add aws-lc-rs-fips feature, adjust sys dep

[cpu]

Previously we unconditionally used the aws-lc-sys and prebuilt-nasm features of the aws-lc-rs dep, meaning we always brought along aws-lc-sys (note the prebuilt-nasm feature customizes that dep).

However, when a user is looking for a FIPS crypto provider we want to avoid bringing in aws-lc-sys and instead use aws-lc-rs/fips to get aws-lc-fips-sys.

This commit makes the aws-lc-rs feature of webpki activate the "usual" config: aws-lc-rs/aws-lc-sys w/ aws-lc-rs/prebuilt-nasm to have aws-lc-sys with prebuilt assmebly to avoid the nasm dep.

A new aws-lc-rs-fips feature is added for webpki that activates the FIPS specific config: aws-lc-rs/fips. The aws-lc-sys and prebuilt-nasm features are not activated.

Updates #307

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 97.23%. Comparing base (dad66f2) to head (5fd8350).
Report is 4 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #308   +/-   ##
=======================================
  Coverage   97.23%   97.23%           
=======================================
  Files          20       20           
  Lines        4225     4225           
=======================================
  Hits         4108     4108           
  Misses        117      117           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[djc]

LGTM!

[djc]

I think these changes are good. We could consider naming the feature aws-lc-rs-fips instead?

And, given we currently have a semver-incompatible version bump, switching from underscore to hyphen spelling which IIRC we decided ought to be the way forward?

[cpu]

I think these changes are good. We could consider naming the feature aws-lc-rs-fips instead?

SGTM. Updated the name throughout.

And, given we currently have a semver-incompatible version bump, switching from underscore to hyphen spelling which IIRC we decided ought to be the way forward?

Make sense. I broke that out as a separate commit up-front since it's a much more invasive diff. I also cherry-picked Ctz's version bump from #302 to make the semver check in CI happy.

Build+test (--no-default-features --features alloc,std,aws_lc_rs, stable, macos-latest) Expected

There will be a few CI jobs left stuck in 'expected' based on the aws_lc_rs -> aws-lc-rs rename in the title (I really hate this about GH branch protection rules....). Will need to admin merge & fix afterwards.

[djc]

(I really hate this about GH branch protection rules....)

It appears that GitHub has a newer way to set these up called rule sets, maybe that has gotten better at these kinds of things?

(Agreed that the disjointness of workflow job names and their protection status is pretty annoying.)

[ctz]

A couple of remaining aws_lc_rs feature mentions:

• the features table in the top-level crate comment (might be a good venue to mention aws-lc-rs was formerly aws_lc_rs?)
• the comment against ALL_VERIFICATION_ALGS

[cpu]

A couple of remaining aws_lc_rs feature mentions

Good catch, fixed up.

[cpu]

There will be a few CI jobs left stuck in 'expected' based on the aws_lc_rs -> aws-lc-rs rename in the title (I really hate this about GH branch protection rules....). Will need to admin merge & fix afterwards.

Fixed up.