postgres_rustls/

lib.rs

//! [![git]](https://git.philomathiclife.com/postgres_rustls/log.html) [![crates-io]](https://crates.io/crates/postgres_rustls) [![docs-rs]](crate)
//!
//! [git]: https://git.philomathiclife.com/git_badge.svg
//! [crates-io]: https://img.shields.io/badge/crates.io-fc8d62?style=for-the-badge&labelColor=555555&logo=rust
//! [docs-rs]: https://img.shields.io/badge/docs.rs-66c2a5?style=for-the-badge&labelColor=555555&logo=docs.rs
//!
//! `postgres_rustls` is a library that adds TLS support to [`tokio_postgres`] using [`tokio_rustls`].
#![cfg_attr(docsrs, feature(doc_cfg))]
#![expect(
    clippy::multiple_crate_versions,
    reason = "dependencies haven't updated to newest crates"
)]
use core::{
    pin::Pin,
    task::{Context, Poll},
};
use sha2::{
    Sha224, Sha256, Sha384, Sha512,
    digest::{Digest as _, OutputSizeUser, generic_array::GenericArray},
};
use std::io::{self, IoSlice};
use tokio::io::{AsyncRead, AsyncWrite, ReadBuf};
#[cfg(feature = "runtime")]
use tokio_postgres::tls::MakeTlsConnect;
use tokio_postgres::tls::{ChannelBinding, TlsConnect as PgTlsConnect, TlsStream as PgTlsStream};
use tokio_rustls::{
    Connect,
    client::TlsStream as RustlsStream,
    rustls::{
        ClientConfig,
        pki_types::{InvalidDnsNameError, ServerName},
    },
};
/// Hash for the leaf certificate provided by the PostgreSQL server.
#[expect(clippy::doc_markdown, reason = "PostgreSQL is correct")]
enum Hash {
    /// SHA-256 hash.
    Sha256(GenericArray<u8, <Sha256 as OutputSizeUser>::OutputSize>),
    /// SHA-384 hash.
    Sha384(GenericArray<u8, <Sha384 as OutputSizeUser>::OutputSize>),
    /// SHA-512 hash.
    Sha512(GenericArray<u8, <Sha512 as OutputSizeUser>::OutputSize>),
    /// SHA-224 hash.
    Sha224(GenericArray<u8, <Sha224 as OutputSizeUser>::OutputSize>),
}
impl From<Hash> for Vec<u8> {
    #[inline]
    fn from(value: Hash) -> Self {
        match value {
            Hash::Sha256(hash) => hash.to_vec(),
            Hash::Sha384(hash) => hash.to_vec(),
            Hash::Sha512(hash) => hash.to_vec(),
            Hash::Sha224(hash) => hash.to_vec(),
        }
    }
}
impl Hash {
    /// Parses `cert` as a DER-encoded X.509 v3 certifcate extracting the signature algorithm and using it to hash
    /// `cert` (based on the underlying hash algorithm of the signature algorithm).
    ///
    /// Note this will return `Some` for certain invalid payloads; however when the payload is a valid
    /// DER-encoded X.509 v3 certificate, then it is guaranteed to produce the correct hash. The idea is that
    /// in the event the leaf certificate is invalid, then it will be rejected by `rustls` anyway thus what
    /// this returns won't matter. We do this for simplicity and performance reasons since it allows us to
    /// avoid parsing the entire certificate and instead _only_ care about the signature algorithm.
    ///
    /// The only signature algorithms supported are the following:
    ///
    /// * id-Ed25519
    /// * ecdsa-with-SHA256
    /// * sha256WithRSAEncryption
    /// * ecdsa-with-SHA384
    /// * sha384WithRSAEncryption
    /// * ecdsa-with-SHA512
    /// * sha512WithRSAEncryption
    /// * ecdsa-with-SHA224
    /// * sha224WithRSAEncryption
    /// * dsa-with-SHA256
    /// * dsa-with-SHA224
    /// * dsa-with-SHA1
    /// * sha1WithRSAEncryption
    ///
    /// More may be added; but for ones that require additional dependencies, they will be hidden behind a feature.
    /// Additionally new ones must be supported by PostgreSQL, `tokio-postgres`, and `rustls`.
    //
    // [RFC 5280 § 4.1](https://www.rfc-editor.org/rfc/rfc5280#section-4.1) describes the ASN.1 format
    // of an X.509 v3 Certificate:
    //
    // ```asn
    // Certificate  ::=  SEQUENCE  {
    //   tbsCertificate       TBSCertificate,
    //   signatureAlgorithm   AlgorithmIdentifier,
    //   signatureValue       BIT STRING  }
    //
    // TBSCertificate  ::=  SEQUENCE  { … }
    //
    // AlgorithmIdentifier  ::=  SEQUENCE  {
    //   algorithm               OBJECT IDENTIFIER,
    //   parameters              ANY DEFINED BY algorithm OPTIONAL  }
    // ```
    //
    // [ITU-T X.690](https://www.itu.int/rec/T-REC-X.690-202102-I/en)
    // describes how DER-encoding works.
    #[expect(
        clippy::arithmetic_side_effects,
        clippy::big_endian_bytes,
        clippy::indexing_slicing,
        reason = "comments justify their correctness"
    )]
    #[expect(clippy::too_many_lines, reason = "inflated by the const slices")]
    #[expect(clippy::doc_markdown, reason = "PostgreSQL is correct")]
    fn from_der_cert(cert: &[u8]) -> Option<Self> {
        /// [RFC 8410 § 9](https://www.rfc-editor.org/rfc/rfc8410#section-9)
        /// defines id-Ed25519 as 1.3.101.112. This is encoded as below per X.690 § 8.19.
        const ED25519: &[u8] = [43, 101, 112].as_slice();
        /// [RFC 5912 § 6](https://www.rfc-editor.org/rfc/rfc5912.html#section-6)
        /// defines ecdsa-with-SHA256 as 1.2.840.10045.4.3.2. This is encoded as
        /// below per X.690 § 8.19.
        const ECDSA_SHA256: &[u8] = [42, 134, 72, 206, 61, 4, 3, 2].as_slice();
        /// [RFC 8017 § Appendix C](https://www.rfc-editor.org/rfc/rfc8017#appendix-C)
        /// defines sha256WithRSAEncryption as 1.2.840.113549.1.1.11. This is encoded as
        /// below per X.690 § 8.19.
        const RSA_SHA256: &[u8] = [42, 134, 72, 134, 247, 13, 1, 1, 11].as_slice();
        /// [RFC 5912 § 6](https://www.rfc-editor.org/rfc/rfc5912.html#section-6)
        /// defines dsa-with-SHA256 as 2.16.840.1.101.3.4.3.2. This is encoded as
        /// below per X.690 § 8.19.
        const DSA_SHA256: &[u8] = [96, 134, 72, 1, 101, 3, 4, 3, 2].as_slice();
        /// [RFC 5912 § 6](https://www.rfc-editor.org/rfc/rfc5912.html#section-6)
        /// defines dsa-with-SHA1 as 1.2.840.10040.4.3. This is encoded as
        /// below per X.690 § 8.19.
        const DSA_SHA1: &[u8] = [42, 134, 72, 206, 56, 4, 3].as_slice();
        /// [RFC 8017 § Appendix C](https://www.rfc-editor.org/rfc/rfc8017#appendix-C)
        /// defines sha1WithRSAEncryption as 1.2.840.113549.1.1.5. This is encoded as
        /// below per X.690 § 8.19.
        const RSA_SHA1: &[u8] = [42, 134, 72, 134, 247, 13, 1, 1, 5].as_slice();
        /// [RFC 5912 § 6](https://www.rfc-editor.org/rfc/rfc5912.html#section-6)
        /// defines ecdsa-with-SHA384 as 1.2.840.10045.4.3.3. This is encoded as
        /// below per X.690 § 8.19.
        const ECDSA_SHA384: &[u8] = [42, 134, 72, 206, 61, 4, 3, 3].as_slice();
        /// [RFC 8017 § Appendix C](https://www.rfc-editor.org/rfc/rfc8017#appendix-C)
        /// defines sha384WithRSAEncryption as 1.2.840.113549.1.1.12. This is encoded as
        /// below per X.690 § 8.19.
        const RSA_SHA384: &[u8] = [42, 134, 72, 134, 247, 13, 1, 1, 12].as_slice();
        /// [RFC 5912 § 6](https://www.rfc-editor.org/rfc/rfc5912.html#section-6)
        /// defines ecdsa-with-SHA512 as 1.2.840.10045.4.3.4. This is encoded as
        /// below per X.690 § 8.19.
        const ECDSA_SHA512: &[u8] = [42, 134, 72, 206, 61, 4, 3, 4].as_slice();
        /// [RFC 8017 § Appendix C](https://www.rfc-editor.org/rfc/rfc8017#appendix-C)
        /// defines sha512WithRSAEncryption as 1.2.840.113549.1.1.13. This is encoded as
        /// below per X.690 § 8.19.
        const RSA_SHA512: &[u8] = [42, 134, 72, 134, 247, 13, 1, 1, 13].as_slice();
        /// [RFC 5912 § 6](https://www.rfc-editor.org/rfc/rfc5912.html#section-6)
        /// defines ecdsa-with-SHA224 as 1.2.840.10045.4.3.1. This is encoded as
        /// below per X.690 § 8.19.
        const ECDSA_SHA224: &[u8] = [42, 134, 72, 206, 61, 4, 3, 1].as_slice();
        /// [RFC 8017 § Appendix C](https://www.rfc-editor.org/rfc/rfc8017#appendix-C)
        /// defines sha224WithRSAEncryption as 1.2.840.113549.1.1.14. This is encoded as
        /// below per X.690 § 8.19.
        const RSA_SHA224: &[u8] = [42, 134, 72, 134, 247, 13, 1, 1, 14].as_slice();
        /// [RFC 5912 § 6](https://www.rfc-editor.org/rfc/rfc5912.html#section-6)
        /// defines dsa-with-SHA224 as 2.16.840.1.101.3.4.3.1. This is encoded as
        /// below per X.690 § 8.19.
        const DSA_SHA224: &[u8] = [96, 134, 72, 1, 101, 3, 4, 3, 1].as_slice();
        // The first octet represents a constructed sequence (i.e., 0x30) and the second octet represents
        // the (possibly encoded) length of the remaining payload.
        cert.split_at_checked(2).and_then(|(cert_seq, cert_rem)| {
            // This won't `panic` since `cert_seq.len() == 2`.
            // This represents the (possibly encoded) length.
            //
            // We don't care about the actual length of the payload. We only care about the number of bytes
            // we need to skip until the (possibly encoded) length of the constructed sequence of
            // tbsCertificate.
            match cert_seq[1] {
                // The length of the payload is represented with this byte; thus we only need to skip
                // the constructed sequence byte (i.e., 0x30) of tbsCertificate.
                ..=127 => Some(1),
                // The length of the payload is invalid since DER-encoded lengths must use the minimum
                // number of bytes possible. The high bit is set iff one or more octets are needed to encode
                // the actual length. The number of octets is represented by the remaining bits; thus this
                // means there are 0 bytes to encode the length, but then it should have been encoded as
                // `0` and not `128`.
                //
                // 255 is not allowed to be used per § 8.1.3.5.
                128 | 255 => None,
                // The remaining bits represent the number of bytes that it takes to encode the length;
                // thus we subtract 128 and add 1 to account for the constructed sequence byte (i.e., 0x30)
                // of tbsCertificate. This is the same as just subtracting 127.
                //
                // Underflow clearly cannot occur since `len` is at least 129.
                len @ 129.. => Some(usize::from(len) - 127),
            }
            .and_then(|skip| {
                cert_rem.get(skip..).and_then(|tbs_rem_with_len| {
                    // Remaining payload starting from the (possibly encoded) length of tbsCertificate.
                    tbs_rem_with_len
                        // Extract the (possibly encoded) length of tbsCertificate.
                        .split_first()
                        .and_then(|(tbs_enc_len, tbs_rem)| {
                            // We need to extract how many bytes make up tbsCertificate that way
                            // we can skip it and get to the (possibly encoded) length of
                            // signatureAlgorithm.
                            match *tbs_enc_len {
                                // tbsCertificate is encoded in `len` bytes. We need to skip that many
                                // bytes taking into account the constructed sequence byte (i.e., 0x30)
                                // of signatureAlgorithm.
                                //
                                // This won't overflow since `len` is at most 127; thus this maxes at 128
                                // which is <= `usize::MAX`.
                                len @ ..=127 => Some(usize::from(len) + 1),
                                // The number of bytes tbsCertificate is encoded in takes 1 byte to encode
                                // We get that one byte since that is how many bytes we need to skip taking
                                // into account the byte and the constructed sequence byte (i.e., 0x30) of
                                // signatureAlgorithm.
                                //
                                // This won't overflow since this maxes at 255 + 2 = 257 <= usize::MAX.
                                129 => tbs_rem.first().map(|len| usize::from(*len) + 2),
                                // The number of bytes tbsCertificate is encoded in takes 2 bytes to encode.
                                // We get the two bytes since that is how many bytes we need to skip.
                                130 => tbs_rem.get(..2).and_then(|enc_len| {
                                    let mut big_endian_len = [0; 2];
                                    // This won't `panic` since `enc_len.len() == 2`.
                                    big_endian_len.copy_from_slice(enc_len);
                                    // Multi-byte lengths are encoded in big-endian.
                                    u16::from_be_bytes(big_endian_len)
                                        // We need to account for the two bytes and the constructed sequence byte
                                        // (i.e., 0x30) of signatureAlgorithm.
                                        .checked_add(3)
                                        // We don't support payloads larger than 65,535 since that is more than
                                        // enough for a single certificate.
                                        .map(usize::from)
                                }),
                                // We arbitrarily cap the size of payloads we accept to simplify decoding.
                                // If this is more than 130, then the payload is at least 16,777,216 bytes
                                // which is obscenely large for a single certificate. 128 is invalid.
                                _ => None,
                            }
                            .and_then(|tbs_len| {
                                tbs_rem.get(tbs_len..).and_then(|alg_rem_with_len| {
                                    // Remaining payload starting from the (possibly encoded) length of
                                    // signatureAlgorithm.
                                    alg_rem_with_len
                                        // Extract the (possibly encoded) length of signatureAlgorithm.
                                        .split_first()
                                        .and_then(|(alg_enc_len, alg_rem)| {
                                            // We need to extract how many bytes make up signatureAlgorithm that way
                                            // we can skip it and get to the (possibly encoded) length of algorithm.
                                            match *alg_enc_len {
                                                // The length of the payload is represented with this byte; thus we
                                                // only need to skip the object identifier byte (i.e., 0x06) of
                                                // algorithm.
                                                ..=127 => Some(1),
                                                // The length of the payload is invalid.
                                                128 | 255 => None,
                                                // The remaining bits represents the number of bytes that it takes to
                                                // encode the length; thus we subtract 128 and add 1 to account for
                                                // the object identifier byte (i.e., 0x06) of algorithm.
                                                // This is the same as just subtracting 127.
                                                //
                                                // Underflow clearly cannot occur since `len` is at least 129.
                                                len @ 129.. => Some(usize::from(len) - 127),
                                            }
                                            .and_then(
                                                |alg_skip| {
                                                    alg_rem.get(alg_skip..).and_then(|oid_rem| {
                                                        // Remaining payload starting from the (possibly encoded)
                                                        // length of algorithm, and we extract the
                                                        // (possibly encoded) length of algorithm.
                                                        oid_rem.split_first().and_then(
                                                            |(oid_enc_len, rem)| {
                                                                // Extract the algorithm.
                                                                // Recall we don't care if the certificate is
                                                                // invalid, and we only support algorithms of
                                                                // length at most 127. As a result, we treat
                                                                // `oid_enc_len` as is.
                                                                rem.get(..usize::from(*oid_enc_len))
                                                                    .and_then(|oid| match oid {
                                                                        ED25519 | ECDSA_SHA256
                                                                        | RSA_SHA256 | DSA_SHA256
                                                                        // [RFC 5929 § 4.1](https://www.rfc-editor.org/rfc/rfc5929#section-4.1)
                                                                        // mandates that SHA-1 based signatures
                                                                        // use SHA-256.
                                                                        | DSA_SHA1 | RSA_SHA1 => {
                                                                            Some(Self::Sha256(
                                                                                Sha256::digest(
                                                                                    cert,
                                                                                ),
                                                                            ))
                                                                        }
                                                                        ECDSA_SHA384
                                                                        | RSA_SHA384 => {
                                                                            Some(Self::Sha384(
                                                                                Sha384::digest(
                                                                                    cert,
                                                                                ),
                                                                            ))
                                                                        }
                                                                        ECDSA_SHA512
                                                                        | RSA_SHA512 => {
                                                                            Some(Self::Sha512(
                                                                                Sha512::digest(
                                                                                    cert,
                                                                                ),
                                                                            ))
                                                                        }
                                                                        ECDSA_SHA224
                                                                        | RSA_SHA224
                                                                        | DSA_SHA224 => {
                                                                            Some(Self::Sha224(
                                                                                Sha224::digest(
                                                                                    cert,
                                                                                ),
                                                                            ))
                                                                        }
                                                                        _ => None,
                                                                    })
                                                            },
                                                        )
                                                    })
                                                },
                                            )
                                        })
                                })
                            })
                        })
                })
            })
        })
    }
}
/// The [`TlsConnector::Stream`] returned from [`TlsConnectorFuture::poll`].
#[derive(Debug)]
pub struct TlsStream<S>(RustlsStream<S>);
impl<S: AsyncRead + AsyncWrite + Unpin> AsyncRead for TlsStream<S> {
    #[inline]
    fn poll_read(
        mut self: Pin<&mut Self>,
        cx: &mut Context<'_>,
        buf: &mut ReadBuf<'_>,
    ) -> Poll<io::Result<()>> {
        Pin::new(&mut self.0).poll_read(cx, buf)
    }
}
impl<S: AsyncRead + AsyncWrite + Unpin> AsyncWrite for TlsStream<S> {
    #[inline]
    fn poll_write(
        mut self: Pin<&mut Self>,
        cx: &mut Context<'_>,
        buf: &[u8],
    ) -> Poll<Result<usize, io::Error>> {
        Pin::new(&mut self.0).poll_write(cx, buf)
    }
    #[inline]
    fn poll_flush(mut self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Result<(), io::Error>> {
        Pin::new(&mut self.0).poll_flush(cx)
    }
    #[inline]
    fn poll_shutdown(
        mut self: Pin<&mut Self>,
        cx: &mut Context<'_>,
    ) -> Poll<Result<(), io::Error>> {
        Pin::new(&mut self.0).poll_shutdown(cx)
    }
    #[inline]
    fn poll_write_vectored(
        mut self: Pin<&mut Self>,
        cx: &mut Context<'_>,
        bufs: &[IoSlice<'_>],
    ) -> Poll<Result<usize, io::Error>> {
        Pin::new(&mut self.0).poll_write_vectored(cx, bufs)
    }
    #[inline]
    fn is_write_vectored(&self) -> bool {
        self.0.is_write_vectored()
    }
}
impl<S: AsyncRead + AsyncWrite + Unpin> PgTlsStream for TlsStream<S> {
    /// Returns the [`ChannelBinding`] based on the X.509 v3 certificate sent from the PostgreSQL server.
    ///
    /// Note when this returns [`ChannelBinding::tls_server_end_point`], it _does not_ mean the certificate
    /// is valid. In certain circumstances, this will return that even for an invalid certificate. This should
    /// not matter since the certificate being invalid will cause the certificate to be rejected anyway. When
    /// the certificate is valid and uses a supported signature algorithm, then this will always return the
    /// correct value.
    ///
    /// The only supported signature algorithms are the following:
    ///
    /// * id-Ed25519
    /// * ecdsa-with-SHA256
    /// * sha256WithRSAEncryption
    /// * ecdsa-with-SHA384
    /// * sha384WithRSAEncryption
    /// * ecdsa-with-SHA512
    /// * sha512WithRSAEncryption
    /// * ecdsa-with-SHA224
    /// * sha224WithRSAEncryption
    /// * dsa-with-SHA256
    /// * dsa-with-SHA224
    /// * dsa-with-SHA1
    /// * sha1WithRSAEncryption
    ///
    /// Note it is strongly recommended that TLS 1.3 be used; thus while signature algorithms that are not
    /// part of TLS 1.3 are supported, you should avoid them.
    /// See [RFC 9266 § 4.2](https://www.rfc-editor.org/rfc/rfc9266#section-4.2).
    /// Additionally some of the supported signature algorithms may not be supported by PostgreSQL
    /// (e.g., id-Ed25519).
    #[expect(clippy::doc_markdown, reason = "PostgreSQL is correct")]
    #[inline]
    fn channel_binding(&self) -> ChannelBinding {
        self.0
            .get_ref()
            .1
            .peer_certificates()
            .and_then(|certs| {
                certs.first().and_then(|fst| {
                    Hash::from_der_cert(fst)
                        .map(|hash| ChannelBinding::tls_server_end_point(hash.into()))
                })
            })
            .unwrap_or_else(ChannelBinding::none)
    }
}
/// [`TlsConnector::Future`] returned from [`TlsConnector::connect`].
#[expect(
    missing_debug_implementations,
    reason = "Connect does not implement Debug, so we don't"
)]
pub struct TlsConnectorFuture<S>(Connect<S>);
impl<S: AsyncRead + AsyncWrite + Unpin> Future for TlsConnectorFuture<S> {
    type Output = io::Result<TlsStream<S>>;
    #[inline]
    fn poll(mut self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Self::Output> {
        Pin::new(&mut self.0).poll(cx).map_ok(TlsStream)
    }
}
/// Connects to the PostgreSQL server.
#[expect(
    missing_debug_implementations,
    reason = "TlsConnector does not implement Debug, so we don't"
)]
#[expect(clippy::doc_markdown, reason = "PostgreSQL is correct")]
pub struct TlsConnector<'domain> {
    /// Used to connect to the PostgreSQL server.
    #[expect(clippy::doc_markdown, reason = "PostgreSQL is correct")]
    connector: tokio_rustls::TlsConnector,
    /// The domain or IP of the PostgreSQL server.
    #[expect(clippy::doc_markdown, reason = "PostgreSQL is correct")]
    dom: ServerName<'domain>,
}
impl<'domain> TlsConnector<'domain> {
    /// Returns `Self` based on `connector` and `domain`.
    ///
    /// # Errors
    ///
    /// Errors iff [`ServerName::try_from`] does when passed `domain`.
    #[expect(single_use_lifetimes, reason = "false positive")]
    #[inline]
    pub fn new<'dom: 'domain>(
        connector: tokio_rustls::TlsConnector,
        domain: &'dom str,
    ) -> Result<Self, InvalidDnsNameError> {
        ServerName::try_from(domain).map(|dom| Self { connector, dom })
    }
}
impl<S: AsyncRead + AsyncWrite + Unpin> PgTlsConnect<S> for TlsConnector<'static> {
    type Stream = TlsStream<S>;
    type Error = io::Error;
    type Future = TlsConnectorFuture<S>;
    #[inline]
    fn connect(self, stream: S) -> Self::Future {
        TlsConnectorFuture(self.connector.connect(self.dom, stream))
    }
}
/// [`MakeTlsConnect`] based on [`tokio_rustls::TlsConnector`].
#[expect(
    missing_debug_implementations,
    reason = "TlsConnector does not implement Debug, so we don't"
)]
#[cfg_attr(docsrs, doc(cfg(feature = "runtime")))]
#[cfg(feature = "runtime")]
#[derive(Clone)]
pub struct MakeTlsConnector(tokio_rustls::TlsConnector);
#[cfg(feature = "runtime")]
impl MakeTlsConnector {
    /// Constructs `Self` based on `connector`.
    #[inline]
    #[must_use]
    pub const fn new(connector: tokio_rustls::TlsConnector) -> Self {
        Self(connector)
    }
}
#[cfg(feature = "runtime")]
impl<S: AsyncRead + AsyncWrite + Unpin> MakeTlsConnect<S> for MakeTlsConnector {
    type Stream = TlsStream<S>;
    type TlsConnect = TlsConnector<'static>;
    type Error = InvalidDnsNameError;
    #[inline]
    fn make_tls_connect(&mut self, domain: &str) -> Result<Self::TlsConnect, Self::Error> {
        ServerName::try_from(domain).map(|dom| TlsConnector {
            connector: self.0.clone(),
            dom: dom.to_owned(),
        })
    }
}
/// Removes any ALPN values and adds the `b"postgresql"` ALPN.
#[inline]
pub fn set_postgresql_alpn(config: &mut ClientConfig) {
    config.alpn_protocols.clear();
    config.alpn_protocols.push(vec![
        b'p', b'o', b's', b't', b'g', b'r', b'e', b's', b'q', b'l',
    ]);
}
#[cfg(test)]
mod tests {
    #[cfg(feature = "runtime")]
    extern crate alloc;
    use super::Hash;
    #[cfg(feature = "runtime")]
    use super::MakeTlsConnector;
    #[cfg(feature = "runtime")]
    use alloc::sync::Arc;
    #[cfg(feature = "runtime")]
    use core::{
        net::{IpAddr, Ipv6Addr},
        time::Duration,
    };
    use sha2::{Digest as _, Sha224, Sha256, Sha384, Sha512};
    #[cfg(feature = "runtime")]
    use std::{fs, io::Error};
    #[cfg(feature = "runtime")]
    use tokio::runtime::Builder;
    #[cfg(feature = "runtime")]
    use tokio_postgres::{
        Config,
        config::{ChannelBinding, LoadBalanceHosts, SslMode, TargetSessionAttrs},
    };
    #[cfg(feature = "runtime")]
    use tokio_rustls::rustls::{
        self, ClientConfig, RootCertStore,
        pki_types::{
            CertificateDer, PrivateKeyDer,
            pem::{Error as PemErr, PemObject as _},
        },
        version::TLS13,
    };
    #[test]
    fn test_parse_ed25519() {
        /// Certificate that uses Ed25519.
        const CERT: &[u8] = [
            48, 130, 1, 125, 48, 130, 1, 47, 160, 3, 2, 1, 2, 2, 1, 29, 48, 5, 6, 3, 43, 101, 112,
            48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 16, 48, 14, 6, 3, 85, 4, 10,
            12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 82, 111,
            111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 48, 52, 56, 48, 53, 90, 23, 13,
            50, 53, 48, 51, 49, 54, 48, 48, 52, 56, 48, 53, 90, 48, 43, 49, 11, 48, 9, 6, 3, 85, 4,
            6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 84, 101, 115, 116, 49, 13,
            48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 42, 48, 5, 6, 3, 43, 101, 112, 3,
            33, 0, 142, 168, 95, 146, 122, 142, 177, 52, 239, 161, 27, 41, 80, 58, 167, 248, 211,
            181, 154, 201, 26, 195, 207, 27, 132, 228, 110, 149, 95, 212, 44, 202, 163, 117, 48,
            115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 238, 12, 127, 172, 94, 237, 69, 62, 240,
            99, 1, 2, 35, 161, 201, 129, 19, 85, 0, 227, 48, 12, 6, 3, 85, 29, 19, 1, 1, 255, 4, 2,
            48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 29, 37, 1, 1,
            255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 35, 4, 24, 48,
            22, 128, 20, 199, 177, 144, 22, 54, 182, 183, 202, 234, 246, 98, 108, 85, 32, 30, 132,
            146, 221, 218, 80, 48, 5, 6, 3, 43, 101, 112, 3, 65, 0, 133, 253, 192, 202, 50, 167,
            57, 5, 246, 17, 58, 232, 188, 41, 147, 232, 35, 206, 147, 181, 0, 139, 95, 3, 24, 139,
            17, 102, 113, 186, 146, 163, 97, 157, 255, 50, 193, 230, 159, 170, 218, 35, 56, 99, 89,
            251, 173, 97, 106, 15, 52, 71, 209, 69, 109, 216, 140, 235, 37, 23, 185, 173, 215, 0,
        ]
        .as_slice();
        assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash {
            Hash::Sha256(ref hash) => *hash == Sha256::digest(CERT),
            _ => false,
        }),);
    }
    #[test]
    fn test_parse_ecdsa_sha256() {
        /// Certificate that uses ECDSA with SHA-256.
        const CERT: &[u8] = [
            48, 130, 1, 189, 48, 130, 1, 99, 160, 3, 2, 1, 2, 2, 1, 27, 48, 10, 6, 8, 42, 134, 72,
            206, 61, 4, 3, 2, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 16, 48, 14,
            6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 3, 85, 4, 3,
            12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 48, 52, 49, 51,
            48, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 48, 52, 49, 51, 48, 90, 48, 43, 49, 11, 48,
            9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 84, 101, 115,
            116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 89, 48, 19, 6, 7,
            42, 134, 72, 206, 61, 2, 1, 6, 8, 42, 134, 72, 206, 61, 3, 1, 7, 3, 66, 0, 4, 195, 27,
            22, 133, 220, 98, 146, 255, 201, 209, 114, 117, 93, 119, 207, 46, 228, 132, 210, 187,
            134, 197, 201, 194, 147, 51, 111, 17, 187, 179, 129, 180, 129, 62, 164, 27, 199, 95,
            59, 16, 167, 134, 233, 53, 127, 194, 187, 144, 193, 106, 100, 37, 104, 219, 164, 155,
            58, 210, 106, 12, 192, 247, 72, 183, 163, 117, 48, 115, 48, 29, 6, 3, 85, 29, 14, 4,
            22, 4, 20, 84, 214, 179, 28, 250, 191, 223, 88, 72, 221, 229, 63, 123, 177, 146, 167,
            224, 18, 24, 0, 48, 12, 6, 3, 85, 29, 19, 1, 1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29,
            15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 29, 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43,
            6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 35, 4, 24, 48, 22, 128, 20, 43, 80, 133,
            205, 3, 144, 105, 186, 141, 39, 47, 176, 39, 123, 149, 250, 100, 138, 233, 225, 48, 10,
            6, 8, 42, 134, 72, 206, 61, 4, 3, 2, 3, 72, 0, 48, 69, 2, 32, 107, 43, 12, 27, 111,
            216, 19, 191, 199, 1, 202, 22, 147, 43, 16, 188, 36, 156, 141, 80, 115, 124, 160, 211,
            19, 123, 41, 216, 94, 19, 236, 0, 2, 33, 0, 164, 138, 200, 40, 159, 245, 38, 70, 207,
            160, 121, 19, 56, 240, 18, 222, 191, 196, 217, 129, 24, 92, 238, 43, 39, 29, 57, 85,
            56, 11, 178, 88,
        ]
        .as_slice();
        assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash {
            Hash::Sha256(ref hash) => *hash == Sha256::digest(CERT),
            _ => false,
        }),);
    }
    #[test]
    fn test_parse_ecdsa_sha384() {
        /// Certificate that uses ECDSA with SHA-384.
        const CERT: &[u8] = [
            48, 130, 1, 218, 48, 130, 1, 128, 160, 3, 2, 1, 2, 2, 1, 25, 48, 10, 6, 8, 42, 134, 72,
            206, 61, 4, 3, 3, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 16, 48, 14,
            6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 3, 85, 4, 3,
            12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 48, 51, 57, 51,
            55, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 48, 51, 57, 51, 55, 90, 48, 43, 49, 11, 48,
            9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 84, 101, 115,
            116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 118, 48, 16, 6, 7,
            42, 134, 72, 206, 61, 2, 1, 6, 5, 43, 129, 4, 0, 34, 3, 98, 0, 4, 246, 106, 156, 228,
            83, 166, 254, 62, 196, 22, 127, 171, 204, 182, 154, 182, 253, 35, 95, 120, 253, 231,
            78, 20, 146, 203, 186, 201, 147, 48, 197, 96, 195, 202, 5, 235, 201, 168, 28, 117, 62,
            47, 121, 211, 58, 67, 32, 96, 129, 15, 215, 172, 135, 222, 180, 101, 196, 18, 41, 107,
            6, 161, 172, 183, 217, 106, 227, 24, 140, 13, 145, 245, 137, 185, 4, 78, 210, 56, 235,
            159, 203, 241, 203, 239, 39, 90, 98, 227, 215, 221, 119, 65, 47, 68, 2, 200, 163, 117,
            48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 88, 91, 22, 70, 200, 54, 182, 100,
            191, 186, 73, 152, 174, 87, 56, 64, 26, 173, 27, 43, 48, 12, 6, 3, 85, 29, 19, 1, 1,
            255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 29,
            37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 35,
            4, 24, 48, 22, 128, 20, 43, 80, 133, 205, 3, 144, 105, 186, 141, 39, 47, 176, 39, 123,
            149, 250, 100, 138, 233, 225, 48, 10, 6, 8, 42, 134, 72, 206, 61, 4, 3, 3, 3, 72, 0,
            48, 69, 2, 33, 0, 210, 47, 45, 107, 132, 43, 161, 65, 132, 15, 148, 184, 203, 125, 234,
            232, 111, 216, 238, 113, 187, 201, 114, 177, 218, 234, 201, 126, 204, 118, 80, 225, 2,
            32, 67, 111, 72, 96, 182, 167, 191, 130, 118, 105, 253, 133, 58, 38, 65, 112, 234, 3,
            23, 77, 182, 0, 195, 80, 181, 65, 76, 243, 4, 145, 200, 255,
        ]
        .as_slice();
        assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash {
            Hash::Sha384(ref hash) => *hash == Sha384::digest(CERT),
            _ => false,
        }),);
    }
    #[test]
    fn test_parse_ecdsa_sha512() {
        /// Certificate that uses ECDSA with SHA-512.
        const CERT: &[u8] = [
            48, 130, 2, 1, 48, 130, 1, 166, 160, 3, 2, 1, 2, 2, 1, 24, 48, 10, 6, 8, 42, 134, 72,
            206, 61, 4, 3, 4, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 16, 48, 14,
            6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 3, 85, 4, 3,
            12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 48, 51, 56, 51,
            54, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 48, 51, 56, 51, 54, 90, 48, 43, 49, 11, 48,
            9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 84, 101, 115,
            116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 129, 155, 48, 16, 6,
            7, 42, 134, 72, 206, 61, 2, 1, 6, 5, 43, 129, 4, 0, 35, 3, 129, 134, 0, 4, 1, 86, 143,
            210, 217, 20, 143, 103, 172, 34, 97, 62, 173, 15, 43, 199, 93, 220, 81, 75, 137, 219,
            111, 217, 127, 6, 8, 115, 160, 121, 146, 138, 64, 110, 14, 193, 98, 164, 226, 208, 89,
            120, 108, 30, 107, 77, 194, 63, 41, 112, 173, 112, 44, 85, 54, 155, 168, 189, 235, 129,
            214, 104, 152, 198, 252, 62, 1, 87, 193, 205, 162, 152, 15, 26, 111, 231, 183, 106,
            145, 29, 251, 188, 148, 239, 192, 53, 186, 34, 13, 104, 231, 85, 127, 17, 67, 54, 116,
            232, 85, 23, 143, 68, 171, 30, 25, 155, 201, 171, 106, 89, 20, 234, 12, 192, 68, 102,
            166, 50, 246, 130, 117, 62, 222, 142, 98, 62, 43, 9, 109, 74, 138, 180, 163, 117, 48,
            115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 148, 160, 104, 250, 171, 155, 48, 171, 13,
            164, 221, 144, 240, 194, 250, 9, 183, 72, 158, 141, 48, 12, 6, 3, 85, 29, 19, 1, 1,
            255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 29,
            37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 35,
            4, 24, 48, 22, 128, 20, 43, 80, 133, 205, 3, 144, 105, 186, 141, 39, 47, 176, 39, 123,
            149, 250, 100, 138, 233, 225, 48, 10, 6, 8, 42, 134, 72, 206, 61, 4, 3, 4, 3, 73, 0,
            48, 70, 2, 33, 0, 179, 24, 50, 50, 127, 141, 167, 197, 29, 35, 234, 81, 215, 112, 233,
            218, 84, 151, 136, 117, 40, 106, 164, 156, 205, 75, 6, 133, 64, 52, 161, 116, 2, 33, 0,
            141, 178, 46, 201, 22, 126, 42, 84, 96, 191, 175, 219, 140, 72, 252, 6, 152, 112, 113,
            232, 38, 101, 11, 215, 20, 143, 22, 199, 38, 237, 179, 108,
        ]
        .as_slice();
        assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash {
            Hash::Sha512(ref hash) => *hash == Sha512::digest(CERT),
            _ => false,
        }),);
    }
    #[test]
    fn test_parse_ecdsa_sha224() {
        /// Certificate that uses ECDSA with SHA-224.
        const CERT: &[u8] = [
            48, 130, 1, 178, 48, 130, 1, 88, 160, 3, 2, 1, 2, 2, 1, 28, 48, 10, 6, 8, 42, 134, 72,
            206, 61, 4, 3, 1, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 16, 48, 14,
            6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 3, 85, 4, 3,
            12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 48, 52, 50, 49,
            52, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 48, 52, 50, 49, 52, 90, 48, 43, 49, 11, 48,
            9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 84, 101, 115,
            116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 78, 48, 16, 6, 7,
            42, 134, 72, 206, 61, 2, 1, 6, 5, 43, 129, 4, 0, 33, 3, 58, 0, 4, 235, 241, 149, 78,
            60, 248, 123, 132, 195, 228, 188, 151, 240, 28, 76, 198, 207, 121, 165, 126, 245, 158,
            214, 232, 69, 198, 114, 117, 86, 137, 15, 86, 40, 171, 27, 36, 8, 43, 190, 138, 193,
            136, 118, 43, 29, 119, 182, 21, 14, 123, 110, 81, 81, 72, 44, 195, 163, 117, 48, 115,
            48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 203, 141, 20, 54, 48, 176, 180, 57, 46, 1, 91,
            221, 116, 154, 205, 81, 187, 184, 24, 211, 48, 12, 6, 3, 85, 29, 19, 1, 1, 255, 4, 2,
            48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 29, 37, 1, 1,
            255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 35, 4, 24, 48,
            22, 128, 20, 43, 80, 133, 205, 3, 144, 105, 186, 141, 39, 47, 176, 39, 123, 149, 250,
            100, 138, 233, 225, 48, 10, 6, 8, 42, 134, 72, 206, 61, 4, 3, 1, 3, 72, 0, 48, 69, 2,
            32, 64, 186, 179, 226, 82, 176, 87, 158, 166, 22, 31, 27, 19, 190, 112, 167, 241, 159,
            33, 198, 60, 70, 68, 120, 19, 63, 33, 244, 236, 240, 216, 181, 2, 33, 0, 252, 183, 115,
            52, 189, 151, 44, 178, 62, 209, 159, 31, 154, 152, 69, 189, 121, 148, 57, 231, 27, 22,
            165, 212, 65, 202, 124, 15, 53, 150, 93, 183,
        ]
        .as_slice();
        assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash {
            Hash::Sha224(ref hash) => *hash == Sha224::digest(CERT),
            _ => false,
        }),);
    }
    #[test]
    fn test_parse_rsa_sha256() {
        /// Certificate that uses RSA with SHA-256.
        const CERT: &[u8] = [
            48, 130, 3, 73, 48, 130, 2, 49, 160, 3, 2, 1, 2, 2, 1, 31, 48, 13, 6, 9, 42, 134, 72,
            134, 247, 13, 1, 1, 11, 5, 0, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49,
            16, 48, 14, 6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6,
            3, 85, 4, 3, 12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 49,
            48, 51, 48, 53, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 49, 48, 51, 48, 53, 90, 48, 43,
            49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4,
            84, 101, 115, 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 130,
            1, 34, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 1, 5, 0, 3, 130, 1, 15, 0, 48,
            130, 1, 10, 2, 130, 1, 1, 0, 157, 28, 83, 190, 61, 252, 154, 205, 112, 191, 153, 197,
            22, 159, 92, 161, 84, 84, 181, 67, 218, 26, 189, 52, 245, 184, 150, 248, 142, 15, 214,
            118, 205, 243, 107, 45, 103, 205, 9, 198, 129, 115, 7, 195, 115, 131, 34, 244, 217, 42,
            234, 170, 84, 41, 128, 49, 81, 175, 208, 42, 100, 168, 44, 145, 226, 11, 98, 245, 83,
            134, 213, 30, 76, 239, 43, 82, 222, 175, 254, 135, 124, 16, 218, 105, 159, 219, 43, 8,
            109, 1, 228, 16, 190, 160, 28, 100, 120, 245, 100, 164, 45, 128, 181, 238, 152, 227,
            50, 63, 162, 191, 4, 173, 210, 254, 31, 141, 66, 193, 237, 20, 92, 34, 13, 74, 135, 80,
            201, 12, 158, 51, 54, 91, 53, 97, 115, 212, 97, 6, 160, 45, 77, 40, 165, 55, 128, 230,
            105, 31, 76, 197, 211, 111, 197, 169, 167, 136, 2, 249, 117, 65, 127, 163, 217, 169,
            151, 97, 209, 194, 179, 203, 81, 58, 52, 66, 11, 184, 172, 97, 70, 124, 125, 151, 159,
            102, 224, 24, 159, 233, 169, 95, 66, 17, 180, 69, 48, 233, 5, 250, 37, 55, 35, 200,
            212, 225, 197, 240, 19, 22, 106, 101, 171, 190, 135, 3, 75, 157, 240, 149, 107, 208,
            94, 58, 244, 204, 105, 9, 32, 203, 162, 194, 39, 12, 97, 16, 153, 236, 60, 93, 24, 252,
            103, 231, 164, 19, 55, 233, 181, 103, 135, 187, 40, 202, 210, 125, 88, 73, 2, 3, 1, 0,
            1, 163, 117, 48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 91, 156, 56, 249, 82, 5,
            5, 2, 2, 21, 57, 237, 90, 8, 188, 55, 139, 113, 229, 132, 48, 12, 6, 3, 85, 29, 19, 1,
            1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85,
            29, 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29,
            35, 4, 24, 48, 22, 128, 20, 96, 178, 34, 145, 205, 104, 56, 196, 211, 241, 34, 247,
            125, 194, 215, 110, 191, 133, 151, 15, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1,
            11, 5, 0, 3, 130, 1, 1, 0, 28, 109, 109, 197, 99, 197, 36, 180, 154, 215, 173, 215, 24,
            94, 47, 218, 147, 163, 179, 123, 248, 3, 144, 109, 173, 207, 49, 113, 249, 188, 31,
            178, 16, 88, 88, 56, 11, 86, 127, 193, 23, 165, 65, 190, 84, 170, 156, 190, 52, 87,
            119, 213, 106, 184, 11, 204, 151, 148, 205, 100, 233, 46, 170, 45, 161, 100, 58, 46,
            105, 25, 150, 78, 146, 41, 100, 125, 203, 214, 238, 104, 251, 25, 183, 66, 102, 241,
            110, 56, 55, 205, 122, 234, 205, 90, 91, 247, 143, 129, 217, 6, 190, 120, 18, 190, 11,
            121, 207, 142, 170, 57, 236, 243, 113, 53, 167, 188, 26, 134, 175, 107, 195, 48, 119,
            78, 117, 157, 104, 247, 65, 122, 153, 234, 166, 88, 142, 228, 25, 120, 243, 51, 111, 8,
            43, 199, 255, 162, 186, 18, 64, 54, 96, 44, 138, 144, 237, 89, 176, 189, 245, 194, 96,
            232, 196, 0, 50, 51, 98, 32, 163, 177, 130, 113, 41, 116, 33, 40, 190, 111, 79, 108,
            107, 159, 65, 87, 222, 173, 170, 39, 29, 97, 240, 107, 130, 101, 247, 123, 85, 123,
            247, 221, 89, 159, 114, 157, 35, 153, 22, 127, 149, 224, 158, 236, 4, 137, 193, 135,
            136, 97, 222, 83, 232, 205, 148, 127, 139, 78, 220, 10, 183, 139, 205, 190, 181, 36,
            61, 155, 88, 163, 50, 120, 153, 41, 182, 75, 219, 95, 25, 40, 229, 106, 87, 215, 77,
            50, 219, 97,
        ]
        .as_slice();
        assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash {
            Hash::Sha256(ref hash) => *hash == Sha256::digest(CERT),
            _ => false,
        }),);
    }
    #[test]
    fn test_parse_rsa_sha384() {
        /// Certificate that uses RSA with SHA-384.
        const CERT: &[u8] = [
            48, 130, 3, 73, 48, 130, 2, 49, 160, 3, 2, 1, 2, 2, 1, 32, 48, 13, 6, 9, 42, 134, 72,
            134, 247, 13, 1, 1, 12, 5, 0, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49,
            16, 48, 14, 6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6,
            3, 85, 4, 3, 12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 49,
            48, 53, 52, 54, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 49, 48, 53, 52, 54, 90, 48, 43,
            49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4,
            84, 101, 115, 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 130,
            1, 34, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 1, 5, 0, 3, 130, 1, 15, 0, 48,
            130, 1, 10, 2, 130, 1, 1, 0, 157, 28, 83, 190, 61, 252, 154, 205, 112, 191, 153, 197,
            22, 159, 92, 161, 84, 84, 181, 67, 218, 26, 189, 52, 245, 184, 150, 248, 142, 15, 214,
            118, 205, 243, 107, 45, 103, 205, 9, 198, 129, 115, 7, 195, 115, 131, 34, 244, 217, 42,
            234, 170, 84, 41, 128, 49, 81, 175, 208, 42, 100, 168, 44, 145, 226, 11, 98, 245, 83,
            134, 213, 30, 76, 239, 43, 82, 222, 175, 254, 135, 124, 16, 218, 105, 159, 219, 43, 8,
            109, 1, 228, 16, 190, 160, 28, 100, 120, 245, 100, 164, 45, 128, 181, 238, 152, 227,
            50, 63, 162, 191, 4, 173, 210, 254, 31, 141, 66, 193, 237, 20, 92, 34, 13, 74, 135, 80,
            201, 12, 158, 51, 54, 91, 53, 97, 115, 212, 97, 6, 160, 45, 77, 40, 165, 55, 128, 230,
            105, 31, 76, 197, 211, 111, 197, 169, 167, 136, 2, 249, 117, 65, 127, 163, 217, 169,
            151, 97, 209, 194, 179, 203, 81, 58, 52, 66, 11, 184, 172, 97, 70, 124, 125, 151, 159,
            102, 224, 24, 159, 233, 169, 95, 66, 17, 180, 69, 48, 233, 5, 250, 37, 55, 35, 200,
            212, 225, 197, 240, 19, 22, 106, 101, 171, 190, 135, 3, 75, 157, 240, 149, 107, 208,
            94, 58, 244, 204, 105, 9, 32, 203, 162, 194, 39, 12, 97, 16, 153, 236, 60, 93, 24, 252,
            103, 231, 164, 19, 55, 233, 181, 103, 135, 187, 40, 202, 210, 125, 88, 73, 2, 3, 1, 0,
            1, 163, 117, 48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 91, 156, 56, 249, 82, 5,
            5, 2, 2, 21, 57, 237, 90, 8, 188, 55, 139, 113, 229, 132, 48, 12, 6, 3, 85, 29, 19, 1,
            1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85,
            29, 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29,
            35, 4, 24, 48, 22, 128, 20, 96, 178, 34, 145, 205, 104, 56, 196, 211, 241, 34, 247,
            125, 194, 215, 110, 191, 133, 151, 15, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1,
            12, 5, 0, 3, 130, 1, 1, 0, 135, 249, 101, 184, 225, 162, 164, 193, 23, 81, 98, 221,
            134, 87, 34, 94, 229, 131, 221, 17, 38, 61, 156, 200, 113, 94, 244, 188, 226, 84, 74,
            96, 205, 237, 230, 242, 168, 238, 178, 133, 68, 188, 80, 244, 60, 42, 169, 54, 66, 79,
            104, 66, 251, 27, 240, 108, 16, 46, 175, 62, 240, 194, 7, 181, 238, 211, 118, 149, 150,
            46, 97, 39, 28, 173, 225, 49, 73, 206, 147, 101, 12, 192, 218, 119, 208, 73, 20, 208,
            229, 216, 133, 213, 28, 165, 70, 20, 158, 114, 223, 40, 121, 13, 236, 218, 165, 237,
            164, 196, 94, 80, 120, 49, 212, 241, 213, 197, 201, 104, 67, 223, 130, 148, 197, 251,
            199, 167, 6, 89, 146, 139, 141, 32, 78, 72, 190, 146, 94, 251, 208, 47, 118, 173, 111,
            92, 241, 102, 26, 233, 145, 46, 220, 230, 5, 147, 220, 92, 240, 133, 24, 192, 71, 49,
            252, 84, 163, 132, 34, 139, 12, 106, 4, 189, 151, 37, 34, 123, 26, 42, 84, 46, 232, 14,
            129, 101, 84, 26, 25, 219, 11, 115, 214, 106, 12, 75, 199, 248, 218, 239, 209, 32, 159,
            40, 192, 11, 2, 175, 51, 232, 20, 8, 72, 188, 184, 177, 22, 251, 238, 42, 74, 21, 25,
            93, 77, 184, 5, 207, 101, 98, 60, 214, 173, 169, 56, 54, 211, 167, 55, 34, 14, 184, 25,
            4, 170, 108, 94, 110, 27, 45, 11, 22, 61, 130, 63, 214, 168, 72,
        ]
        .as_slice();
        assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash {
            Hash::Sha384(ref hash) => *hash == Sha384::digest(CERT),
            _ => false,
        }),);
    }
    #[test]
    fn test_parse_rsa_sha512() {
        /// Certificate that uses RSA with SHA-512.
        const CERT: &[u8] = [
            48, 130, 3, 73, 48, 130, 2, 49, 160, 3, 2, 1, 2, 2, 1, 33, 48, 13, 6, 9, 42, 134, 72,
            134, 247, 13, 1, 1, 13, 5, 0, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49,
            16, 48, 14, 6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6,
            3, 85, 4, 3, 12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 49,
            48, 54, 52, 53, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 49, 48, 54, 52, 53, 90, 48, 43,
            49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4,
            84, 101, 115, 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 130,
            1, 34, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 1, 5, 0, 3, 130, 1, 15, 0, 48,
            130, 1, 10, 2, 130, 1, 1, 0, 157, 28, 83, 190, 61, 252, 154, 205, 112, 191, 153, 197,
            22, 159, 92, 161, 84, 84, 181, 67, 218, 26, 189, 52, 245, 184, 150, 248, 142, 15, 214,
            118, 205, 243, 107, 45, 103, 205, 9, 198, 129, 115, 7, 195, 115, 131, 34, 244, 217, 42,
            234, 170, 84, 41, 128, 49, 81, 175, 208, 42, 100, 168, 44, 145, 226, 11, 98, 245, 83,
            134, 213, 30, 76, 239, 43, 82, 222, 175, 254, 135, 124, 16, 218, 105, 159, 219, 43, 8,
            109, 1, 228, 16, 190, 160, 28, 100, 120, 245, 100, 164, 45, 128, 181, 238, 152, 227,
            50, 63, 162, 191, 4, 173, 210, 254, 31, 141, 66, 193, 237, 20, 92, 34, 13, 74, 135, 80,
            201, 12, 158, 51, 54, 91, 53, 97, 115, 212, 97, 6, 160, 45, 77, 40, 165, 55, 128, 230,
            105, 31, 76, 197, 211, 111, 197, 169, 167, 136, 2, 249, 117, 65, 127, 163, 217, 169,
            151, 97, 209, 194, 179, 203, 81, 58, 52, 66, 11, 184, 172, 97, 70, 124, 125, 151, 159,
            102, 224, 24, 159, 233, 169, 95, 66, 17, 180, 69, 48, 233, 5, 250, 37, 55, 35, 200,
            212, 225, 197, 240, 19, 22, 106, 101, 171, 190, 135, 3, 75, 157, 240, 149, 107, 208,
            94, 58, 244, 204, 105, 9, 32, 203, 162, 194, 39, 12, 97, 16, 153, 236, 60, 93, 24, 252,
            103, 231, 164, 19, 55, 233, 181, 103, 135, 187, 40, 202, 210, 125, 88, 73, 2, 3, 1, 0,
            1, 163, 117, 48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 91, 156, 56, 249, 82, 5,
            5, 2, 2, 21, 57, 237, 90, 8, 188, 55, 139, 113, 229, 132, 48, 12, 6, 3, 85, 29, 19, 1,
            1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85,
            29, 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29,
            35, 4, 24, 48, 22, 128, 20, 96, 178, 34, 145, 205, 104, 56, 196, 211, 241, 34, 247,
            125, 194, 215, 110, 191, 133, 151, 15, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1,
            13, 5, 0, 3, 130, 1, 1, 0, 106, 7, 136, 82, 232, 55, 0, 98, 9, 211, 201, 57, 239, 67,
            167, 139, 225, 164, 231, 255, 10, 52, 47, 234, 254, 75, 239, 241, 39, 6, 226, 209, 210,
            169, 200, 32, 255, 83, 159, 23, 146, 9, 109, 173, 236, 216, 253, 199, 229, 23, 227, 33,
            56, 98, 109, 59, 2, 167, 29, 118, 251, 82, 193, 39, 244, 191, 166, 194, 160, 105, 197,
            190, 213, 141, 193, 50, 45, 245, 163, 229, 116, 221, 29, 194, 91, 198, 187, 21, 224,
            95, 17, 203, 148, 160, 4, 15, 54, 249, 69, 12, 18, 25, 58, 190, 205, 44, 157, 184, 1,
            25, 64, 219, 237, 196, 33, 101, 255, 146, 232, 112, 247, 214, 174, 252, 152, 146, 142,
            231, 81, 35, 240, 216, 98, 136, 65, 179, 237, 207, 229, 198, 72, 175, 244, 31, 126,
            106, 107, 100, 200, 81, 227, 41, 61, 26, 122, 226, 121, 219, 131, 212, 206, 238, 14,
            210, 70, 60, 107, 115, 214, 67, 180, 133, 157, 114, 138, 63, 249, 71, 235, 41, 246, 14,
            14, 4, 254, 208, 215, 111, 196, 248, 117, 61, 44, 67, 185, 11, 132, 10, 188, 220, 110,
            78, 61, 171, 88, 172, 161, 1, 223, 52, 75, 101, 55, 249, 125, 178, 141, 127, 0, 246,
            176, 34, 120, 93, 214, 37, 210, 148, 217, 149, 255, 63, 32, 58, 8, 71, 179, 62, 119,
            14, 47, 191, 207, 137, 22, 255, 21, 71, 46, 42, 176, 31, 206, 146, 248, 105,
        ]
        .as_slice();
        assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash {
            Hash::Sha512(ref hash) => *hash == Sha512::digest(CERT),
            _ => false,
        }),);
    }
    #[test]
    fn test_parse_rsa_sha224() {
        /// Certificate that uses RSA with SHA-224.
        const CERT: &[u8] = [
            48, 130, 3, 73, 48, 130, 2, 49, 160, 3, 2, 1, 2, 2, 1, 30, 48, 13, 6, 9, 42, 134, 72,
            134, 247, 13, 1, 1, 14, 5, 0, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49,
            16, 48, 14, 6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6,
            3, 85, 4, 3, 12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 48,
            53, 57, 50, 56, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 48, 53, 57, 50, 56, 90, 48, 43,
            49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4,
            84, 101, 115, 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 130,
            1, 34, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 1, 5, 0, 3, 130, 1, 15, 0, 48,
            130, 1, 10, 2, 130, 1, 1, 0, 157, 28, 83, 190, 61, 252, 154, 205, 112, 191, 153, 197,
            22, 159, 92, 161, 84, 84, 181, 67, 218, 26, 189, 52, 245, 184, 150, 248, 142, 15, 214,
            118, 205, 243, 107, 45, 103, 205, 9, 198, 129, 115, 7, 195, 115, 131, 34, 244, 217, 42,
            234, 170, 84, 41, 128, 49, 81, 175, 208, 42, 100, 168, 44, 145, 226, 11, 98, 245, 83,
            134, 213, 30, 76, 239, 43, 82, 222, 175, 254, 135, 124, 16, 218, 105, 159, 219, 43, 8,
            109, 1, 228, 16, 190, 160, 28, 100, 120, 245, 100, 164, 45, 128, 181, 238, 152, 227,
            50, 63, 162, 191, 4, 173, 210, 254, 31, 141, 66, 193, 237, 20, 92, 34, 13, 74, 135, 80,
            201, 12, 158, 51, 54, 91, 53, 97, 115, 212, 97, 6, 160, 45, 77, 40, 165, 55, 128, 230,
            105, 31, 76, 197, 211, 111, 197, 169, 167, 136, 2, 249, 117, 65, 127, 163, 217, 169,
            151, 97, 209, 194, 179, 203, 81, 58, 52, 66, 11, 184, 172, 97, 70, 124, 125, 151, 159,
            102, 224, 24, 159, 233, 169, 95, 66, 17, 180, 69, 48, 233, 5, 250, 37, 55, 35, 200,
            212, 225, 197, 240, 19, 22, 106, 101, 171, 190, 135, 3, 75, 157, 240, 149, 107, 208,
            94, 58, 244, 204, 105, 9, 32, 203, 162, 194, 39, 12, 97, 16, 153, 236, 60, 93, 24, 252,
            103, 231, 164, 19, 55, 233, 181, 103, 135, 187, 40, 202, 210, 125, 88, 73, 2, 3, 1, 0,
            1, 163, 117, 48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 91, 156, 56, 249, 82, 5,
            5, 2, 2, 21, 57, 237, 90, 8, 188, 55, 139, 113, 229, 132, 48, 12, 6, 3, 85, 29, 19, 1,
            1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85,
            29, 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29,
            35, 4, 24, 48, 22, 128, 20, 96, 178, 34, 145, 205, 104, 56, 196, 211, 241, 34, 247,
            125, 194, 215, 110, 191, 133, 151, 15, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1,
            14, 5, 0, 3, 130, 1, 1, 0, 122, 121, 0, 201, 250, 195, 66, 213, 60, 117, 213, 188, 93,
            193, 88, 130, 241, 219, 111, 238, 109, 38, 220, 131, 164, 12, 135, 169, 58, 140, 214,
            211, 93, 51, 204, 242, 10, 119, 123, 23, 69, 67, 135, 151, 245, 23, 144, 61, 233, 229,
            122, 189, 111, 89, 190, 100, 251, 86, 185, 246, 40, 121, 190, 192, 199, 119, 232, 209,
            202, 23, 20, 46, 48, 235, 175, 240, 225, 106, 6, 24, 239, 172, 51, 196, 63, 189, 210,
            167, 244, 87, 245, 193, 130, 33, 171, 165, 117, 180, 25, 250, 21, 6, 208, 124, 254, 64,
            180, 50, 124, 234, 179, 121, 183, 0, 71, 118, 28, 115, 86, 117, 60, 96, 164, 33, 54, 1,
            86, 234, 132, 146, 156, 221, 52, 28, 39, 237, 128, 75, 157, 169, 203, 26, 48, 74, 4,
            129, 162, 139, 235, 16, 74, 236, 151, 0, 150, 234, 246, 204, 180, 240, 31, 92, 129, 51,
            221, 118, 10, 192, 140, 32, 33, 21, 223, 113, 35, 86, 47, 236, 159, 252, 52, 185, 41,
            151, 56, 126, 251, 165, 126, 214, 27, 213, 169, 211, 174, 26, 55, 21, 11, 187, 189, 96,
            67, 141, 124, 178, 51, 37, 80, 17, 220, 210, 193, 243, 127, 46, 82, 75, 172, 187, 156,
            222, 186, 3, 13, 194, 104, 234, 131, 96, 99, 34, 1, 61, 149, 219, 33, 227, 34, 215,
            211, 82, 106, 57, 61, 185, 178, 1, 191, 14, 196, 52, 5, 38, 27, 232,
        ]
        .as_slice();
        assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash {
            Hash::Sha224(ref hash) => *hash == Sha224::digest(CERT),
            _ => false,
        }),);
    }
    #[test]
    fn test_parse_rsa_sha1() {
        /// Certificate that uses RSA with SHA-1.
        const CERT: &[u8] = [
            48, 130, 3, 73, 48, 130, 2, 49, 160, 3, 2, 1, 2, 2, 1, 34, 48, 13, 6, 9, 42, 134, 72,
            134, 247, 13, 1, 1, 5, 5, 0, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49,
            16, 48, 14, 6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6,
            3, 85, 4, 3, 12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 49,
            48, 57, 50, 56, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 49, 48, 57, 50, 56, 90, 48, 43,
            49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4,
            84, 101, 115, 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 130,
            1, 34, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 1, 5, 0, 3, 130, 1, 15, 0, 48,
            130, 1, 10, 2, 130, 1, 1, 0, 157, 28, 83, 190, 61, 252, 154, 205, 112, 191, 153, 197,
            22, 159, 92, 161, 84, 84, 181, 67, 218, 26, 189, 52, 245, 184, 150, 248, 142, 15, 214,
            118, 205, 243, 107, 45, 103, 205, 9, 198, 129, 115, 7, 195, 115, 131, 34, 244, 217, 42,
            234, 170, 84, 41, 128, 49, 81, 175, 208, 42, 100, 168, 44, 145, 226, 11, 98, 245, 83,
            134, 213, 30, 76, 239, 43, 82, 222, 175, 254, 135, 124, 16, 218, 105, 159, 219, 43, 8,
            109, 1, 228, 16, 190, 160, 28, 100, 120, 245, 100, 164, 45, 128, 181, 238, 152, 227,
            50, 63, 162, 191, 4, 173, 210, 254, 31, 141, 66, 193, 237, 20, 92, 34, 13, 74, 135, 80,
            201, 12, 158, 51, 54, 91, 53, 97, 115, 212, 97, 6, 160, 45, 77, 40, 165, 55, 128, 230,
            105, 31, 76, 197, 211, 111, 197, 169, 167, 136, 2, 249, 117, 65, 127, 163, 217, 169,
            151, 97, 209, 194, 179, 203, 81, 58, 52, 66, 11, 184, 172, 97, 70, 124, 125, 151, 159,
            102, 224, 24, 159, 233, 169, 95, 66, 17, 180, 69, 48, 233, 5, 250, 37, 55, 35, 200,
            212, 225, 197, 240, 19, 22, 106, 101, 171, 190, 135, 3, 75, 157, 240, 149, 107, 208,
            94, 58, 244, 204, 105, 9, 32, 203, 162, 194, 39, 12, 97, 16, 153, 236, 60, 93, 24, 252,
            103, 231, 164, 19, 55, 233, 181, 103, 135, 187, 40, 202, 210, 125, 88, 73, 2, 3, 1, 0,
            1, 163, 117, 48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 91, 156, 56, 249, 82, 5,
            5, 2, 2, 21, 57, 237, 90, 8, 188, 55, 139, 113, 229, 132, 48, 12, 6, 3, 85, 29, 19, 1,
            1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85,
            29, 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29,
            35, 4, 24, 48, 22, 128, 20, 96, 178, 34, 145, 205, 104, 56, 196, 211, 241, 34, 247,
            125, 194, 215, 110, 191, 133, 151, 15, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1,
            5, 5, 0, 3, 130, 1, 1, 0, 12, 93, 61, 154, 152, 205, 44, 219, 157, 214, 4, 162, 93, 85,
            60, 231, 231, 206, 193, 160, 133, 28, 61, 113, 102, 120, 137, 120, 175, 11, 244, 113,
            217, 81, 151, 123, 210, 108, 156, 145, 99, 158, 104, 10, 25, 129, 95, 128, 140, 44,
            153, 65, 175, 32, 37, 189, 186, 43, 101, 153, 98, 160, 95, 13, 154, 86, 221, 99, 210,
            157, 25, 41, 98, 79, 252, 2, 8, 221, 120, 71, 54, 221, 34, 180, 109, 181, 185, 58, 2,
            119, 167, 50, 172, 167, 192, 136, 24, 227, 40, 211, 18, 98, 2, 175, 174, 42, 100, 136,
            83, 116, 7, 50, 50, 215, 164, 90, 49, 231, 106, 240, 246, 95, 236, 60, 198, 97, 200,
            140, 23, 168, 183, 174, 132, 39, 251, 61, 112, 226, 66, 68, 16, 23, 213, 129, 86, 196,
            248, 82, 141, 82, 107, 246, 224, 37, 94, 95, 134, 139, 75, 15, 70, 54, 47, 80, 19, 143,
            48, 171, 113, 130, 226, 180, 39, 18, 44, 117, 113, 196, 20, 11, 82, 174, 251, 197, 216,
            152, 229, 188, 148, 191, 165, 149, 50, 127, 172, 111, 95, 194, 63, 238, 112, 154, 85,
            98, 18, 236, 13, 123, 232, 90, 47, 180, 36, 148, 77, 192, 45, 113, 150, 10, 254, 99, 0,
            30, 87, 80, 22, 61, 78, 66, 180, 251, 220, 8, 78, 175, 251, 27, 201, 79, 197, 45, 127,
            143, 163, 7, 252, 246, 45, 127, 87, 224, 125, 175, 245, 115,
        ]
        .as_slice();
        assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash {
            Hash::Sha256(ref hash) => *hash == Sha256::digest(CERT),
            _ => false,
        }),);
    }
    #[test]
    fn test_parse_dsa_sha256() {
        /// Certificate that uses DSA with SHA-256.
        const CERT: &[u8] = [
            48, 130, 4, 162, 48, 130, 4, 79, 160, 3, 2, 1, 2, 2, 1, 37, 48, 11, 6, 9, 96, 134, 72,
            1, 101, 3, 4, 3, 2, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 16, 48,
            14, 6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 3, 85, 4,
            3, 12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 49, 50, 51,
            48, 51, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 49, 50, 51, 48, 51, 90, 48, 43, 49, 11,
            48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 84, 101,
            115, 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 130, 3, 66, 48,
            130, 2, 53, 6, 7, 42, 134, 72, 206, 56, 4, 1, 48, 130, 2, 40, 2, 130, 1, 1, 0, 172, 11,
            194, 123, 239, 38, 183, 160, 91, 74, 179, 251, 72, 80, 38, 223, 195, 46, 238, 2, 67,
            45, 138, 58, 62, 57, 85, 203, 148, 194, 164, 178, 195, 150, 29, 93, 245, 157, 225, 189,
            125, 209, 186, 83, 234, 14, 179, 116, 156, 216, 112, 205, 152, 26, 168, 175, 111, 106,
            249, 235, 49, 40, 246, 31, 152, 214, 59, 117, 64, 109, 28, 167, 222, 155, 132, 192,
            180, 240, 8, 80, 209, 209, 119, 53, 165, 51, 189, 18, 158, 176, 171, 45, 160, 54, 8,
            75, 146, 92, 245, 202, 188, 144, 36, 156, 127, 140, 220, 144, 56, 95, 38, 112, 44, 221,
            159, 9, 159, 189, 153, 150, 88, 84, 73, 138, 6, 73, 141, 17, 28, 110, 159, 141, 21,
            232, 13, 90, 130, 251, 177, 168, 242, 201, 222, 138, 182, 233, 142, 229, 24, 47, 186,
            56, 245, 177, 250, 253, 2, 11, 115, 29, 6, 156, 168, 117, 22, 15, 152, 183, 137, 25,
            188, 24, 22, 120, 195, 17, 97, 16, 85, 234, 95, 53, 156, 244, 146, 53, 183, 235, 71,
            24, 163, 139, 70, 227, 235, 154, 229, 210, 144, 81, 231, 161, 120, 117, 182, 245, 175,
            25, 252, 21, 153, 130, 211, 180, 209, 164, 34, 248, 167, 8, 98, 181, 69, 52, 74, 120,
            227, 165, 16, 172, 42, 107, 248, 42, 225, 46, 80, 11, 117, 92, 225, 27, 86, 4, 226, 29,
            85, 105, 208, 193, 120, 112, 39, 226, 20, 141, 2, 29, 0, 186, 229, 13, 141, 5, 89, 173,
            164, 148, 130, 205, 229, 23, 44, 125, 234, 49, 240, 196, 213, 6, 31, 233, 8, 99, 80,
            166, 239, 2, 130, 1, 0, 106, 152, 3, 177, 77, 235, 201, 25, 36, 150, 146, 246, 50, 67,
            97, 96, 245, 207, 14, 200, 60, 16, 229, 114, 211, 111, 193, 226, 252, 153, 176, 159,
            198, 41, 133, 157, 197, 38, 112, 217, 9, 205, 13, 85, 170, 94, 89, 60, 214, 117, 182,
            163, 81, 138, 122, 250, 48, 98, 43, 60, 186, 203, 147, 60, 74, 110, 89, 216, 73, 4,
            191, 1, 158, 174, 98, 201, 184, 25, 162, 239, 244, 139, 154, 173, 108, 135, 124, 166,
            152, 88, 237, 68, 145, 252, 33, 40, 237, 57, 53, 155, 215, 56, 12, 202, 22, 225, 7, 89,
            24, 245, 195, 164, 36, 172, 98, 26, 115, 10, 71, 27, 21, 255, 62, 212, 202, 71, 147,
            229, 6, 181, 19, 107, 136, 223, 239, 164, 243, 254, 101, 208, 122, 226, 150, 17, 251,
            218, 85, 169, 81, 177, 7, 190, 171, 230, 26, 149, 183, 181, 113, 140, 252, 212, 172,
            154, 200, 118, 69, 156, 108, 144, 11, 201, 135, 175, 19, 201, 116, 9, 80, 20, 19, 89,
            151, 198, 204, 253, 10, 155, 101, 159, 81, 190, 174, 58, 220, 250, 220, 212, 42, 111,
            33, 204, 114, 7, 30, 153, 73, 248, 209, 114, 36, 225, 6, 47, 106, 45, 226, 254, 175,
            201, 138, 254, 121, 184, 19, 143, 48, 67, 179, 99, 250, 189, 237, 58, 249, 194, 167,
            149, 162, 219, 27, 53, 67, 135, 193, 204, 253, 176, 245, 2, 211, 58, 176, 69, 14, 186,
            3, 130, 1, 5, 0, 2, 130, 1, 0, 97, 40, 15, 97, 210, 23, 118, 85, 75, 191, 251, 126,
            171, 47, 188, 57, 40, 41, 85, 48, 206, 169, 253, 233, 146, 161, 39, 232, 242, 19, 219,
            191, 172, 82, 78, 132, 153, 238, 120, 228, 99, 199, 197, 181, 74, 191, 123, 189, 80,
            203, 219, 50, 184, 193, 49, 160, 9, 41, 167, 133, 33, 151, 52, 196, 61, 29, 102, 233,
            163, 249, 121, 248, 55, 144, 215, 55, 89, 142, 137, 249, 67, 112, 167, 42, 255, 67, 56,
            179, 106, 187, 79, 87, 54, 118, 186, 154, 48, 150, 204, 222, 102, 135, 254, 202, 9,
            166, 229, 176, 130, 37, 174, 139, 240, 43, 134, 75, 141, 35, 163, 203, 71, 153, 217,
            71, 181, 79, 35, 114, 55, 124, 20, 55, 110, 112, 223, 109, 239, 183, 210, 141, 59, 88,
            47, 40, 167, 154, 90, 99, 250, 146, 29, 226, 10, 70, 103, 246, 209, 36, 174, 177, 164,
            244, 126, 153, 106, 156, 92, 143, 140, 46, 49, 184, 125, 160, 246, 145, 178, 94, 11,
            153, 128, 59, 210, 11, 210, 42, 3, 138, 136, 147, 115, 96, 190, 68, 128, 25, 47, 26,
            231, 183, 247, 89, 28, 67, 220, 235, 88, 4, 228, 140, 148, 10, 98, 104, 101, 60, 115,
            39, 219, 183, 111, 62, 93, 133, 141, 219, 252, 51, 66, 224, 115, 158, 85, 46, 13, 171,
            31, 5, 210, 83, 68, 61, 92, 87, 241, 1, 215, 144, 233, 243, 68, 238, 197, 62, 54, 68,
            163, 117, 48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 153, 40, 244, 111, 22, 53,
            83, 33, 46, 24, 242, 81, 89, 121, 91, 97, 190, 144, 138, 150, 48, 12, 6, 3, 85, 29, 19,
            1, 1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85,
            29, 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29,
            35, 4, 24, 48, 22, 128, 20, 230, 93, 24, 66, 42, 224, 216, 63, 210, 30, 74, 173, 48,
            16, 195, 8, 166, 231, 232, 253, 48, 11, 6, 9, 96, 134, 72, 1, 101, 3, 4, 3, 2, 3, 64,
            0, 48, 61, 2, 28, 116, 130, 114, 201, 119, 192, 122, 114, 52, 255, 182, 233, 56, 153,
            169, 135, 12, 49, 236, 107, 72, 244, 178, 174, 32, 27, 13, 226, 2, 29, 0, 170, 35, 77,
            179, 10, 59, 85, 118, 124, 99, 48, 21, 125, 235, 57, 27, 60, 222, 102, 120, 20, 16,
            148, 80, 118, 28, 75, 176,
        ]
        .as_slice();
        assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash {
            Hash::Sha256(ref hash) => *hash == Sha256::digest(CERT),
            _ => false,
        }),);
    }
    #[test]
    fn test_parse_dsa_sha224() {
        /// Certificate that uses DSA with SHA-224.
        const CERT: &[u8] = [
            48, 130, 4, 163, 48, 130, 4, 79, 160, 3, 2, 1, 2, 2, 1, 36, 48, 11, 6, 9, 96, 134, 72,
            1, 101, 3, 4, 3, 1, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 16, 48,
            14, 6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 3, 85, 4,
            3, 12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 49, 50, 50,
            50, 53, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 49, 50, 50, 50, 53, 90, 48, 43, 49, 11,
            48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 84, 101,
            115, 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 130, 3, 66, 48,
            130, 2, 53, 6, 7, 42, 134, 72, 206, 56, 4, 1, 48, 130, 2, 40, 2, 130, 1, 1, 0, 172, 11,
            194, 123, 239, 38, 183, 160, 91, 74, 179, 251, 72, 80, 38, 223, 195, 46, 238, 2, 67,
            45, 138, 58, 62, 57, 85, 203, 148, 194, 164, 178, 195, 150, 29, 93, 245, 157, 225, 189,
            125, 209, 186, 83, 234, 14, 179, 116, 156, 216, 112, 205, 152, 26, 168, 175, 111, 106,
            249, 235, 49, 40, 246, 31, 152, 214, 59, 117, 64, 109, 28, 167, 222, 155, 132, 192,
            180, 240, 8, 80, 209, 209, 119, 53, 165, 51, 189, 18, 158, 176, 171, 45, 160, 54, 8,
            75, 146, 92, 245, 202, 188, 144, 36, 156, 127, 140, 220, 144, 56, 95, 38, 112, 44, 221,
            159, 9, 159, 189, 153, 150, 88, 84, 73, 138, 6, 73, 141, 17, 28, 110, 159, 141, 21,
            232, 13, 90, 130, 251, 177, 168, 242, 201, 222, 138, 182, 233, 142, 229, 24, 47, 186,
            56, 245, 177, 250, 253, 2, 11, 115, 29, 6, 156, 168, 117, 22, 15, 152, 183, 137, 25,
            188, 24, 22, 120, 195, 17, 97, 16, 85, 234, 95, 53, 156, 244, 146, 53, 183, 235, 71,
            24, 163, 139, 70, 227, 235, 154, 229, 210, 144, 81, 231, 161, 120, 117, 182, 245, 175,
            25, 252, 21, 153, 130, 211, 180, 209, 164, 34, 248, 167, 8, 98, 181, 69, 52, 74, 120,
            227, 165, 16, 172, 42, 107, 248, 42, 225, 46, 80, 11, 117, 92, 225, 27, 86, 4, 226, 29,
            85, 105, 208, 193, 120, 112, 39, 226, 20, 141, 2, 29, 0, 186, 229, 13, 141, 5, 89, 173,
            164, 148, 130, 205, 229, 23, 44, 125, 234, 49, 240, 196, 213, 6, 31, 233, 8, 99, 80,
            166, 239, 2, 130, 1, 0, 106, 152, 3, 177, 77, 235, 201, 25, 36, 150, 146, 246, 50, 67,
            97, 96, 245, 207, 14, 200, 60, 16, 229, 114, 211, 111, 193, 226, 252, 153, 176, 159,
            198, 41, 133, 157, 197, 38, 112, 217, 9, 205, 13, 85, 170, 94, 89, 60, 214, 117, 182,
            163, 81, 138, 122, 250, 48, 98, 43, 60, 186, 203, 147, 60, 74, 110, 89, 216, 73, 4,
            191, 1, 158, 174, 98, 201, 184, 25, 162, 239, 244, 139, 154, 173, 108, 135, 124, 166,
            152, 88, 237, 68, 145, 252, 33, 40, 237, 57, 53, 155, 215, 56, 12, 202, 22, 225, 7, 89,
            24, 245, 195, 164, 36, 172, 98, 26, 115, 10, 71, 27, 21, 255, 62, 212, 202, 71, 147,
            229, 6, 181, 19, 107, 136, 223, 239, 164, 243, 254, 101, 208, 122, 226, 150, 17, 251,
            218, 85, 169, 81, 177, 7, 190, 171, 230, 26, 149, 183, 181, 113, 140, 252, 212, 172,
            154, 200, 118, 69, 156, 108, 144, 11, 201, 135, 175, 19, 201, 116, 9, 80, 20, 19, 89,
            151, 198, 204, 253, 10, 155, 101, 159, 81, 190, 174, 58, 220, 250, 220, 212, 42, 111,
            33, 204, 114, 7, 30, 153, 73, 248, 209, 114, 36, 225, 6, 47, 106, 45, 226, 254, 175,
            201, 138, 254, 121, 184, 19, 143, 48, 67, 179, 99, 250, 189, 237, 58, 249, 194, 167,
            149, 162, 219, 27, 53, 67, 135, 193, 204, 253, 176, 245, 2, 211, 58, 176, 69, 14, 186,
            3, 130, 1, 5, 0, 2, 130, 1, 0, 97, 40, 15, 97, 210, 23, 118, 85, 75, 191, 251, 126,
            171, 47, 188, 57, 40, 41, 85, 48, 206, 169, 253, 233, 146, 161, 39, 232, 242, 19, 219,
            191, 172, 82, 78, 132, 153, 238, 120, 228, 99, 199, 197, 181, 74, 191, 123, 189, 80,
            203, 219, 50, 184, 193, 49, 160, 9, 41, 167, 133, 33, 151, 52, 196, 61, 29, 102, 233,
            163, 249, 121, 248, 55, 144, 215, 55, 89, 142, 137, 249, 67, 112, 167, 42, 255, 67, 56,
            179, 106, 187, 79, 87, 54, 118, 186, 154, 48, 150, 204, 222, 102, 135, 254, 202, 9,
            166, 229, 176, 130, 37, 174, 139, 240, 43, 134, 75, 141, 35, 163, 203, 71, 153, 217,
            71, 181, 79, 35, 114, 55, 124, 20, 55, 110, 112, 223, 109, 239, 183, 210, 141, 59, 88,
            47, 40, 167, 154, 90, 99, 250, 146, 29, 226, 10, 70, 103, 246, 209, 36, 174, 177, 164,
            244, 126, 153, 106, 156, 92, 143, 140, 46, 49, 184, 125, 160, 246, 145, 178, 94, 11,
            153, 128, 59, 210, 11, 210, 42, 3, 138, 136, 147, 115, 96, 190, 68, 128, 25, 47, 26,
            231, 183, 247, 89, 28, 67, 220, 235, 88, 4, 228, 140, 148, 10, 98, 104, 101, 60, 115,
            39, 219, 183, 111, 62, 93, 133, 141, 219, 252, 51, 66, 224, 115, 158, 85, 46, 13, 171,
            31, 5, 210, 83, 68, 61, 92, 87, 241, 1, 215, 144, 233, 243, 68, 238, 197, 62, 54, 68,
            163, 117, 48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 153, 40, 244, 111, 22, 53,
            83, 33, 46, 24, 242, 81, 89, 121, 91, 97, 190, 144, 138, 150, 48, 12, 6, 3, 85, 29, 19,
            1, 1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85,
            29, 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29,
            35, 4, 24, 48, 22, 128, 20, 230, 93, 24, 66, 42, 224, 216, 63, 210, 30, 74, 173, 48,
            16, 195, 8, 166, 231, 232, 253, 48, 11, 6, 9, 96, 134, 72, 1, 101, 3, 4, 3, 1, 3, 65,
            0, 48, 62, 2, 29, 0, 178, 65, 35, 200, 113, 88, 88, 146, 71, 230, 14, 148, 101, 161,
            118, 55, 125, 175, 226, 137, 63, 147, 215, 75, 207, 115, 150, 22, 2, 29, 0, 233, 44,
            225, 196, 27, 225, 84, 166, 253, 231, 247, 162, 41, 134, 178, 45, 218, 17, 24, 35, 120,
            100, 231, 84, 218, 88, 80, 255,
        ]
        .as_slice();
        assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash {
            Hash::Sha224(ref hash) => *hash == Sha224::digest(CERT),
            _ => false,
        }),);
    }
    #[test]
    fn test_parse_dsa_sha1() {
        /// Certificate that uses DSA with SHA-1.
        const CERT: &[u8] = [
            48, 130, 4, 157, 48, 130, 4, 77, 160, 3, 2, 1, 2, 2, 1, 35, 48, 9, 6, 7, 42, 134, 72,
            206, 56, 4, 3, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 16, 48, 14, 6,
            3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12,
            4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 49, 49, 57, 48, 55,
            90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 49, 49, 57, 48, 55, 90, 48, 43, 49, 11, 48, 9,
            6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 84, 101, 115,
            116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 130, 3, 66, 48, 130,
            2, 53, 6, 7, 42, 134, 72, 206, 56, 4, 1, 48, 130, 2, 40, 2, 130, 1, 1, 0, 172, 11, 194,
            123, 239, 38, 183, 160, 91, 74, 179, 251, 72, 80, 38, 223, 195, 46, 238, 2, 67, 45,
            138, 58, 62, 57, 85, 203, 148, 194, 164, 178, 195, 150, 29, 93, 245, 157, 225, 189,
            125, 209, 186, 83, 234, 14, 179, 116, 156, 216, 112, 205, 152, 26, 168, 175, 111, 106,
            249, 235, 49, 40, 246, 31, 152, 214, 59, 117, 64, 109, 28, 167, 222, 155, 132, 192,
            180, 240, 8, 80, 209, 209, 119, 53, 165, 51, 189, 18, 158, 176, 171, 45, 160, 54, 8,
            75, 146, 92, 245, 202, 188, 144, 36, 156, 127, 140, 220, 144, 56, 95, 38, 112, 44, 221,
            159, 9, 159, 189, 153, 150, 88, 84, 73, 138, 6, 73, 141, 17, 28, 110, 159, 141, 21,
            232, 13, 90, 130, 251, 177, 168, 242, 201, 222, 138, 182, 233, 142, 229, 24, 47, 186,
            56, 245, 177, 250, 253, 2, 11, 115, 29, 6, 156, 168, 117, 22, 15, 152, 183, 137, 25,
            188, 24, 22, 120, 195, 17, 97, 16, 85, 234, 95, 53, 156, 244, 146, 53, 183, 235, 71,
            24, 163, 139, 70, 227, 235, 154, 229, 210, 144, 81, 231, 161, 120, 117, 182, 245, 175,
            25, 252, 21, 153, 130, 211, 180, 209, 164, 34, 248, 167, 8, 98, 181, 69, 52, 74, 120,
            227, 165, 16, 172, 42, 107, 248, 42, 225, 46, 80, 11, 117, 92, 225, 27, 86, 4, 226, 29,
            85, 105, 208, 193, 120, 112, 39, 226, 20, 141, 2, 29, 0, 186, 229, 13, 141, 5, 89, 173,
            164, 148, 130, 205, 229, 23, 44, 125, 234, 49, 240, 196, 213, 6, 31, 233, 8, 99, 80,
            166, 239, 2, 130, 1, 0, 106, 152, 3, 177, 77, 235, 201, 25, 36, 150, 146, 246, 50, 67,
            97, 96, 245, 207, 14, 200, 60, 16, 229, 114, 211, 111, 193, 226, 252, 153, 176, 159,
            198, 41, 133, 157, 197, 38, 112, 217, 9, 205, 13, 85, 170, 94, 89, 60, 214, 117, 182,
            163, 81, 138, 122, 250, 48, 98, 43, 60, 186, 203, 147, 60, 74, 110, 89, 216, 73, 4,
            191, 1, 158, 174, 98, 201, 184, 25, 162, 239, 244, 139, 154, 173, 108, 135, 124, 166,
            152, 88, 237, 68, 145, 252, 33, 40, 237, 57, 53, 155, 215, 56, 12, 202, 22, 225, 7, 89,
            24, 245, 195, 164, 36, 172, 98, 26, 115, 10, 71, 27, 21, 255, 62, 212, 202, 71, 147,
            229, 6, 181, 19, 107, 136, 223, 239, 164, 243, 254, 101, 208, 122, 226, 150, 17, 251,
            218, 85, 169, 81, 177, 7, 190, 171, 230, 26, 149, 183, 181, 113, 140, 252, 212, 172,
            154, 200, 118, 69, 156, 108, 144, 11, 201, 135, 175, 19, 201, 116, 9, 80, 20, 19, 89,
            151, 198, 204, 253, 10, 155, 101, 159, 81, 190, 174, 58, 220, 250, 220, 212, 42, 111,
            33, 204, 114, 7, 30, 153, 73, 248, 209, 114, 36, 225, 6, 47, 106, 45, 226, 254, 175,
            201, 138, 254, 121, 184, 19, 143, 48, 67, 179, 99, 250, 189, 237, 58, 249, 194, 167,
            149, 162, 219, 27, 53, 67, 135, 193, 204, 253, 176, 245, 2, 211, 58, 176, 69, 14, 186,
            3, 130, 1, 5, 0, 2, 130, 1, 0, 97, 40, 15, 97, 210, 23, 118, 85, 75, 191, 251, 126,
            171, 47, 188, 57, 40, 41, 85, 48, 206, 169, 253, 233, 146, 161, 39, 232, 242, 19, 219,
            191, 172, 82, 78, 132, 153, 238, 120, 228, 99, 199, 197, 181, 74, 191, 123, 189, 80,
            203, 219, 50, 184, 193, 49, 160, 9, 41, 167, 133, 33, 151, 52, 196, 61, 29, 102, 233,
            163, 249, 121, 248, 55, 144, 215, 55, 89, 142, 137, 249, 67, 112, 167, 42, 255, 67, 56,
            179, 106, 187, 79, 87, 54, 118, 186, 154, 48, 150, 204, 222, 102, 135, 254, 202, 9,
            166, 229, 176, 130, 37, 174, 139, 240, 43, 134, 75, 141, 35, 163, 203, 71, 153, 217,
            71, 181, 79, 35, 114, 55, 124, 20, 55, 110, 112, 223, 109, 239, 183, 210, 141, 59, 88,
            47, 40, 167, 154, 90, 99, 250, 146, 29, 226, 10, 70, 103, 246, 209, 36, 174, 177, 164,
            244, 126, 153, 106, 156, 92, 143, 140, 46, 49, 184, 125, 160, 246, 145, 178, 94, 11,
            153, 128, 59, 210, 11, 210, 42, 3, 138, 136, 147, 115, 96, 190, 68, 128, 25, 47, 26,
            231, 183, 247, 89, 28, 67, 220, 235, 88, 4, 228, 140, 148, 10, 98, 104, 101, 60, 115,
            39, 219, 183, 111, 62, 93, 133, 141, 219, 252, 51, 66, 224, 115, 158, 85, 46, 13, 171,
            31, 5, 210, 83, 68, 61, 92, 87, 241, 1, 215, 144, 233, 243, 68, 238, 197, 62, 54, 68,
            163, 117, 48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 153, 40, 244, 111, 22, 53,
            83, 33, 46, 24, 242, 81, 89, 121, 91, 97, 190, 144, 138, 150, 48, 12, 6, 3, 85, 29, 19,
            1, 1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85,
            29, 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29,
            35, 4, 24, 48, 22, 128, 20, 230, 93, 24, 66, 42, 224, 216, 63, 210, 30, 74, 173, 48,
            16, 195, 8, 166, 231, 232, 253, 48, 9, 6, 7, 42, 134, 72, 206, 56, 4, 3, 3, 63, 0, 48,
            60, 2, 28, 50, 39, 36, 45, 25, 91, 93, 174, 107, 192, 215, 113, 214, 88, 122, 108, 97,
            82, 121, 182, 191, 182, 66, 173, 207, 255, 17, 86, 2, 28, 28, 133, 69, 48, 198, 204,
            39, 177, 136, 73, 222, 95, 114, 218, 219, 54, 88, 17, 114, 204, 214, 83, 20, 137, 75,
            203, 163, 99,
        ]
        .as_slice();
        assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash {
            Hash::Sha256(ref hash) => *hash == Sha256::digest(CERT),
            _ => false,
        }),);
    }
    #[cfg(feature = "runtime")]
    #[derive(Debug)]
    enum E {
        #[expect(dead_code, reason = "does not matter for tests")]
        Io(Error),
        #[expect(dead_code, reason = "does not matter for tests")]
        Rustls(rustls::Error),
        #[expect(dead_code, reason = "does not matter for tests")]
        Postgres(tokio_postgres::Error),
        NoRootCert,
        MultipleRootCerts,
        NoClientKey,
        MultipleClientKeys,
        #[expect(dead_code, reason = "does not matter for tests")]
        RustlsPem(PemErr),
    }
    #[cfg(feature = "runtime")]
    impl From<Error> for E {
        fn from(value: Error) -> Self {
            Self::Io(value)
        }
    }
    #[cfg(feature = "runtime")]
    impl From<rustls::Error> for E {
        fn from(value: rustls::Error) -> Self {
            Self::Rustls(value)
        }
    }
    #[cfg(feature = "runtime")]
    impl From<tokio_postgres::Error> for E {
        fn from(value: tokio_postgres::Error) -> Self {
            Self::Postgres(value)
        }
    }
    #[cfg(feature = "runtime")]
    impl From<PemErr> for E {
        fn from(value: PemErr) -> Self {
            Self::RustlsPem(value)
        }
    }
    #[cfg(feature = "runtime")]
    #[ignore]
    #[test]
    fn test_mutual_tls() -> Result<(), E> {
        let root_cert_file = fs::read("test_data/ca.crt.pem")?;
        let mut cert_iter = CertificateDer::pem_slice_iter(root_cert_file.as_slice());
        let key_file = fs::read("test_data/client.key.pem")?;
        let mut key_iter = PrivateKeyDer::pem_slice_iter(key_file.as_slice());
        let mut conf = ClientConfig::builder_with_protocol_versions([&TLS13].as_slice())
            .with_root_certificates(cert_iter.next().ok_or_else(|| E::NoRootCert).and_then(
                |cert_res| {
                    cert_res.map_err(E::RustlsPem).and_then(|cert| {
                        cert_iter.next().map_or_else(
                            || {
                                let mut root_store = RootCertStore::empty();
                                root_store.add(cert).map_err(E::Rustls).map(|()| root_store)
                            },
                            |_| Err(E::MultipleRootCerts),
                        )
                    })
                },
            )?)
            .with_client_auth_cert(
                CertificateDer::pem_slice_iter(fs::read("test_data/client.crt.pem")?.as_slice())
                    .try_fold(Vec::with_capacity(1), |mut certs, res| {
                        res.map(|cert| {
                            certs.push(cert);
                            certs
                        })
                    })?,
                key_iter
                    .next()
                    .ok_or_else(|| E::NoClientKey)
                    .and_then(|key_res| {
                        key_res.map_err(E::RustlsPem).and_then(|key| {
                            key_iter
                                .next()
                                .map_or_else(|| Ok(key), |_| Err(E::MultipleClientKeys))
                        })
                    })?,
            )?;
        super::set_postgresql_alpn(&mut conf);
        let mut config = Config::new();
        let connection = config
            .application_name("test")
            .channel_binding(ChannelBinding::Disable)
            .connect_timeout(Duration::from_secs(4))
            .dbname(fs::read_to_string("test_data/dbname")?.trim_ascii_end())
            .host(fs::read_to_string("test_data/host")?.trim_ascii_end())
            .hostaddr(IpAddr::V6(Ipv6Addr::LOCALHOST))
            .keepalives(false)
            .load_balance_hosts(LoadBalanceHosts::Disable)
            .port(5432)
            .ssl_mode(SslMode::Require)
            .target_session_attrs(TargetSessionAttrs::Any)
            .user(fs::read_to_string("test_data/user")?.trim_ascii_end())
            .connect(MakeTlsConnector::new(Arc::new(conf).into()));
        Builder::new_current_thread()
            .enable_all()
            .build()?
            .block_on(async move { connection.await.map_err(E::Postgres).map(|_| ()) })
    }
    #[cfg(feature = "runtime")]
    #[ignore]
    #[test]
    fn test_password_and_channel_binding() -> Result<(), E> {
        let root_cert_file = fs::read("test_data/ca.crt.pem")?;
        let mut cert_iter = CertificateDer::pem_slice_iter(root_cert_file.as_slice());
        let mut conf = ClientConfig::builder_with_protocol_versions([&TLS13].as_slice())
            .with_root_certificates(cert_iter.next().ok_or_else(|| E::NoRootCert).and_then(
                |cert_res| {
                    cert_res.map_err(E::RustlsPem).and_then(|cert| {
                        cert_iter.next().map_or_else(
                            || {
                                let mut root_store = RootCertStore::empty();
                                root_store.add(cert).map_err(E::Rustls).map(|()| root_store)
                            },
                            |_| Err(E::MultipleRootCerts),
                        )
                    })
                },
            )?)
            .with_no_client_auth();
        super::set_postgresql_alpn(&mut conf);
        let mut config = Config::new();
        let connection = config
            .application_name("test")
            .channel_binding(ChannelBinding::Require)
            .connect_timeout(Duration::from_secs(4))
            .dbname(fs::read_to_string("test_data/dbname")?.trim_ascii_end())
            .host(fs::read_to_string("test_data/host")?.trim_ascii_end())
            .hostaddr(IpAddr::V6(Ipv6Addr::LOCALHOST))
            .keepalives(false)
            .load_balance_hosts(LoadBalanceHosts::Disable)
            .password(fs::read("test_data/password")?.trim_ascii_end())
            .port(5432)
            .ssl_mode(SslMode::Require)
            .target_session_attrs(TargetSessionAttrs::Any)
            .user(fs::read_to_string("test_data/user")?.trim_ascii_end())
            .connect(MakeTlsConnector::new(Arc::new(conf).into()));
        Builder::new_current_thread()
            .enable_all()
            .build()?
            .block_on(async move { connection.await.map_err(E::Postgres).map(|_| ()) })
    }
}