [`TlsConnector::Future`] returned from [`TlsConnector::connect`].
    423 #[expect(
    424     missing_debug_implementations,
    425     reason = "Connect does not implement Debug, so we don't"
    426 )]
    427 pub struct TlsConnectorFuture<S>(Connect<S>);
    428 impl<S: AsyncRead + AsyncWrite + Unpin> Future for TlsConnectorFuture<S> {
    429     type Output = io::Result<TlsStream<S>>;
    430     #[inline]
    431     fn poll(mut self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Self::Output> {
    432         Pin::new(&mut self.0).poll(cx).map_ok(TlsStream)
    433     }
    434 }
    435 /// Connects to the PostgreSQL server.
    436 #[expect(
    437     missing_debug_implementations,
    438     reason = "TlsConnector does not implement Debug, so we don't"
    439 )]
    440 #[expect(clippy::doc_markdown, reason = "PostgreSQL is correct")]
    441 pub struct TlsConnector<'domain> {
    442     /// Used to connect to the PostgreSQL server.
    443     #[expect(clippy::doc_markdown, reason = "PostgreSQL is correct")]
    444     connector: tokio_rustls::TlsConnector,
    445     /// The domain or IP of the PostgreSQL server.
    446     #[expect(clippy::doc_markdown, reason = "PostgreSQL is correct")]
    447     dom: ServerName<'domain>,
    448 }
    449 impl<'domain> TlsConnector<'domain> {
    450     /// Returns `Self` based on `connector` and `domain`.
    451     ///
    452     /// # Errors
    453     ///
    454     /// Errors iff [`ServerName::try_from`] does when passed `domain`.
    455     #[expect(single_use_lifetimes, reason = "false positive")]
    456     #[inline]
    457     pub fn new<'dom: 'domain>(
    458         connector: tokio_rustls::TlsConnector,
    459         domain: &'dom str,
    460     ) -> Result<Self, InvalidDnsNameError> {
    461         ServerName::try_from(domain).map(|dom| Self { connector, dom })
    462     }
    463 }
    464 impl<S: AsyncRead + AsyncWrite + Unpin> PgTlsConnect<S> for TlsConnector<'static> {
    465     type Stream = TlsStream<S>;
    466     type Error = io::Error;
    467     type Future = TlsConnectorFuture<S>;
    468     #[inline]
    469     fn connect(self, stream: S) -> Self::Future {
    470         TlsConnectorFuture(self.connector.connect(self.dom, stream))
    471     }
    472 }
    473 /// [`MakeTlsConnect`] based on [`tokio_rustls::TlsConnector`].
    474 #[expect(
    475     missing_debug_implementations,
    476     reason = "TlsConnector does not implement Debug, so we don't"
    477 )]
    478 #[cfg_attr(docsrs, doc(cfg(feature = "runtime")))]
    479 #[cfg(feature = "runtime")]
    480 #[derive(Clone)]
    481 pub struct MakeTlsConnector(tokio_rustls::TlsConnector);
    482 #[cfg(feature = "runtime")]
    483 impl MakeTlsConnector {
    484     /// Constructs `Self` based on `connector`.
    485     #[inline]
    486     #[must_use]
    487     pub const fn new(connector: tokio_rustls::TlsConnector) -> Self {
    488         Self(connector)
    489     }
    490 }
    491 #[cfg(feature = "runtime")]
    492 impl<S: AsyncRead + AsyncWrite + Unpin> MakeTlsConnect<S> for MakeTlsConnector {
    493     type Stream = TlsStream<S>;
    494     type TlsConnect = TlsConnector<'static>;
    495     type Error = InvalidDnsNameError;
    496     #[inline]
    497     fn make_tls_connect(&mut self, domain: &str) -> Result<Self::TlsConnect, Self::Error> {
    498         ServerName::try_from(domain).map(|dom| TlsConnector {
    499             connector: self.0.clone(),
    500             dom: dom.to_owned(),
    501         })
    502     }
    503 }
    504 /// Removes any ALPN values and adds the `b"postgresql"` ALPN.
    505 #[inline]
    506 pub fn set_postgresql_alpn(config: &mut ClientConfig) {
    507     config.alpn_protocols.clear();
    508     config.alpn_protocols.push(vec![
    509         b'p', b'o', b's', b't', b'g', b'r', b'e', b's', b'q', b'l',
    510     ]);
    511 }
    512 #[cfg(test)]
    513 mod tests {
    514     #[cfg(feature = "runtime")]
    515     extern crate alloc;
    516     use super::Hash;
    517     #[cfg(feature = "runtime")]
    518     use super::MakeTlsConnector;
    519     #[cfg(feature = "runtime")]
    520     use alloc::sync::Arc;
    521     #[cfg(feature = "runtime")]
    522     use core::{
    523         net::{IpAddr, Ipv6Addr},
    524         time::Duration,
    525     };
    526     use sha2::{Digest as _, Sha224, Sha256, Sha384, Sha512};
    527     #[cfg(feature = "runtime")]
    528     use std::{fs, io::Error};
    529     #[cfg(feature = "runtime")]
    530     use tokio::runtime::Builder;
    531     #[cfg(feature = "runtime")]
    532     use tokio_postgres::{
    533         Config,
    534         config::{ChannelBinding, LoadBalanceHosts, SslMode, TargetSessionAttrs},
    535     };
    536     #[cfg(feature = "runtime")]
    537     use tokio_rustls::rustls::{
    538         self, ClientConfig, RootCertStore,
    539         pki_types::{
    540             CertificateDer, PrivateKeyDer,
    541             pem::{Error as PemErr, PemObject as _},
    542         },
    543         version::TLS13,
    544     };
    545     #[test]
    546     fn test_parse_ed25519() {
    547         /// Certificate that uses Ed25519.
    548         const CERT: &[u8] = [
    549             48, 130, 1, 125, 48, 130, 1, 47, 160, 3, 2, 1, 2, 2, 1, 29, 48, 5, 6, 3, 43, 101, 112,
    550             48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 16, 48, 14, 6, 3, 85, 4, 10,
    551             12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 82, 111,
    552             111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 48, 52, 56, 48, 53, 90, 23, 13,
    553             50, 53, 48, 51, 49, 54, 48, 48, 52, 56, 48, 53, 90, 48, 43, 49, 11, 48, 9, 6, 3, 85, 4,
    554             6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 84, 101, 115, 116, 49, 13,
    555             48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 42, 48, 5, 6, 3, 43, 101, 112, 3,
    556             33, 0, 142, 168, 95, 146, 122, 142, 177, 52, 239, 161, 27, 41, 80, 58, 167, 248, 211,
    557             181, 154, 201, 26, 195, 207, 27, 132, 228, 110, 149, 95, 212, 44, 202, 163, 117, 48,
    558             115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 238, 12, 127, 172, 94, 237, 69, 62, 240,
    559             99, 1, 2, 35, 161, 201, 129, 19, 85, 0, 227, 48, 12, 6, 3, 85, 29, 19, 1, 1, 255, 4, 2,
    560             48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 29, 37, 1, 1,
    561             255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 35, 4, 24, 48,
    562             22, 128, 20, 199, 177, 144, 22, 54, 182, 183, 202, 234, 246, 98, 108, 85, 32, 30, 132,
    563             146, 221, 218, 80, 48, 5, 6, 3, 43, 101, 112, 3, 65, 0, 133, 253, 192, 202, 50, 167,
    564             57, 5, 246, 17, 58, 232, 188, 41, 147, 232, 35, 206, 147, 181, 0, 139, 95, 3, 24, 139,
    565             17, 102, 113, 186, 146, 163, 97, 157, 255, 50, 193, 230, 159, 170, 218, 35, 56, 99, 89,
    566             251, 173, 97, 106, 15, 52, 71, 209, 69, 109, 216, 140, 235, 37, 23, 185, 173, 215, 0,
    567         ]
    568         .as_slice();
    569         assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash {
    570             Hash::Sha256(ref hash) => *hash == Sha256::digest(CERT),
    571             _ => false,
    572         }),);
    573     }
    574     #[test]
    575     fn test_parse_ecdsa_sha256() {
    576         /// Certificate that uses ECDSA with SHA-256.
    577         const CERT: &[u8] = [
    578             48, 130, 1, 189, 48, 130, 1, 99, 160, 3, 2, 1, 2, 2, 1, 27, 48, 10, 6, 8, 42, 134, 72,
    579             206, 61, 4, 3, 2, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 16, 48, 14,
    580             6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 3, 85, 4, 3,
    581             12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 48, 52, 49, 51,
    582             48, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 48, 52, 49, 51, 48, 90, 48, 43, 49, 11, 48,
    583             9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 84, 101, 115,
    584             116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 89, 48, 19, 6, 7,
    585             42, 134, 72, 206, 61, 2, 1, 6, 8, 42, 134, 72, 206, 61, 3, 1, 7, 3, 66, 0, 4, 195, 27,
    586             22, 133, 220, 98, 146, 255, 201, 209, 114, 117, 93, 119, 207, 46, 228, 132, 210, 187,
    587             134, 197, 201, 194, 147, 51, 111, 17, 187, 179, 129, 180, 129, 62, 164, 27, 199, 95,
    588             59, 16, 167, 134, 233, 53, 127, 194, 187, 144, 193, 106, 100, 37, 104, 219, 164, 155,
    589             58, 210, 106, 12, 192, 247, 72, 183, 163, 117, 48, 115, 48, 29, 6, 3, 85, 29, 14, 4,
    590             22, 4, 20, 84, 214, 179, 28, 250, 191, 223, 88, 72, 221, 229, 63, 123, 177, 146, 167,
    591             224, 18, 24, 0, 48, 12, 6, 3, 85, 29, 19, 1, 1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29,
    592             15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 29, 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43,
    593             6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 35, 4, 24, 48, 22, 128, 20, 43, 80, 133,
    594             205, 3, 144, 105, 186, 141, 39, 47, 176, 39, 123, 149, 250, 100, 138, 233, 225, 48, 10,
    595             6, 8, 42, 134, 72, 206, 61, 4, 3, 2, 3, 72, 0, 48, 69, 2, 32, 107, 43, 12, 27, 111,
    596             216, 19, 191, 199, 1, 202, 22, 147, 43, 16, 188, 36, 156, 141, 80, 115, 124, 160, 211,
    597             19, 123, 41, 216, 94, 19, 236, 0, 2, 33, 0, 164, 138, 200, 40, 159, 245, 38, 70, 207,
    598             160, 121, 19, 56, 240, 18, 222, 191, 196, 217, 129, 24, 92, 238, 43, 39, 29, 57, 85,
    599             56, 11, 178, 88,
    600         ]
    601         .as_slice();
    602         assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash {
    603             Hash::Sha256(ref hash) => *hash == Sha256::digest(CERT),
    604             _ => false,
    605         }),);
    606     }
    607     #[test]
    608     fn test_parse_ecdsa_sha384() {
    609         /// Certificate that uses ECDSA with SHA-384.
    610         const CERT: &[u8] = [
    611             48, 130, 1, 218, 48, 130, 1, 128, 160, 3, 2, 1, 2, 2, 1, 25, 48, 10, 6, 8, 42, 134, 72,
    612             206, 61, 4, 3, 3, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 16, 48, 14,
    613             6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 3, 85, 4, 3,
    614             12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 48, 51, 57, 51,
    615             55, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 48, 51, 57, 51, 55, 90, 48, 43, 49, 11, 48,
    616             9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 84, 101, 115,
    617             116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 118, 48, 16, 6, 7,
    618             42, 134, 72, 206, 61, 2, 1, 6, 5, 43, 129, 4, 0, 34, 3, 98, 0, 4, 246, 106, 156, 228,
    619             83, 166, 254, 62, 196, 22, 127, 171, 204, 182, 154, 182, 253, 35, 95, 120, 253, 231,
    620             78, 20, 146, 203, 186, 201, 147, 48, 197, 96, 195, 202, 5, 235, 201, 168, 28, 117, 62,
    621             47, 121, 211, 58, 67, 32, 96, 129, 15, 215, 172, 135, 222, 180, 101, 196, 18, 41, 107,
    622             6, 161, 172, 183, 217, 106, 227, 24, 140, 13, 145, 245, 137, 185, 4, 78, 210, 56, 235,
    623             159, 203, 241, 203, 239, 39, 90, 98, 227, 215, 221, 119, 65, 47, 68, 2, 200, 163, 117,
    624             48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 88, 91, 22, 70, 200, 54, 182, 100,
    625             191, 186, 73, 152, 174, 87, 56, 64, 26, 173, 27, 43, 48, 12, 6, 3, 85, 29, 19, 1, 1,
    626             255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 29,
    627             37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 35,
    628             4, 24, 48, 22, 128, 20, 43, 80, 133, 205, 3, 144, 105, 186, 141, 39, 47, 176, 39, 123,
    629             149, 250, 100, 138, 233, 225, 48, 10, 6, 8, 42, 134, 72, 206, 61, 4, 3, 3, 3, 72, 0,
    630             48, 69, 2, 33, 0, 210, 47, 45, 107, 132, 43, 161, 65, 132, 15, 148, 184, 203, 125, 234,
    631             232, 111, 216, 238, 113, 187, 201, 114, 177, 218, 234, 201, 126, 204, 118, 80, 225, 2,
    632             32, 67, 111, 72, 96, 182, 167, 191, 130, 118, 105, 253, 133, 58, 38, 65, 112, 234, 3,
    633             23, 77, 182, 0, 195, 80, 181, 65, 76, 243, 4, 145, 200, 255,
    634         ]
    635         .as_slice();
    636         assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash {
    637             Hash::Sha384(ref hash) => *hash == Sha384::digest(CERT),
    638             _ => false,
    639         }),);
    640     }
    641     #[test]
    642     fn test_parse_ecdsa_sha512() {
    643         /// Certificate that uses ECDSA with SHA-512.
    644         const CERT: &[u8] = [
    645             48, 130, 2, 1, 48, 130, 1, 166, 160, 3, 2, 1, 2, 2, 1, 24, 48, 10, 6, 8, 42, 134, 72,
    646             206, 61, 4, 3, 4, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 16, 48, 14,
    647             6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 3, 85, 4, 3,
    648             12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 48, 51, 56, 51,
    649             54, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 48, 51, 56, 51, 54, 90, 48, 43, 49, 11, 48,
    650             9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 84, 101, 115,
    651             116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 129, 155, 48, 16, 6,
    652             7, 42, 134, 72, 206, 61, 2, 1, 6, 5, 43, 129, 4, 0, 35, 3, 129, 134, 0, 4, 1, 86, 143,
    653             210, 217, 20, 143, 103, 172, 34, 97, 62, 173, 15, 43, 199, 93, 220, 81, 75, 137, 219,
    654             111, 217, 127, 6, 8, 115, 160, 121, 146, 138, 64, 110, 14, 193, 98, 164, 226, 208, 89,
    655             120, 108, 30, 107, 77, 194, 63, 41, 112, 173, 112, 44, 85, 54, 155, 168, 189, 235, 129,
    656             214, 104, 152, 198, 252, 62, 1, 87, 193, 205, 162, 152, 15, 26, 111, 231, 183, 106,
    657             145, 29, 251, 188, 148, 239, 192, 53, 186, 34, 13, 104, 231, 85, 127, 17, 67, 54, 116,
    658             232, 85, 23, 143, 68, 171, 30, 25, 155, 201, 171, 106, 89, 20, 234, 12, 192, 68, 102,
    659             166, 50, 246, 130, 117, 62, 222, 142, 98, 62, 43, 9, 109, 74, 138, 180, 163, 117, 48,
    660             115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 148, 160, 104, 250, 171, 155, 48, 171, 13,
    661             164, 221, 144, 240, 194, 250, 9, 183, 72, 158, 141, 48, 12, 6, 3, 85, 29, 19, 1, 1,
    662             255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 29,
    663             37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 35,
    664             4, 24, 48, 22, 128, 20, 43, 80, 133, 205, 3, 144, 105, 186, 141, 39, 47, 176, 39, 123,
    665             149, 250, 100, 138, 233, 225, 48, 10, 6, 8, 42, 134, 72, 206, 61, 4, 3, 4, 3, 73, 0,
    666             48, 70, 2, 33, 0, 179, 24, 50, 50, 127, 141, 167, 197, 29, 35, 234, 81, 215, 112, 233,
    667             218, 84, 151, 136, 117, 40, 106, 164, 156, 205, 75, 6, 133, 64, 52, 161, 116, 2, 33, 0,
    668             141, 178, 46, 201, 22, 126, 42, 84, 96, 191, 175, 219, 140, 72, 252, 6, 152, 112, 113,
    669             232, 38, 101, 11, 215, 20, 143, 22, 199, 38, 237, 179, 108,
    670         ]
    671         .as_slice();
    672         assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash {
    673             Hash::Sha512(ref hash) => *hash == Sha512::digest(CERT),
    674             _ => false,
    675         }),);
    676     }
    677     #[test]
    678     fn test_parse_ecdsa_sha224() {
    679         /// Certificate that uses ECDSA with SHA-224.
    680         const CERT: &[u8] = [
    681             48, 130, 1, 178, 48, 130, 1, 88, 160, 3, 2, 1, 2, 2, 1, 28, 48, 10, 6, 8, 42, 134, 72,
    682             206, 61, 4, 3, 1, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 16, 48, 14,
    683             6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 3, 85, 4, 3,
    684             12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 48, 52, 50, 49,
    685             52, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 48, 52, 50, 49, 52, 90, 48, 43, 49, 11, 48,
    686             9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 84, 101, 115,
    687             116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 78, 48, 16, 6, 7,
    688             42, 134, 72, 206, 61, 2, 1, 6, 5, 43, 129, 4, 0, 33, 3, 58, 0, 4, 235, 241, 149, 78,
    689             60, 248, 123, 132, 195, 228, 188, 151, 240, 28, 76, 198, 207, 121, 165, 126, 245, 158,
    690             214, 232, 69, 198, 114, 117, 86, 137, 15, 86, 40, 171, 27, 36, 8, 43, 190, 138, 193,
    691             136, 118, 43, 29, 119, 182, 21, 14, 123, 110, 81, 81, 72, 44, 195, 163, 117, 48, 115,
    692             48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 203, 141, 20, 54, 48, 176, 180, 57, 46, 1, 91,
    693             221, 116, 154, 205, 81, 187, 184, 24, 211, 48, 12, 6, 3, 85, 29, 19, 1, 1, 255, 4, 2,
    694             48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 29, 37, 1, 1,
    695             255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 35, 4, 24, 48,
    696             22, 128, 20, 43, 80, 133, 205, 3, 144, 105, 186, 141, 39, 47, 176, 39, 123, 149, 250,
    697             100, 138, 233, 225, 48, 10, 6, 8, 42, 134, 72, 206, 61, 4, 3, 1, 3, 72, 0, 48, 69, 2,
    698             32, 64, 186, 179, 226, 82, 176, 87, 158, 166, 22, 31, 27, 19, 190, 112, 167, 241, 159,
    699             33, 198, 60, 70, 68, 120, 19, 63, 33, 244, 236, 240, 216, 181, 2, 33, 0, 252, 183, 115,
    700             52, 189, 151, 44, 178, 62, 209, 159, 31, 154, 152, 69, 189, 121, 148, 57, 231, 27, 22,
    701             165, 212, 65, 202, 124, 15, 53, 150, 93, 183,
    702         ]
    703         .as_slice();
    704         assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash {
    705             Hash::Sha224(ref hash) => *hash == Sha224::digest(CERT),
    706             _ => false,
    707         }),);
    708     }
    709     #[test]
    710     fn test_parse_rsa_sha256() {
    711         /// Certificate that uses RSA with SHA-256.
    712         const CERT: &[u8] = [
    713             48, 130, 3, 73, 48, 130, 2, 49, 160, 3, 2, 1, 2, 2, 1, 31, 48, 13, 6, 9, 42, 134, 72,
    714             134, 247, 13, 1, 1, 11, 5, 0, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49,
    715             16, 48, 14, 6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6,
    716             3, 85, 4, 3, 12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 49,
    717             48, 51, 48, 53, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 49, 48, 51, 48, 53, 90, 48, 43,
    718             49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4,
    719             84, 101, 115, 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 130,
    720             1, 34, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 1, 5, 0, 3, 130, 1, 15, 0, 48,
    721             130, 1, 10, 2, 130, 1, 1, 0, 157, 28, 83, 190, 61, 252, 154, 205, 112, 191, 153, 197,
    722             22, 159, 92, 161, 84, 84, 181, 67, 218, 26, 189, 52, 245, 184, 150, 248, 142, 15, 214,
    723             118, 205, 243, 107, 45, 103, 205, 9, 198, 129, 115, 7, 195, 115, 131, 34, 244, 217, 42,
    724             234, 170, 84, 41, 128, 49, 81, 175, 208, 42, 100, 168, 44, 145, 226, 11, 98, 245, 83,
    725             134, 213, 30, 76, 239, 43, 82, 222, 175, 254, 135, 124, 16, 218, 105, 159, 219, 43, 8,
    726             109, 1, 228, 16, 190, 160, 28, 100, 120, 245, 100, 164, 45, 128, 181, 238, 152, 227,
    727             50, 63, 162, 191, 4, 173, 210, 254, 31, 141, 66, 193, 237, 20, 92, 34, 13, 74, 135, 80,
    728             201, 12, 158, 51, 54, 91, 53, 97, 115, 212, 97, 6, 160, 45, 77, 40, 165, 55, 128, 230,
    729             105, 31, 76, 197, 211, 111, 197, 169, 167, 136, 2, 249, 117, 65, 127, 163, 217, 169,
    730             151, 97, 209, 194, 179, 203, 81, 58, 52, 66, 11, 184, 172, 97, 70, 124, 125, 151, 159,
    731             102, 224, 24, 159, 233, 169, 95, 66, 17, 180, 69, 48, 233, 5, 250, 37, 55, 35, 200,
    732             212, 225, 197, 240, 19, 22, 106, 101, 171, 190, 135, 3, 75, 157, 240, 149, 107, 208,
    733             94, 58, 244, 204, 105, 9, 32, 203, 162, 194, 39, 12, 97, 16, 153, 236, 60, 93, 24, 252,
    734             103, 231, 164, 19, 55, 233, 181, 103, 135, 187, 40, 202, 210, 125, 88, 73, 2, 3, 1, 0,
    735             1, 163, 117, 48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 91, 156, 56, 249, 82, 5,
    736             5, 2, 2, 21, 57, 237, 90, 8, 188, 55, 139, 113, 229, 132, 48, 12, 6, 3, 85, 29, 19, 1,
    737             1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85,
    738             29, 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29,
    739             35, 4, 24, 48, 22, 128, 20, 96, 178, 34, 145, 205, 104, 56, 196, 211, 241, 34, 247,
    740             125, 194, 215, 110, 191, 133, 151, 15, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1,
    741             11, 5, 0, 3, 130, 1, 1, 0, 28, 109, 109, 197, 99, 197, 36, 180, 154, 215, 173, 215, 24,
    742             94, 47, 218, 147, 163, 179, 123, 248, 3, 144, 109, 173, 207, 49, 113, 249, 188, 31,
    743             178, 16, 88, 88, 56, 11, 86, 127, 193, 23, 165, 65, 190, 84, 170, 156, 190, 52, 87,
    744             119, 213, 106, 184, 11, 204, 151, 148, 205, 100, 233, 46, 170, 45, 161, 100, 58, 46,
    745             105, 25, 150, 78, 146, 41, 100, 125, 203, 214, 238, 104, 251, 25, 183, 66, 102, 241,
    746             110, 56, 55, 205, 122, 234, 205, 90, 91, 247, 143, 129, 217, 6, 190, 120, 18, 190, 11,
    747             121, 207, 142, 170, 57, 236, 243, 113, 53, 167, 188, 26, 134, 175, 107, 195, 48, 119,
    748             78, 117, 157, 104, 247, 65, 122, 153, 234, 166, 88, 142, 228, 25, 120, 243, 51, 111, 8,
    749             43, 199, 255, 162, 186, 18, 64, 54, 96, 44, 138, 144, 237, 89, 176, 189, 245, 194, 96,
    750             232, 196, 0, 50, 51, 98, 32, 163, 177, 130, 113, 41, 116, 33, 40, 190, 111, 79, 108,
    751             107, 159, 65, 87, 222, 173, 170, 39, 29, 97, 240, 107, 130, 101, 247, 123, 85, 123,
    752             247, 221, 89, 159, 114, 157, 35, 153, 22, 127, 149, 224, 158, 236, 4, 137, 193, 135,
    753             136, 97, 222, 83, 232, 205, 148, 127, 139, 78, 220, 10, 183, 139, 205, 190, 181, 36,
    754             61, 155, 88, 163, 50, 120, 153, 41, 182, 75, 219, 95, 25, 40, 229, 106, 87, 215, 77,
    755             50, 219, 97,
    756         ]
    757         .as_slice();
    758         assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash {
    759             Hash::Sha256(ref hash) => *hash == Sha256::digest(CERT),
    760             _ => false,
    761         }),);
    762     }
    763     #[test]
    764     fn test_parse_rsa_sha384() {
    765         /// Certificate that uses RSA with SHA-384.
    766         const CERT: &[u8] = [
    767             48, 130, 3, 73, 48, 130, 2, 49, 160, 3, 2, 1, 2, 2, 1, 32, 48, 13, 6, 9, 42, 134, 72,
    768             134, 247, 13, 1, 1, 12, 5, 0, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49,
    769             16, 48, 14, 6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6,
    770             3, 85, 4, 3, 12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 49,
    771             48, 53, 52, 54, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 49, 48, 53, 52, 54, 90, 48, 43,
    772             49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4,
    773             84, 101, 115, 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 130,
    774             1, 34, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 1, 5, 0, 3, 130, 1, 15, 0, 48,
    775             130, 1, 10, 2, 130, 1, 1, 0, 157, 28, 83, 190, 61, 252, 154, 205, 112, 191, 153, 197,
    776             22, 159, 92, 161, 84, 84, 181, 67, 218, 26, 189, 52, 245, 184, 150, 248, 142, 15, 214,
    777             118, 205, 243, 107, 45, 103, 205, 9, 198, 129, 115, 7, 195, 115, 131, 34, 244, 217, 42,
    778             234, 170, 84, 41, 128, 49, 81, 175, 208, 42, 100, 168, 44, 145, 226, 11, 98, 245, 83,
    779             134, 213, 30, 76, 239, 43, 82, 222, 175, 254, 135, 124, 16, 218, 105, 159, 219, 43, 8,
    780             109, 1, 228, 16, 190, 160, 28, 100, 120, 245, 100, 164, 45, 128, 181, 238, 152, 227,
    781             50, 63, 162, 191, 4, 173, 210, 254, 31, 141, 66, 193, 237, 20, 92, 34, 13, 74, 135, 80,
    782             201, 12, 158, 51, 54, 91, 53, 97, 115, 212, 97, 6, 160, 45, 77, 40, 165, 55, 128, 230,
    783             105, 31, 76, 197, 211, 111, 197, 169, 167, 136, 2, 249, 117, 65, 127, 163, 217, 169,
    784             151, 97, 209, 194, 179, 203, 81, 58, 52, 66, 11, 184, 172, 97, 70, 124, 125, 151, 159,
    785             102, 224, 24, 159, 233, 169, 95, 66, 17, 180, 69, 48, 233, 5, 250, 37, 55, 35, 200,
    786             212, 225, 197, 240, 19, 22, 106, 101, 171, 190, 135, 3, 75, 157, 240, 149, 107, 208,
    787             94, 58, 244, 204, 105, 9, 32, 203, 162, 194, 39, 12, 97, 16, 153, 236, 60, 93, 24, 252,
    788             103, 231, 164, 19, 55, 233, 181, 103, 135, 187, 40, 202, 210, 125, 88, 73, 2, 3, 1, 0,
    789             1, 163, 117, 48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 91, 156, 56, 249, 82, 5,
    790             5, 2, 2, 21, 57, 237, 90, 8, 188, 55, 139, 113, 229, 132, 48, 12, 6, 3, 85, 29, 19, 1,
    791             1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85,
    792             29, 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29,
    793             35, 4, 24, 48, 22, 128, 20, 96, 178, 34, 145, 205, 104, 56, 196, 211, 241, 34, 247,
    794             125, 194, 215, 110, 191, 133, 151, 15, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1,
    795             12, 5, 0, 3, 130, 1, 1, 0, 135, 249, 101, 184, 225, 162, 164, 193, 23, 81, 98, 221,
    796             134, 87, 34, 94, 229, 131, 221, 17, 38, 61, 156, 200, 113, 94, 244, 188, 226, 84, 74,
    797             96, 205, 237, 230, 242, 168, 238, 178, 133, 68, 188, 80, 244, 60, 42, 169, 54, 66, 79,
    798             104, 66, 251, 27, 240, 108, 16, 46, 175, 62, 240, 194, 7, 181, 238, 211, 118, 149, 150,
    799             46, 97, 39, 28, 173, 225, 49, 73, 206, 147, 101, 12, 192, 218, 119, 208, 73, 20, 208,
    800             229, 216, 133, 213, 28, 165, 70, 20, 158, 114, 223, 40, 121, 13, 236, 218, 165, 237,
    801             164, 196, 94, 80, 120, 49, 212, 241, 213, 197, 201, 104, 67, 223, 130, 148, 197, 251,
    802             199, 167, 6, 89, 146, 139, 141, 32, 78, 72, 190, 146, 94, 251, 208, 47, 118, 173, 111,
    803             92, 241, 102, 26, 233, 145, 46, 220, 230, 5, 147, 220, 92, 240, 133, 24, 192, 71, 49,
    804             252, 84, 163, 132, 34, 139, 12, 106, 4, 189, 151, 37, 34, 123, 26, 42, 84, 46, 232, 14,
    805             129, 101, 84, 26, 25, 219, 11, 115, 214, 106, 12, 75, 199, 248, 218, 239, 209, 32, 159,
    806             40, 192, 11, 2, 175, 51, 232, 20, 8, 72, 188, 184, 177, 22, 251, 238, 42, 74, 21, 25,
    807             93, 77, 184, 5, 207, 101, 98, 60, 214, 173, 169, 56, 54, 211, 167, 55, 34, 14, 184, 25,
    808             4, 170, 108, 94, 110, 27, 45, 11, 22, 61, 130, 63, 214, 168, 72,
    809         ]
    810         .as_slice();
    811         assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash {
    812             Hash::Sha384(ref hash) => *hash == Sha384::digest(CERT),
    813             _ => false,
    814         }),);
    815     }
    816     #[test]
    817     fn test_parse_rsa_sha512() {
    818         /// Certificate that uses RSA with SHA-512.
    819         const CERT: &[u8] = [
    820             48, 130, 3, 73, 48, 130, 2, 49, 160, 3, 2, 1, 2, 2, 1, 33, 48, 13, 6, 9, 42, 134, 72,
    821             134, 247, 13, 1, 1, 13, 5, 0, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49,
    822             16, 48, 14, 6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6,
    823             3, 85, 4, 3, 12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 49,
    824             48, 54, 52, 53, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 49, 48, 54, 52, 53, 90, 48, 43,
    825             49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4,
    826             84, 101, 115, 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 130,
    827             1, 34, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 1, 5, 0, 3, 130, 1, 15, 0, 48,
    828             130, 1, 10, 2, 130, 1, 1, 0, 157, 28, 83, 190, 61, 252, 154, 205, 112, 191, 153, 197,
    829             22, 159, 92, 161, 84, 84, 181, 67, 218, 26, 189, 52, 245, 184, 150, 248, 142, 15, 214,
    830             118, 205, 243, 107, 45, 103, 205, 9, 198, 129, 115, 7, 195, 115, 131, 34, 244, 217, 42,
    831             234, 170, 84, 41, 128, 49, 81, 175, 208, 42, 100, 168, 44, 145, 226, 11, 98, 245, 83,
    832             134, 213, 30, 76, 239, 43, 82, 222, 175, 254, 135, 124, 16, 218, 105, 159, 219, 43, 8,
    833             109, 1, 228, 16, 190, 160, 28, 100, 120, 245, 100, 164, 45, 128, 181, 238, 152, 227,
    834             50, 63, 162, 191, 4, 173, 210, 254, 31, 141, 66, 193, 237, 20, 92, 34, 13, 74, 135, 80,
    835             201, 12, 158, 51, 54, 91, 53, 97, 115, 212, 97, 6, 160, 45, 77, 40, 165, 55, 128, 230,
    836             105, 31, 76, 197, 211, 111, 197, 169, 167, 136, 2, 249, 117, 65, 127, 163, 217, 169,
    837             151, 97, 209, 194, 179, 203, 81, 58, 52, 66, 11, 184, 172, 97, 70, 124, 125, 151, 159,
    838             102, 224, 24, 159, 233, 169, 95, 66, 17, 180, 69, 48, 233, 5, 250, 37, 55, 35, 200,
    839             212, 225, 197, 240, 19, 22, 106, 101, 171, 190, 135, 3, 75, 157, 240, 149, 107, 208,
    840             94, 58, 244, 204, 105, 9, 32, 203, 162, 194, 39, 12, 97, 16, 153, 236, 60, 93, 24, 252,
    841             103, 231, 164, 19, 55, 233, 181, 103, 135, 187, 40, 202, 210, 125, 88, 73, 2, 3, 1, 0,
    842             1, 163, 117, 48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 91, 156, 56, 249, 82, 5,
    843             5, 2, 2, 21, 57, 237, 90, 8, 188, 55, 139, 113, 229, 132, 48, 12, 6, 3, 85, 29, 19, 1,
    844             1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85,
    845             29, 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29,
    846             35, 4, 24, 48, 22, 128, 20, 96, 178, 34, 145, 205, 104, 56, 196, 211, 241, 34, 247,
    847             125, 194, 215, 110, 191, 133, 151, 15, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1,
    848             13, 5, 0, 3, 130, 1, 1, 0, 106, 7, 136, 82, 232, 55, 0, 98, 9, 211, 201, 57, 239, 67,
    849             167, 139, 225, 164, 231, 255, 10, 52, 47, 234, 254, 75, 239, 241, 39, 6, 226, 209, 210,
    850             169, 200, 32, 255, 83, 159, 23, 146, 9, 109, 173, 236, 216, 253, 199, 229, 23, 227, 33,
    851             56, 98, 109, 59, 2, 167, 29, 118, 251, 82, 193, 39, 244, 191, 166, 194, 160, 105, 197,
    852             190, 213, 141, 193, 50, 45, 245, 163, 229, 116, 221, 29, 194, 91, 198, 187, 21, 224,
    853             95, 17, 203, 148, 160, 4, 15, 54, 249, 69, 12, 18, 25, 58, 190, 205, 44, 157, 184, 1,
    854             25, 64, 219, 237, 196, 33, 101, 255, 146, 232, 112, 247, 214, 174, 252, 152, 146, 142,
    855             231, 81, 35, 240, 216, 98, 136, 65, 179, 237, 207, 229, 198, 72, 175, 244, 31, 126,
    856             106, 107, 100, 200, 81, 227, 41, 61, 26, 122, 226, 121, 219, 131, 212, 206, 238, 14,
    857             210, 70, 60, 107, 115, 214, 67, 180, 133, 157, 114, 138, 63, 249, 71, 235, 41, 246, 14,
    858             14, 4, 254, 208, 215, 111, 196, 248, 117, 61, 44, 67, 185, 11, 132, 10, 188, 220, 110,
    859             78, 61, 171, 88, 172, 161, 1, 223, 52, 75, 101, 55, 249, 125, 178, 141, 127, 0, 246,
    860             176, 34, 120, 93, 214, 37, 210, 148, 217, 149, 255, 63, 32, 58, 8, 71, 179, 62, 119,
    861             14, 47, 191, 207, 137, 22, 255, 21, 71, 46, 42, 176, 31, 206, 146, 248, 105,
    862         ]
    863         .as_slice();
    864         assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash {
    865             Hash::Sha512(ref hash) => *hash == Sha512::digest(CERT),
    866             _ => false,
    867         }),);
    868     }
    869     #[test]
    870     fn test_parse_rsa_sha224() {
    871         /// Certificate that uses RSA with SHA-224.
    872         const CERT: &[u8] = [
    873             48, 130, 3, 73, 48, 130, 2, 49, 160, 3, 2, 1, 2, 2, 1, 30, 48, 13, 6, 9, 42, 134, 72,
    874             134, 247, 13, 1, 1, 14, 5, 0, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49,
    875             16, 48, 14, 6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6,
    876             3, 85, 4, 3, 12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 48,
    877             53, 57, 50, 56, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 48, 53, 57, 50, 56, 90, 48, 43,
    878             49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4,
    879             84, 101, 115, 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 130,
    880             1, 34, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 1, 5, 0, 3, 130, 1, 15, 0, 48,
    881             130, 1, 10, 2, 130, 1, 1, 0, 157, 28, 83, 190, 61, 252, 154, 205, 112, 191, 153, 197,
    882             22, 159, 92, 161, 84, 84, 181, 67, 218, 26, 189, 52, 245, 184, 150, 248, 142, 15, 214,
    883             118, 205, 243, 107, 45, 103, 205, 9, 198, 129, 115, 7, 195, 115, 131, 34, 244, 217, 42,
    884             234, 170, 84, 41, 128, 49, 81, 175, 208, 42, 100, 168, 44, 145, 226, 11, 98, 245, 83,
    885             134, 213, 30, 76, 239, 43, 82, 222, 175, 254, 135, 124, 16, 218, 105, 159, 219, 43, 8,
    886             109, 1, 228, 16, 190, 160, 28, 100, 120, 245, 100, 164, 45, 128, 181, 238, 152, 227,
    887             50, 63, 162, 191, 4, 173, 210, 254, 31, 141, 66, 193, 237, 20, 92, 34, 13, 74, 135, 80,
    888             201, 12, 158, 51, 54, 91, 53, 97, 115, 212, 97, 6, 160, 45, 77, 40, 165, 55, 128, 230,
    889             105, 31, 76, 197, 211, 111, 197, 169, 167, 136, 2, 249, 117, 65, 127, 163, 217, 169,
    890             151, 97, 209, 194, 179, 203, 81, 58, 52, 66, 11, 184, 172, 97, 70, 124, 125, 151, 159,
    891             102, 224, 24, 159, 233, 169, 95, 66, 17, 180, 69, 48, 233, 5, 250, 37, 55, 35, 200,
    892             212, 225, 197, 240, 19, 22, 106, 101, 171, 190, 135, 3, 75, 157, 240, 149, 107, 208,
    893             94, 58, 244, 204, 105, 9, 32, 203, 162, 194, 39, 12, 97, 16, 153, 236, 60, 93, 24, 252,
    894             103, 231, 164, 19, 55, 233, 181, 103, 135, 187, 40, 202, 210, 125, 88, 73, 2, 3, 1, 0,
    895             1, 163, 117, 48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 91, 156, 56, 249, 82, 5,
    896             5, 2, 2, 21, 57, 237, 90, 8, 188, 55, 139, 113, 229, 132, 48, 12, 6, 3, 85, 29, 19, 1,
    897             1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85,
    898             29, 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29,
    899             35, 4, 24, 48, 22, 128, 20, 96, 178, 34, 145, 205, 104, 56, 196, 211, 241, 34, 247,
    900             125, 194, 215, 110, 191, 133, 151, 15, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1,
    901             14, 5, 0, 3, 130, 1, 1, 0, 122, 121, 0, 201, 250, 195, 66, 213, 60, 117, 213, 188, 93,
    902             193, 88, 130, 241, 219, 111, 238, 109, 38, 220, 131, 164, 12, 135, 169, 58, 140, 214,
    903             211, 93, 51, 204, 242, 10, 119, 123, 23, 69, 67, 135, 151, 245, 23, 144, 61, 233, 229,
    904             122, 189, 111, 89, 190, 100, 251, 86, 185, 246, 40, 121, 190, 192, 199, 119, 232, 209,
    905             202, 23, 20, 46, 48, 235, 175, 240, 225, 106, 6, 24, 239, 172, 51, 196, 63, 189, 210,
    906             167, 244, 87, 245, 193, 130, 33, 171, 165, 117, 180, 25, 250, 21, 6, 208, 124, 254, 64,
    907             180, 50, 124, 234, 179, 121, 183, 0, 71, 118, 28, 115, 86, 117, 60, 96, 164, 33, 54, 1,
    908             86, 234, 132, 146, 156, 221, 52, 28, 39, 237, 128, 75, 157, 169, 203, 26, 48, 74, 4,
    909             129, 162, 139, 235, 16, 74, 236, 151, 0, 150, 234, 246, 204, 180, 240, 31, 92, 129, 51,
    910             221, 118, 10, 192, 140, 32, 33, 21, 223, 113, 35, 86, 47, 236, 159, 252, 52, 185, 41,
    911             151, 56, 126, 251, 165, 126, 214, 27, 213, 169, 211, 174, 26, 55, 21, 11, 187, 189, 96,
    912             67, 141, 124, 178, 51, 37, 80, 17, 220, 210, 193, 243, 127, 46, 82, 75, 172, 187, 156,
    913             222, 186, 3, 13, 194, 104, 234, 131, 96, 99, 34, 1, 61, 149, 219, 33, 227, 34, 215,
    914             211, 82, 106, 57, 61, 185, 178, 1, 191, 14, 196, 52, 5, 38, 27, 232,
    915         ]
    916         .as_slice();
    917         assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash {
    918             Hash::Sha224(ref hash) => *hash == Sha224::digest(CERT),
    919             _ => false,
    920         }),);
    921     }
    922     #[test]
    923     fn test_parse_rsa_sha1() {
    924         /// Certificate that uses RSA with SHA-1.
    925         const CERT: &[u8] = [
    926             48, 130, 3, 73, 48, 130, 2, 49, 160, 3, 2, 1, 2, 2, 1, 34, 48, 13, 6, 9, 42, 134, 72,
    927             134, 247, 13, 1, 1, 5, 5, 0, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49,
    928             16, 48, 14, 6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6,
    929             3, 85, 4, 3, 12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 49,
    930             48, 57, 50, 56, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 49, 48, 57, 50, 56, 90, 48, 43,
    931             49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4,
    932             84, 101, 115, 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 130,
    933             1, 34, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 1, 5, 0, 3, 130, 1, 15, 0, 48,
    934             130, 1, 10, 2, 130, 1, 1, 0, 157, 28, 83, 190, 61, 252, 154, 205, 112, 191, 153, 197,
    935             22, 159, 92, 161, 84, 84, 181, 67, 218, 26, 189, 52, 245, 184, 150, 248, 142, 15, 214,
    936             118, 205, 243, 107, 45, 103, 205, 9, 198, 129, 115, 7, 195, 115, 131, 34, 244, 217, 42,
    937             234, 170, 84, 41, 128, 49, 81, 175, 208, 42, 100, 168, 44, 145, 226, 11, 98, 245, 83,
    938             134, 213, 30, 76, 239, 43, 82, 222, 175, 254, 135, 124, 16, 218, 105, 159, 219, 43, 8,
    939             109, 1, 228, 16, 190, 160, 28, 100, 120, 245, 100, 164, 45, 128, 181, 238, 152, 227,
    940             50, 63, 162, 191, 4, 173, 210, 254, 31, 141, 66, 193, 237, 20, 92, 34, 13, 74, 135, 80,
    941             201, 12, 158, 51, 54, 91, 53, 97, 115, 212, 97, 6, 160, 45, 77, 40, 165, 55, 128, 230,
    942             105, 31, 76, 197, 211, 111, 197, 169, 167, 136, 2, 249, 117, 65, 127, 163, 217, 169,
    943             151, 97, 209, 194, 179, 203, 81, 58, 52, 66, 11, 184, 172, 97, 70, 124, 125, 151, 159,
    944             102, 224, 24, 159, 233, 169, 95, 66, 17, 180, 69, 48, 233, 5, 250, 37, 55, 35, 200,
    945             212, 225, 197, 240, 19, 22, 106, 101, 171, 190, 135, 3, 75, 157, 240, 149, 107, 208,
    946             94, 58, 244, 204, 105, 9, 32, 203, 162, 194, 39, 12, 97, 16, 153, 236, 60, 93, 24, 252,
    947             103, 231, 164, 19, 55, 233, 181, 103, 135, 187, 40, 202, 210, 125, 88, 73, 2, 3, 1, 0,
    948             1, 163, 117, 48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 91, 156, 56, 249, 82, 5,
    949             5, 2, 2, 21, 57, 237, 90, 8, 188, 55, 139, 113, 229, 132, 48, 12, 6, 3, 85, 29, 19, 1,
    950             1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85,
    951             29, 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29,
    952             35, 4, 24, 48, 22, 128, 20, 96, 178, 34, 145, 205, 104, 56, 196, 211, 241, 34, 247,
    953             125, 194, 215, 110, 191, 133, 151, 15, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1,
    954             5, 5, 0, 3, 130, 1, 1, 0, 12, 93, 61, 154, 152, 205, 44, 219, 157, 214, 4, 162, 93, 85,
    955             60, 231, 231, 206, 193, 160, 133, 28, 61, 113, 102, 120, 137, 120, 175, 11, 244, 113,
    956             217, 81, 151, 123, 210, 108, 156, 145, 99, 158, 104, 10, 25, 129, 95, 128, 140, 44,
    957             153, 65, 175, 32, 37, 189, 186, 43, 101, 153, 98, 160, 95, 13, 154, 86, 221, 99, 210,
    958             157, 25, 41, 98, 79, 252, 2, 8, 221, 120, 71, 54, 221, 34, 180, 109, 181, 185, 58, 2,
    959             119, 167, 50, 172, 167, 192, 136, 24, 227, 40, 211, 18, 98, 2, 175, 174, 42, 100, 136,
    960             83, 116, 7, 50, 50, 215, 164, 90, 49, 231, 106, 240, 246, 95, 236, 60, 198, 97, 200,
    961             140, 23, 168, 183, 174, 132, 39, 251, 61, 112, 226, 66, 68, 16, 23, 213, 129, 86, 196,
    962             248, 82, 141, 82, 107, 246, 224, 37, 94, 95, 134, 139, 75, 15, 70, 54, 47, 80, 19, 143,
    963             48, 171, 113, 130, 226, 180, 39, 18, 44, 117, 113, 196, 20, 11, 82, 174, 251, 197, 216,
    964             152, 229, 188, 148, 191, 165, 149, 50, 127, 172, 111, 95, 194, 63, 238, 112, 154, 85,
    965             98, 18, 236, 13, 123, 232, 90, 47, 180, 36, 148, 77, 192, 45, 113, 150, 10, 254, 99, 0,
    966             30, 87, 80, 22, 61, 78, 66, 180, 251, 220, 8, 78, 175, 251, 27, 201, 79, 197, 45, 127,
    967             143, 163, 7, 252, 246, 45, 127, 87, 224, 125, 175, 245, 115,
    968         ]
    969         .as_slice();
    970         assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash {
    971             Hash::Sha256(ref hash) => *hash == Sha256::digest(CERT),
    972             _ => false,
    973         }),);
    974     }
    975     #[test]
    976     fn test_parse_dsa_sha256() {
    977         /// Certificate that uses DSA with SHA-256.
    978         const CERT: &[u8] = [
    979             48, 130, 4, 162, 48, 130, 4, 79, 160, 3, 2, 1, 2, 2, 1, 37, 48, 11, 6, 9, 96, 134, 72,
    980             1, 101, 3, 4, 3, 2, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 16, 48,
    981             14, 6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 3, 85, 4,
    982             3, 12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 49, 50, 51,
    983             48, 51, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 49, 50, 51, 48, 51, 90, 48, 43, 49, 11,
    984             48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 84, 101,
    985             115, 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 130, 3, 66, 48,
    986             130, 2, 53, 6, 7, 42, 134, 72, 206, 56, 4, 1, 48, 130, 2, 40, 2, 130, 1, 1, 0, 172, 11,
    987             194, 123, 239, 38, 183, 160, 91, 74, 179, 251, 72, 80, 38, 223, 195, 46, 238, 2, 67,
    988             45, 138, 58, 62, 57, 85, 203, 148, 194, 164, 178, 195, 150, 29, 93, 245, 157, 225, 189,
    989             125, 209, 186, 83, 234, 14, 179, 116, 156, 216, 112, 205, 152, 26, 168, 175, 111, 106,
    990             249, 235, 49, 40, 246, 31, 152, 214, 59, 117, 64, 109, 28, 167, 222, 155, 132, 192,
    991             180, 240, 8, 80, 209, 209, 119, 53, 165, 51, 189, 18, 158, 176, 171, 45, 160, 54, 8,
    992             75, 146, 92, 245, 202, 188, 144, 36, 156, 127, 140, 220, 144, 56, 95, 38, 112, 44, 221,
    993             159, 9, 159, 189, 153, 150, 88, 84, 73, 138, 6, 73, 141, 17, 28, 110, 159, 141, 21,
    994             232, 13, 90, 130, 251, 177, 168, 242, 201, 222, 138, 182, 233, 142, 229, 24, 47, 186,
    995             56, 245, 177, 250, 253, 2, 11, 115, 29, 6, 156, 168, 117, 22, 15, 152, 183, 137, 25,
    996             188, 24, 22, 120, 195, 17, 97, 16, 85, 234, 95, 53, 156, 244, 146, 53, 183, 235, 71,
    997             24, 163, 139, 70, 227, 235, 154, 229, 210, 144, 81, 231, 161, 120, 117, 182, 245, 175,
    998             25, 252, 21, 153, 130, 211, 180, 209, 164, 34, 248, 167, 8, 98, 181, 69, 52, 74, 120,
    999             227, 165, 16, 172, 42, 107, 248, 42, 225, 46, 80, 11, 117, 92, 225, 27, 86, 4, 226, 29,
   1000             85, 105, 208, 193, 120, 112, 39, 226, 20, 141, 2, 29, 0, 186, 229, 13, 141, 5, 89, 173,
   1001             164, 148, 130, 205, 229, 23, 44, 125, 234, 49, 240, 196, 213, 6, 31, 233, 8, 99, 80,
   1002             166, 239, 2, 130, 1, 0, 106, 152, 3, 177, 77, 235, 201, 25, 36, 150, 146, 246, 50, 67,
   1003             97, 96, 245, 207, 14, 200, 60, 16, 229, 114, 211, 111, 193, 226, 252, 153, 176, 159,
   1004             198, 41, 133, 157, 197, 38, 112, 217, 9, 205, 13, 85, 170, 94, 89, 60, 214, 117, 182,
   1005             163, 81, 138, 122, 250, 48, 98, 43, 60, 186, 203, 147, 60, 74, 110, 89, 216, 73, 4,
   1006             191, 1, 158, 174, 98, 201, 184, 25, 162, 239, 244, 139, 154, 173, 108, 135, 124, 166,
   1007             152, 88, 237, 68, 145, 252, 33, 40, 237, 57, 53, 155, 215, 56, 12, 202, 22, 225, 7, 89,
   1008             24, 245, 195, 164, 36, 172, 98, 26, 115, 10, 71, 27, 21, 255, 62, 212, 202, 71, 147,
   1009             229, 6, 181, 19, 107, 136, 223, 239, 164, 243, 254, 101, 208, 122, 226, 150, 17, 251,
   1010             218, 85, 169, 81, 177, 7, 190, 171, 230, 26, 149, 183, 181, 113, 140, 252, 212, 172,
   1011             154, 200, 118, 69, 156, 108, 144, 11, 201, 135, 175, 19, 201, 116, 9, 80, 20, 19, 89,
   1012             151, 198, 204, 253, 10, 155, 101, 159, 81, 190, 174, 58, 220, 250, 220, 212, 42, 111,
   1013             33, 204, 114, 7, 30, 153, 73, 248, 209, 114, 36, 225, 6, 47, 106, 45, 226, 254, 175,
   1014             201, 138, 254, 121, 184, 19, 143, 48, 67, 179, 99, 250, 189, 237, 58, 249, 194, 167,
   1015             149, 162, 219, 27, 53, 67, 135, 193, 204, 253, 176, 245, 2, 211, 58, 176, 69, 14, 186,
   1016             3, 130, 1, 5, 0, 2, 130, 1, 0, 97, 40, 15, 97, 210, 23, 118, 85, 75, 191, 251, 126,
   1017             171, 47, 188, 57, 40, 41, 85, 48, 206, 169, 253, 233, 146, 161, 39, 232, 242, 19, 219,
   1018             191, 172, 82, 78, 132, 153, 238, 120, 228, 99, 199, 197, 181, 74, 191, 123, 189, 80,
   1019             203, 219, 50, 184, 193, 49, 160, 9, 41, 167, 133, 33, 151, 52, 196, 61, 29, 102, 233,
   1020             163, 249, 121, 248, 55, 144, 215, 55, 89, 142, 137, 249, 67, 112, 167, 42, 255, 67, 56,
   1021             179, 106, 187, 79, 87, 54, 118, 186, 154, 48, 150, 204, 222, 102, 135, 254, 202, 9,
   1022             166, 229, 176, 130, 37, 174, 139, 240, 43, 134, 75, 141, 35, 163, 203, 71, 153, 217,
   1023             71, 181, 79, 35, 114, 55, 124, 20, 55, 110, 112, 223, 109, 239, 183, 210, 141, 59, 88,
   1024             47, 40, 167, 154, 90, 99, 250, 146, 29, 226, 10, 70, 103, 246, 209, 36, 174, 177, 164,
   1025             244, 126, 153, 106, 156, 92, 143, 140, 46, 49, 184, 125, 160, 246, 145, 178, 94, 11,
   1026             153, 128, 59, 210, 11, 210, 42, 3, 138, 136, 147, 115, 96, 190, 68, 128, 25, 47, 26,
   1027             231, 183, 247, 89, 28, 67, 220, 235, 88, 4, 228, 140, 148, 10, 98, 104, 101, 60, 115,
   1028             39, 219, 183, 111, 62, 93, 133, 141, 219, 252, 51, 66, 224, 115, 158, 85, 46, 13, 171,
   1029             31, 5, 210, 83, 68, 61, 92, 87, 241, 1, 215, 144, 233, 243, 68, 238, 197, 62, 54, 68,
   1030             163, 117, 48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 153, 40, 244, 111, 22, 53,
   1031             83, 33, 46, 24, 242, 81, 89, 121, 91, 97, 190, 144, 138, 150, 48, 12, 6, 3, 85, 29, 19,
   1032             1, 1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85,
   1033             29, 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29,
   1034             35, 4, 24, 48, 22, 128, 20, 230, 93, 24, 66, 42, 224, 216, 63, 210, 30, 74, 173, 48,
   1035             16, 195, 8, 166, 231, 232, 253, 48, 11, 6, 9, 96, 134, 72, 1, 101, 3, 4, 3, 2, 3, 64,
   1036             0, 48, 61, 2, 28, 116, 130, 114, 201, 119, 192, 122, 114, 52, 255, 182, 233, 56, 153,
   1037             169, 135, 12, 49, 236, 107, 72, 244, 178, 174, 32, 27, 13, 226, 2, 29, 0, 170, 35, 77,
   1038             179, 10, 59, 85, 118, 124, 99, 48, 21, 125, 235, 57, 27, 60, 222, 102, 120, 20, 16,
   1039             148, 80, 118, 28, 75, 176,
   1040         ]
   1041         .as_slice();
   1042         assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash {
   1043             Hash::Sha256(ref hash) => *hash == Sha256::digest(CERT),
   1044             _ => false,
   1045         }),);
   1046     }
   1047     #[test]
   1048     fn test_parse_dsa_sha224() {
   1049         /// Certificate that uses DSA with SHA-224.
   1050         const CERT: &[u8] = [
   1051             48, 130, 4, 163, 48, 130, 4, 79, 160, 3, 2, 1, 2, 2, 1, 36, 48, 11, 6, 9, 96, 134, 72,
   1052             1, 101, 3, 4, 3, 1, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 16, 48,
   1053             14, 6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 3, 85, 4,
   1054             3, 12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 49, 50, 50,
   1055             50, 53, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 49, 50, 50, 50, 53, 90, 48, 43, 49, 11,
   1056             48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 84, 101,
   1057             115, 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 130, 3, 66, 48,
   1058             130, 2, 53, 6, 7, 42, 134, 72, 206, 56, 4, 1, 48, 130, 2, 40, 2, 130, 1, 1, 0, 172, 11,
   1059             194, 123, 239, 38, 183, 160, 91, 74, 179, 251, 72, 80, 38, 223, 195, 46, 238, 2, 67,
   1060             45, 138, 58, 62, 57, 85, 203, 148, 194, 164, 178, 195, 150, 29, 93, 245, 157, 225, 189,
   1061             125, 209, 186, 83, 234, 14, 179, 116, 156, 216, 112, 205, 152, 26, 168, 175, 111, 106,
   1062             249, 235, 49, 40, 246, 31, 152, 214, 59, 117, 64, 109, 28, 167, 222, 155, 132, 192,
   1063             180, 240, 8, 80, 209, 209, 119, 53, 165, 51, 189, 18, 158, 176, 171, 45, 160, 54, 8,
   1064             75, 146, 92, 245, 202, 188, 144, 36, 156, 127, 140, 220, 144, 56, 95, 38, 112, 44, 221,
   1065             159, 9, 159, 189, 153, 150, 88, 84, 73, 138, 6, 73, 141, 17, 28, 110, 159, 141, 21,
   1066             232, 13, 90, 130, 251, 177, 168, 242, 201, 222, 138, 182, 233, 142, 229, 24, 47, 186,
   1067             56, 245, 177, 250, 253, 2, 11, 115, 29, 6, 156, 168, 117, 22, 15, 152, 183, 137, 25,
   1068             188, 24, 22, 120, 195, 17, 97, 16, 85, 234, 95, 53, 156, 244, 146, 53, 183, 235, 71,
   1069             24, 163, 139, 70, 227, 235, 154, 229, 210, 144, 81, 231, 161, 120, 117, 182, 245, 175,
   1070             25, 252, 21, 153, 130, 211, 180, 209, 164, 34, 248, 167, 8, 98, 181, 69, 52, 74, 120,
   1071             227, 165, 16, 172, 42, 107, 248, 42, 225, 46, 80, 11, 117, 92, 225, 27, 86, 4, 226, 29,
   1072             85, 105, 208, 193, 120, 112, 39, 226, 20, 141, 2, 29, 0, 186, 229, 13, 141, 5, 89, 173,
   1073             164, 148, 130, 205, 229, 23, 44, 125, 234, 49, 240, 196, 213, 6, 31, 233, 8, 99, 80,
   1074             166, 239, 2, 130, 1, 0, 106, 152, 3, 177, 77, 235, 201, 25, 36, 150, 146, 246, 50, 67,
   1075             97, 96, 245, 207, 14, 200, 60, 16, 229, 114, 211, 111, 193, 226, 252, 153, 176, 159,
   1076             198, 41, 133, 157, 197, 38, 112, 217, 9, 205, 13, 85, 170, 94, 89, 60, 214, 117, 182,
   1077             163, 81, 138, 122, 250, 48, 98, 43, 60, 186, 203, 147, 60, 74, 110, 89, 216, 73, 4,
   1078             191, 1, 158, 174, 98, 201, 184, 25, 162, 239, 244, 139, 154, 173, 108, 135, 124, 166,
   1079             152, 88, 237, 68, 145, 252, 33, 40, 237, 57, 53, 155, 215, 56, 12, 202, 22, 225, 7, 89,
   1080             24, 245, 195, 164, 36, 172, 98, 26, 115, 10, 71, 27, 21, 255, 62, 212, 202, 71, 147,
   1081             229, 6, 181, 19, 107, 136, 223, 239, 164, 243, 254, 101, 208, 122, 226, 150, 17, 251,
   1082             218, 85, 169, 81, 177, 7, 190, 171, 230, 26, 149, 183, 181, 113, 140, 252, 212, 172,
   1083             154, 200, 118, 69, 156, 108, 144, 11, 201, 135, 175, 19, 201, 116, 9, 80, 20, 19, 89,
   1084             151, 198, 204, 253, 10, 155, 101, 159, 81, 190, 174, 58, 220, 250, 220, 212, 42, 111,
   1085             33, 204, 114, 7, 30, 153, 73, 248, 209, 114, 36, 225, 6, 47, 106, 45, 226, 254, 175,
   1086             201, 138, 254, 121, 184, 19, 143, 48, 67, 179, 99, 250, 189, 237, 58, 249, 194, 167,
   1087             149, 162, 219, 27, 53, 67, 135, 193, 204, 253, 176, 245, 2, 211, 58, 176, 69, 14, 186,
   1088             3, 130, 1, 5, 0, 2, 130, 1, 0, 97, 40, 15, 97, 210, 23, 118, 85, 75, 191, 251, 126,
   1089             171, 47, 188, 57, 40, 41, 85, 48, 206, 169, 253, 233, 146, 161, 39, 232, 242, 19, 219,
   1090             191, 172, 82, 78, 132, 153, 238, 120, 228, 99, 199, 197, 181, 74, 191, 123, 189, 80,
   1091             203, 219, 50, 184, 193, 49, 160, 9, 41, 167, 133, 33, 151, 52, 196, 61, 29, 102, 233,
   1092             163, 249, 121, 248, 55, 144, 215, 55, 89, 142, 137, 249, 67, 112, 167, 42, 255, 67, 56,
   1093             179, 106, 187, 79, 87, 54, 118, 186, 154, 48, 150, 204, 222, 102, 135, 254, 202, 9,
   1094             166, 229, 176, 130, 37, 174, 139, 240, 43, 134, 75, 141, 35, 163, 203, 71, 153, 217,
   1095             71, 181, 79, 35, 114, 55, 124, 20, 55, 110, 112, 223, 109, 239, 183, 210, 141, 59, 88,
   1096             47, 40, 167, 154, 90, 99, 250, 146, 29, 226, 10, 70, 103, 246, 209, 36, 174, 177, 164,
   1097             244, 126, 153, 106, 156, 92, 143, 140, 46, 49, 184, 125, 160, 246, 145, 178, 94, 11,
   1098             153, 128, 59, 210, 11, 210, 42, 3, 138, 136, 147, 115, 96, 190, 68, 128, 25, 47, 26,
   1099             231, 183, 247, 89, 28, 67, 220, 235, 88, 4, 228, 140, 148, 10, 98, 104, 101, 60, 115,
   1100             39, 219, 183, 111, 62, 93, 133, 141, 219, 252, 51, 66, 224, 115, 158, 85, 46, 13, 171,
   1101             31, 5, 210, 83, 68, 61, 92, 87, 241, 1, 215, 144, 233, 243, 68, 238, 197, 62, 54, 68,
   1102             163, 117, 48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 153, 40, 244, 111, 22, 53,
   1103             83, 33, 46, 24, 242, 81, 89, 121, 91, 97, 190, 144, 138, 150, 48, 12, 6, 3, 85, 29, 19,
   1104             1, 1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85,
   1105             29, 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29,
   1106             35, 4, 24, 48, 22, 128, 20, 230, 93, 24, 66, 42, 224, 216, 63, 210, 30, 74, 173, 48,
   1107             16, 195, 8, 166, 231, 232, 253, 48, 11, 6, 9, 96, 134, 72, 1, 101, 3, 4, 3, 1, 3, 65,
   1108             0, 48, 62, 2, 29, 0, 178, 65, 35, 200, 113, 88, 88, 146, 71, 230, 14, 148, 101, 161,
   1109             118, 55, 125, 175, 226, 137, 63, 147, 215, 75, 207, 115, 150, 22, 2, 29, 0, 233, 44,
   1110             225, 196, 27, 225, 84, 166, 253, 231, 247, 162, 41, 134, 178, 45, 218, 17, 24, 35, 120,
   1111             100, 231, 84, 218, 88, 80, 255,
   1112         ]
   1113         .as_slice();
   1114         assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash {
   1115             Hash::Sha224(ref hash) => *hash == Sha224::digest(CERT),
   1116             _ => false,
   1117         }),);
   1118     }
   1119     #[test]
   1120     fn test_parse_dsa_sha1() {
   1121         /// Certificate that uses DSA with SHA-1.
   1122         const CERT: &[u8] = [
   1123             48, 130, 4, 157, 48, 130, 4, 77, 160, 3, 2, 1, 2, 2, 1, 35, 48, 9, 6, 7, 42, 134, 72,
   1124             206, 56, 4, 3, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 16, 48, 14, 6,
   1125             3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12,
   1126             4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 49, 49, 57, 48, 55,
   1127             90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 49, 49, 57, 48, 55, 90, 48, 43, 49, 11, 48, 9,
   1128             6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 84, 101, 115,
   1129             116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 130, 3, 66, 48, 130,
   1130             2, 53, 6, 7, 42, 134, 72, 206, 56, 4, 1, 48, 130, 2, 40, 2, 130, 1, 1, 0, 172, 11, 194,
   1131             123, 239, 38, 183, 160, 91, 74, 179, 251, 72, 80, 38, 223, 195, 46, 238, 2, 67, 45,
   1132             138, 58, 62, 57, 85, 203, 148, 194, 164, 178, 195, 150, 29, 93, 245, 157, 225, 189,
   1133             125, 209, 186, 83, 234, 14, 179, 116, 156, 216, 112, 205, 152, 26, 168, 175, 111, 106,
   1134             249, 235, 49, 40, 246, 31, 152, 214, 59, 117, 64, 109, 28, 167, 222, 155, 132, 192,
   1135             180, 240, 8, 80, 209, 209, 119, 53, 165, 51, 189, 18, 158, 176, 171, 45, 160, 54, 8,
   1136             75, 146, 92, 245, 202, 188, 144, 36, 156, 127, 140, 220, 144, 56, 95, 38, 112, 44, 221,
   1137             159, 9, 159, 189, 153, 150, 88, 84, 73, 138, 6, 73, 141, 17, 28, 110, 159, 141, 21,
   1138             232, 13, 90, 130, 251, 177, 168, 242, 201, 222, 138, 182, 233, 142, 229, 24, 47, 186,
   1139             56, 245, 177, 250, 253, 2, 11, 115, 29, 6, 156, 168, 117, 22, 15, 152, 183, 137, 25,
   1140             188, 24, 22, 120, 195, 17, 97, 16, 85, 234, 95, 53, 156, 244, 146, 53, 183, 235, 71,
   1141             24, 163, 139, 70, 227, 235, 154, 229, 210, 144, 81, 231, 161, 120, 117, 182, 245, 175,
   1142             25, 252, 21, 153, 130, 211, 180, 209, 164, 34, 248, 167, 8, 98, 181, 69, 52, 74, 120,
   1143             227, 165, 16, 172, 42, 107, 248, 42, 225, 46, 80, 11, 117, 92, 225, 27, 86, 4, 226, 29,
   1144             85, 105, 208, 193, 120, 112, 39, 226, 20, 141, 2, 29, 0, 186, 229, 13, 141, 5, 89, 173,
   1145             164, 148, 130, 205, 229, 23, 44, 125, 234, 49, 240, 196, 213, 6, 31, 233, 8, 99, 80,
   1146             166, 239, 2, 130, 1, 0, 106, 152, 3, 177, 77, 235, 201, 25, 36, 150, 146, 246, 50, 67,
   1147             97, 96, 245, 207, 14, 200, 60, 16, 229, 114, 211, 111, 193, 226, 252, 153, 176, 159,
   1148             198, 41, 133, 157, 197, 38, 112, 217, 9, 205, 13, 85, 170, 94, 89, 60, 214, 117, 182,
   1149             163, 81, 138, 122, 250, 48, 98, 43, 60, 186, 203, 147, 60, 74, 110, 89, 216, 73, 4,
   1150             191, 1, 158, 174, 98, 201, 184, 25, 162, 239, 244, 139, 154, 173, 108, 135, 124, 166,
   1151             152, 88, 237, 68, 145, 252, 33, 40, 237, 57, 53, 155, 215, 56, 12, 202, 22, 225, 7, 89,
   1152             24, 245, 195, 164, 36, 172, 98, 26, 115, 10, 71, 27, 21, 255, 62, 212, 202, 71, 147,
   1153             229, 6, 181, 19, 107, 136, 223, 239, 164, 243, 254, 101, 208, 122, 226, 150, 17, 251,
   1154             218, 85, 169, 81, 177, 7, 190, 171, 230, 26, 149, 183, 181, 113, 140, 252, 212, 172,
   1155             154, 200, 118, 69, 156, 108, 144, 11, 201, 135, 175, 19, 201, 116, 9, 80, 20, 19, 89,
   1156             151, 198, 204, 253, 10, 155, 101, 159, 81, 190, 174, 58, 220, 250, 220, 212, 42, 111,
   1157             33, 204, 114, 7, 30, 153, 73, 248, 209, 114, 36, 225, 6, 47, 106, 45, 226, 254, 175,
   1158             201, 138, 254, 121, 184, 19, 143, 48, 67, 179, 99, 250, 189, 237, 58, 249, 194, 167,
   1159             149, 162, 219, 27, 53, 67, 135, 193, 204, 253, 176, 245, 2, 211, 58, 176, 69, 14, 186,
   1160             3, 130, 1, 5, 0, 2, 130, 1, 0, 97, 40, 15, 97, 210, 23, 118, 85, 75, 191, 251, 126,
   1161             171, 47, 188, 57, 40, 41, 85, 48, 206, 169, 253, 233, 146, 161, 39, 232, 242, 19, 219,
   1162             191, 172, 82, 78, 132, 153, 238, 120, 228, 99, 199, 197, 181, 74, 191, 123, 189, 80,
   1163             203, 219, 50, 184, 193, 49, 160, 9, 41, 167, 133, 33, 151, 52, 196, 61, 29, 102, 233,
   1164             163, 249, 121, 248, 55, 144, 215, 55, 89, 142, 137, 249, 67, 112, 167, 42, 255, 67, 56,
   1165             179, 106, 187, 79, 87, 54, 118, 186, 154, 48, 150, 204, 222, 102, 135, 254, 202, 9,
   1166             166, 229, 176, 130, 37, 174, 139, 240, 43, 134, 75, 141, 35, 163, 203, 71, 153, 217,
   1167             71, 181, 79, 35, 114, 55, 124, 20, 55, 110, 112, 223, 109, 239, 183, 210, 141, 59, 88,
   1168             47, 40, 167, 154, 90, 99, 250, 146, 29, 226, 10, 70, 103, 246, 209, 36, 174, 177, 164,
   1169             244, 126, 153, 106, 156, 92, 143, 140, 46, 49, 184, 125, 160, 246, 145, 178, 94, 11,
   1170             153, 128, 59, 210, 11, 210, 42, 3, 138, 136, 147, 115, 96, 190, 68, 128, 25, 47, 26,
   1171             231, 183, 247, 89, 28, 67, 220, 235, 88, 4, 228, 140, 148, 10, 98, 104, 101, 60, 115,
   1172             39, 219, 183, 111, 62, 93, 133, 141, 219, 252, 51, 66, 224, 115, 158, 85, 46, 13, 171,
   1173             31, 5, 210, 83, 68, 61, 92, 87, 241, 1, 215, 144, 233, 243, 68, 238, 197, 62, 54, 68,
   1174             163, 117, 48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 153, 40, 244, 111, 22, 53,
   1175             83, 33, 46, 24, 242, 81, 89, 121, 91, 97, 190, 144, 138, 150, 48, 12, 6, 3, 85, 29, 19,
   1176             1, 1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85,
   1177             29, 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29,
   1178             35, 4, 24, 48, 22, 128, 20, 230, 93, 24, 66, 42, 224, 216, 63, 210, 30, 74, 173, 48,
   1179             16, 195, 8, 166, 231, 232, 253, 48, 9, 6, 7, 42, 134, 72, 206, 56, 4, 3, 3, 63, 0, 48,
   1180             60, 2, 28, 50, 39, 36, 45, 25, 91, 93, 174, 107, 192, 215, 113, 214, 88, 122, 108, 97,
   1181             82, 121, 182, 191, 182, 66, 173, 207, 255, 17, 86, 2, 28, 28, 133, 69, 48, 198, 204,
   1182             39, 177, 136, 73, 222, 95, 114, 218, 219, 54, 88, 17, 114, 204, 214, 83, 20, 137, 75,
   1183             203, 163, 99,
   1184         ]
   1185         .as_slice();
   1186         assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash {
   1187             Hash::Sha256(ref hash) => *hash == Sha256::digest(CERT),
   1188             _ => false,
   1189         }),);
   1190     }
   1191     #[cfg(feature = "runtime")]
   1192     #[derive(Debug)]
   1193     enum E {
   1194         #[expect(dead_code, reason = "does not matter for tests")]
   1195         Io(Error),
   1196         #[expect(dead_code, reason = "does not matter for tests")]
   1197         Rustls(rustls::Error),
   1198         #[expect(dead_code, reason = "does not matter for tests")]
   1199         Postgres(tokio_postgres::Error),
   1200         NoRootCert,
   1201         MultipleRootCerts,
   1202         NoClientKey,
   1203         MultipleClientKeys,
   1204         #[expect(dead_code, reason = "does not matter for tests")]
   1205         RustlsPem(PemErr),
   1206     }
   1207     #[cfg(feature = "runtime")]
   1208     impl From<Error> for E {
   1209         fn from(value: Error) -> Self {
   1210             Self::Io(value)
   1211         }
   1212     }
   1213     #[cfg(feature = "runtime")]
   1214     impl From<rustls::Error> for E {
   1215         fn from(value: rustls::Error) -> Self {
   1216             Self::Rustls(value)
   1217         }
   1218     }
   1219     #[cfg(feature = "runtime")]
   1220     impl From<tokio_postgres::Error> for E {
   1221         fn from(value: tokio_postgres::Error) -> Self {
   1222             Self::Postgres(value)
   1223         }
   1224     }
   1225     #[cfg(feature = "runtime")]
   1226     impl From<PemErr> for E {
   1227         fn from(value: PemErr) -> Self {
   1228             Self::RustlsPem(value)
   1229         }
   1230     }
   1231     #[cfg(feature = "runtime")]
   1232     #[ignore]
   1233     #[test]
   1234     fn test_mutual_tls() -> Result<(), E> {
   1235         let root_cert_file = fs::read("test_data/ca.crt.pem")?;
   1236         let mut cert_iter = CertificateDer::pem_slice_iter(root_cert_file.as_slice());
   1237         let key_file = fs::read("test_data/client.key.pem")?;
   1238         let mut key_iter = PrivateKeyDer::pem_slice_iter(key_file.as_slice());
   1239         let mut conf = ClientConfig::builder_with_protocol_versions([&TLS13].as_slice())
   1240             .with_root_certificates(cert_iter.next().ok_or_else(|| E::NoRootCert).and_then(
   1241                 |cert_res| {
   1242                     cert_res.map_err(E::RustlsPem).and_then(|cert| {
   1243                         cert_iter.next().map_or_else(
   1244                             || {
   1245                                 let mut root_store = RootCertStore::empty();
   1246                                 root_store.add(cert).map_err(E::Rustls).map(|()| root_store)
   1247                             },
   1248                             |_| Err(E::MultipleRootCerts),
   1249                         )
   1250                     })
   1251                 },
   1252             )?)
   1253             .with_client_auth_cert(
   1254                 CertificateDer::pem_slice_iter(fs::read("test_data/client.crt.pem")?.as_slice())
   1255                     .try_fold(Vec::with_capacity(1), |mut certs, res| {
   1256                         res.map(|cert| {
   1257                             certs.push(cert);
   1258                             certs
   1259                         })
   1260                     })?,
   1261                 key_iter
   1262                     .next()
   1263                     .ok_or_else(|| E::NoClientKey)
   1264                     .and_then(|key_res| {
   1265                         key_res.map_err(E::RustlsPem).and_then(|key| {
   1266                             key_iter
   1267                                 .next()
   1268                                 .map_or_else(|| Ok(key), |_| Err(E::MultipleClientKeys))
   1269                         })
   1270                     })?,
   1271             )?;
   1272         super::set_postgresql_alpn(&mut conf);
   1273         let mut config = Config::new();
   1274         let connection = config
   1275             .application_name("test")
   1276             .channel_binding(ChannelBinding::Disable)
   1277             .connect_timeout(Duration::from_secs(4))
   1278             .dbname(fs::read_to_string("test_data/dbname")?.trim_ascii_end())
   1279             .host(fs::read_to_string("test_data/host")?.trim_ascii_end())
   1280             .hostaddr(IpAddr::V6(Ipv6Addr::LOCALHOST))
   1281             .keepalives(false)
   1282             .load_balance_hosts(LoadBalanceHosts::Disable)
   1283             .port(5432)
   1284             .ssl_mode(SslMode::Require)
   1285             .target_session_attrs(TargetSessionAttrs::Any)
   1286             .user(fs::read_to_string("test_data/user")?.trim_ascii_end())
   1287             .connect(MakeTlsConnector::new(Arc::new(conf).into()));
   1288         Builder::new_current_thread()
   1289             .enable_all()
   1290             .build()?
   1291             .block_on(async move { connection.await.map_err(E::Postgres).map(|_| ()) })
   1292     }
   1293     #[cfg(feature = "runtime")]
   1294     #[ignore]
   1295     #[test]
   1296     fn test_password_and_channel_binding() -> Result<(), E> {
   1297         let root_cert_file = fs::read("test_data/ca.crt.pem")?;
   1298         let mut cert_iter = CertificateDer::pem_slice_iter(root_cert_file.as_slice());
   1299         let mut conf = ClientConfig::builder_with_protocol_versions([&TLS13].as_slice())
   1300             .with_root_certificates(cert_iter.next().ok_or_else(|| E::NoRootCert).and_then(
   1301                 |cert_res| {
   1302                     cert_res.map_err(E::RustlsPem).and_then(|cert| {
   1303                         cert_iter.next().map_or_else(
   1304                             || {
   1305                                 let mut root_store = RootCertStore::empty();
   1306                                 root_store.add(cert).map_err(E::Rustls).map(|()| root_store)
   1307                             },
   1308                             |_| Err(E::MultipleRootCerts),
   1309                         )
   1310                     })
   1311                 },
   1312             )?)
   1313             .with_no_client_auth();
   1314         super::set_postgresql_alpn(&mut conf);
   1315         let mut config = Config::new();
   1316         let connection = config
   1317             .application_name("test")
   1318             .channel_binding(ChannelBinding::Require)
   1319             .connect_timeout(Duration::from_secs(4))
   1320             .dbname(fs::read_to_string("test_data/dbname")?.trim_ascii_end())
   1321             .host(fs::read_to_string("test_data/host")?.trim_ascii_end())
   1322             .hostaddr(IpAddr::V6(Ipv6Addr::LOCALHOST))
   1323             .keepalives(false)
   1324             .load_balance_hosts(LoadBalanceHosts::Disable)
   1325             .password(fs::read("test_data/password")?.trim_ascii_end())
   1326             .port(5432)
   1327             .ssl_mode(SslMode::Require)
   1328             .target_session_attrs(TargetSessionAttrs::Any)
   1329             .user(fs::read_to_string("test_data/user")?.trim_ascii_end())
   1330             .connect(MakeTlsConnector::new(Arc::new(conf).into()));
   1331         Builder::new_current_thread()
   1332             .enable_all()
   1333             .build()?
   1334             .block_on(async move { connection.await.map_err(E::Postgres).map(|_| ()) })
   1335     }
   1336 }