fix: non-FIPS deterministic build

.github/scripts/common.sh

@@ -136,8 +136,8 @@ ensure_macos_frameworks_ldflags() {
 
 # Unified nixpkgs pin (used by all scripts)
 # Keep a single source of truth for the pinned nixpkgs URL.
-# Pin nixpkgs for a stable toolchain; Linux builds target GLIBC <= 2.34.
-export PIN_URL="https://github.com/NixOS/nixpkgs/archive/24.11.tar.gz"
+# IMPORTANT: Use an immutable commit tarball to ensure builds are deterministic across machines.
+export PIN_URL="https://github.com/NixOS/nixpkgs/archive/8b27c1239e5c421a2bbc2c65d52e4a6fbf2ff296.tar.gz"
 # Backward-compatible alias used by some scripts
 export PINNED_NIXPKGS_URL="$PIN_URL"
 

.github/scripts/nix.sh

@@ -58,9 +58,6 @@ usage() {
     -l, --link <static|dynamic>     OpenSSL linkage type (default: static)
                     static: statically link OpenSSL 3.6.0
                     dynamic: dynamically link system OpenSSL
-    --enforce-deterministic-hash <true|false>
-                    When true, enforce expected hashes (fail on mismatch).
-                    When false (default), relax expected-hash enforcement.
 
   For testing, also supports environment variables:
     REDIS_HOST, REDIS_PORT
@@ -163,7 +160,6 @@ parse_global_options() {
   PROFILE="debug"
   VARIANT="fips"
   LINK="static"
-  ENFORCE_DETERMINISTIC_HASH="false"
 
   # Parse global options before the subcommand
   while [ $# -gt 0 ]; do
@@ -182,10 +178,6 @@ parse_global_options() {
       LINK_EXPLICIT=1
       shift 2 || true
       ;;
-    --enforce-deterministic-hash | --enforce_deterministic_hash)
-      ENFORCE_DETERMINISTIC_HASH="${2:-}"
-      shift 2 || true
-      ;;
     docker | test | package | sbom | update-hashes)
       COMMAND="$1"
       shift
@@ -208,17 +200,7 @@ parse_global_options() {
   # Validate command argument
   [ -z "${COMMAND:-}" ] && usage
 
-  # Normalize boolean-ish inputs
-  case "${ENFORCE_DETERMINISTIC_HASH}" in
-  true | TRUE | 1) ENFORCE_DETERMINISTIC_HASH="true" ;;
-  false | FALSE | 0 | "") ENFORCE_DETERMINISTIC_HASH="false" ;;
-  *)
-    echo "Error: --enforce-deterministic-hash must be true/false" >&2
-    exit 1
-    ;;
-  esac
-
-  export PROFILE VARIANT LINK ENFORCE_DETERMINISTIC_HASH
+  export PROFILE VARIANT LINK
   REMAINING_ARGS=("$@")
 }
 
@@ -695,7 +677,7 @@ package_command() {
       echo "Note: Building DMG via nix-shell to allow macOS system tools (cargo-packager path)."
       # shellcheck disable=SC2086
       nix-shell -I "nixpkgs=${PIN_URL}" $KEEP_VARS --argstr variant "$VARIANT" "$REPO_ROOT/shell.nix" \
-        --run "ENFORCE_DETERMINISTIC_HASH='${ENFORCE_DETERMINISTIC_HASH}' bash '$SCRIPT' --variant '$VARIANT' --link '$LINK' --enforce-deterministic-hash '${ENFORCE_DETERMINISTIC_HASH}'"
+        --run "bash '$SCRIPT' --variant '$VARIANT' --link '$LINK'"
       OUT_DIR="$REPO_ROOT/result-dmg-$VARIANT-$LINK"
       dmg_file=$(find "$OUT_DIR" -maxdepth 1 -type f -name '*.dmg' | head -n1 || true)
       if [ -n "${dmg_file:-}" ] && [ -f "$dmg_file" ]; then
@@ -750,7 +732,7 @@ package_command() {
               echo "Missing $SCRIPT_LINUX" >&2
               exit 1
             }
-            nix-shell -I "nixpkgs=${NIXPKGS_ARG}" -p curl --run "ENFORCE_DETERMINISTIC_HASH='${ENFORCE_DETERMINISTIC_HASH}' bash '$SCRIPT_LINUX' --variant '$BUILD_VARIANT' --link '$BUILD_LINK' --enforce-deterministic-hash '${ENFORCE_DETERMINISTIC_HASH}'"
+            nix-shell -I "nixpkgs=${NIXPKGS_ARG}" -p curl --run "bash '$SCRIPT_LINUX' --variant '$BUILD_VARIANT' --link '$BUILD_LINK'"
             REAL_OUT="$REPO_ROOT/result-deb-$BUILD_VARIANT-$BUILD_LINK"
             echo "Built deb ($BUILD_VARIANT-$BUILD_LINK): $REAL_OUT"
 
@@ -783,7 +765,7 @@ package_command() {
               echo "Missing $SCRIPT_LINUX" >&2
               exit 1
             }
-            nix-shell -I "nixpkgs=${NIXPKGS_ARG}" -p curl --run "ENFORCE_DETERMINISTIC_HASH='${ENFORCE_DETERMINISTIC_HASH}' bash '$SCRIPT_LINUX' --variant '$BUILD_VARIANT' --link '$BUILD_LINK' --enforce-deterministic-hash '${ENFORCE_DETERMINISTIC_HASH}'"
+            nix-shell -I "nixpkgs=${NIXPKGS_ARG}" -p curl --run "bash '$SCRIPT_LINUX' --variant '$BUILD_VARIANT' --link '$BUILD_LINK'"
             REAL_OUT="$REPO_ROOT/result-rpm-$BUILD_VARIANT-$BUILD_LINK"
             echo "Built rpm ($BUILD_VARIANT-$BUILD_LINK): $REAL_OUT"
 
@@ -822,7 +804,7 @@ package_command() {
             ATTR="kms-server-${BUILD_VARIANT}-dmg"
             OUT_LINK="$REPO_ROOT/result-dmg-$BUILD_VARIANT-$BUILD_LINK"
           fi
-          nix-build -I "nixpkgs=${NIXPKGS_ARG}" --arg enforceDeterministicHash "$ENFORCE_DETERMINISTIC_HASH" "$REPO_ROOT/default.nix" -A "$ATTR" -o "$OUT_LINK"
+          nix-build -I "nixpkgs=${NIXPKGS_ARG}" "$REPO_ROOT/default.nix" -A "$ATTR" -o "$OUT_LINK"
           REAL_OUT=$(readlink -f "$OUT_LINK" || echo "$OUT_LINK")
           echo "Built dmg ($BUILD_VARIANT-$BUILD_LINK): $REAL_OUT"
 

.github/scripts/smoke_test_dmg.sh

@@ -161,10 +161,26 @@ if [ "$IS_FIPS" = true ]; then
   ENV_OPENSSL_MODULES="$CHECK_DIR/usr/local/cosmian/lib/ossl-modules"
 fi
 
+# For non-FIPS builds, set OPENSSL_MODULES to point to bundled provider modules
+# so the legacy provider can be loaded during smoke test execution.
+if [ "$IS_FIPS" != true ]; then
+  NON_FIPS_OSSL_MODULES="$CHECK_DIR/usr/local/cosmian/lib/ossl-modules"
+  if [ -d "$NON_FIPS_OSSL_MODULES" ]; then
+    ENV_OPENSSL_MODULES="$NON_FIPS_OSSL_MODULES"
+  fi
+  NON_FIPS_OSSL_CONF="$CHECK_DIR/usr/local/cosmian/lib/ssl/openssl.cnf"
+  if [ -f "$NON_FIPS_OSSL_CONF" ]; then
+    ENV_OPENSSL_CONF="$NON_FIPS_OSSL_CONF"
+  fi
+fi
+
 # Use `env` to set variables for the run
 CMD=("$BINARY_PATH" --version)
-if [ "$IS_FIPS" = true ]; then
-  VERSION_OUTPUT=$(env OPENSSL_CONF="$ENV_OPENSSL_CONF" OPENSSL_MODULES="$ENV_OPENSSL_MODULES" "${CMD[@]}" 2>&1 || true)
+if [ -n "$ENV_OPENSSL_CONF" ] || [ -n "$ENV_OPENSSL_MODULES" ]; then
+  ENV_ARGS=()
+  [ -n "$ENV_OPENSSL_CONF" ] && ENV_ARGS+=(OPENSSL_CONF="$ENV_OPENSSL_CONF")
+  [ -n "$ENV_OPENSSL_MODULES" ] && ENV_ARGS+=(OPENSSL_MODULES="$ENV_OPENSSL_MODULES")
+  VERSION_OUTPUT=$(env "${ENV_ARGS[@]}" "${CMD[@]}" 2>&1 || true)
 else
   VERSION_OUTPUT=$("${CMD[@]}" 2>&1 || true)
 fi
@@ -183,8 +199,11 @@ info "\xe2\x9c\x93 Binary executed successfully"
 # - FIPS dynamic builds bundle 3.1.2 runtime libs to match the FIPS provider
 EXPECTED_VER="3.6.0"
 info "Verifying OpenSSL runtime version (expected ${EXPECTED_VER})…"
-if [ "$IS_FIPS" = true ]; then
-  INFO_CMD=(env OPENSSL_CONF="$ENV_OPENSSL_CONF" OPENSSL_MODULES="$ENV_OPENSSL_MODULES" "$BINARY_PATH" --info)
+if [ -n "$ENV_OPENSSL_CONF" ] || [ -n "$ENV_OPENSSL_MODULES" ]; then
+  INFO_CMD=(env)
+  [ -n "$ENV_OPENSSL_CONF" ] && INFO_CMD+=(OPENSSL_CONF="$ENV_OPENSSL_CONF")
+  [ -n "$ENV_OPENSSL_MODULES" ] && INFO_CMD+=(OPENSSL_MODULES="$ENV_OPENSSL_MODULES")
+  INFO_CMD+=("$BINARY_PATH" --info)
 else
   INFO_CMD=("$BINARY_PATH" --info)
 fi

.github/scripts/test_hsm_utimaco.sh

@@ -63,7 +63,7 @@ UTIMACO_LIB_DIR="$(dirname "$UTIMACO_PKCS11_LIB")"
 
 # Utimaco integration test (KMS)
 
-env -u LD_PRELOAD -u OPENSSL_CONF -u OPENSSL_MODULES \
+env -u LD_PRELOAD \
   PATH="$PATH" \
   LD_LIBRARY_PATH="${UTIMACO_LIB_DIR}:${NIX_OPENSSL_OUT:+$NIX_OPENSSL_OUT/lib:}${LD_LIBRARY_PATH:-}" \
   HSM_MODEL="utimaco" \
@@ -80,7 +80,7 @@ env -u LD_PRELOAD -u OPENSSL_CONF -u OPENSSL_MODULES \
 
 # Utimaco loader test (pure Nix, scoped runtime)
 
-env -u LD_PRELOAD -u OPENSSL_CONF -u OPENSSL_MODULES \
+env -u LD_PRELOAD \
   PATH="$PATH" \
   LD_LIBRARY_PATH="${UTIMACO_LIB_DIR}:${NIX_OPENSSL_OUT:+$NIX_OPENSSL_OUT/lib:}${LD_LIBRARY_PATH:-}" \
   HSM_MODEL="utimaco" \
@@ -98,7 +98,7 @@ env -u LD_PRELOAD -u OPENSSL_CONF -u OPENSSL_MODULES \
 # Optionally run Google CSE CLI tests if environment is provided
 if [ -n "${TEST_GOOGLE_OAUTH_CLIENT_ID:-}" ] && [ -n "${TEST_GOOGLE_OAUTH_CLIENT_SECRET:-}" ] && [ -n "${TEST_GOOGLE_OAUTH_REFRESH_TOKEN:-}" ]; then
   # shellcheck disable=SC2086
-  env -u LD_PRELOAD -u OPENSSL_CONF -u OPENSSL_MODULES "PATH=$PATH" \
+  env -u LD_PRELOAD "PATH=$PATH" \
     LD_LIBRARY_PATH="${UTIMACO_LIB_DIR}:${NIX_OPENSSL_OUT:+$NIX_OPENSSL_OUT/lib:}${LD_LIBRARY_PATH:-}" \
     HSM_MODEL="utimaco" \
     HSM_USER_PASSWORD="$HSM_USER_PASSWORD" \
@@ -114,7 +114,7 @@ if [ -n "${TEST_GOOGLE_OAUTH_CLIENT_ID:-}" ] && [ -n "${TEST_GOOGLE_OAUTH_CLIENT
     -- --nocapture kmip_2_1_xml_pkcs11_m_1_21 --ignored
 
   # shellcheck disable=SC2086
-  env -u LD_PRELOAD -u OPENSSL_CONF -u OPENSSL_MODULES "PATH=$PATH" \
+  env -u LD_PRELOAD "PATH=$PATH" \
     LD_LIBRARY_PATH="${UTIMACO_LIB_DIR}:${NIX_OPENSSL_OUT:+$NIX_OPENSSL_OUT/lib:}${LD_LIBRARY_PATH:-}" \
     HSM_MODEL="utimaco" \
     HSM_USER_PASSWORD="$HSM_USER_PASSWORD" \

.github/scripts/test_otel_export.sh

@@ -1,7 +1,6 @@
 #!/usr/bin/env bash
 set -euo pipefail
 
-
 SCRIPT_DIR=$(cd "$(dirname "$0")" && pwd)
 source "$SCRIPT_DIR/common.sh"
 

.github/scripts/test_pykmip.sh

@@ -21,9 +21,12 @@ FEATURES_FLAG=(--features non-fips)
 : "${COSMIAN_KMS_CONF:=$REPO_ROOT/scripts/kms.toml}"
 export COSMIAN_KMS_CONF
 
-# Ensure Python's ssl module can initialize: avoid custom OpenSSL config used by Rust OpenSSL.
-# Do NOT clear LD_LIBRARY_PATH; keep Nix-provided runtime consistent to avoid GLIBC mismatches.
-unset OPENSSL_CONF OPENSSL_MODULES || true
+# Note: OPENSSL_CONF and OPENSSL_MODULES are intentionally kept set here so the KMS
+# server process can find the OpenSSL providers (e.g. legacy.dylib) in the Nix store.
+# The compiled-in MODULESDIR is /usr/local/cosmian/lib/ossl-modules (production path),
+# which does not exist in the nix-shell dev environment.
+# All Python invocations below already use `env -u OPENSSL_CONF -u OPENSSL_MODULES`
+# to isolate Python's ssl module from the Rust/KMS OpenSSL configuration.
 
 # Ensure Python is available (nix.sh sets WITH_PYTHON=1 which adds python311 + virtualenv)
 require_cmd python3 "Python 3 is required. Re-run via 'bash .github/scripts/nix.sh test pykmip' so nix-shell can provide it."

.github/scripts/update_hashes.sh

@@ -88,6 +88,7 @@ if [ -z "$RUN_ID" ]; then
 
   # Fetch recent workflow runs on this branch.
   # Prefer failures (likely hash mismatches), then fall back to the newest completed run.
+  # shellcheck disable=SC2016  # $runs is a jq variable, not a shell variable
   RUN_ID=$(gh run list --branch "$CURRENT_BRANCH" --limit 50 --json databaseId,status,conclusion \
     --jq 'map(select(.status=="completed" and .conclusion != "cancelled")) as $runs |
           ($runs | map(select(.conclusion=="failure")) | .[0].databaseId) // ($runs | .[0].databaseId)')
@@ -205,34 +206,19 @@ while IFS=$'\t' read -r JOB_ID JOB_NAME; do
         elif [[ "$last_drv_name" =~ ui-wasm-non-fips.*-vendor ]]; then
           target_file="$EXPECTED_DIR/ui.vendor.non-fips.sha256"
         # Server vendor (Cargo vendoring). Derivation names do not reliably include platform/linkage;
-        # infer those from the GitHub Actions job name.
+        # infer linkage from the GitHub Actions job name. Linux and Darwin share the same hash files.
         elif [[ "$last_drv_name" =~ (kms-server|server).*vendor|(^|-)vendor($|-) ]]; then
-          if [[ "$JOB_NAME" == *"macos"* ]] || [[ "$JOB_NAME" == *"darwin"* ]]; then
-            if [[ "$JOB_NAME" == *"static"* ]]; then
-              target_file="$EXPECTED_DIR/server.vendor.static.darwin.sha256"
-            elif [[ "$JOB_NAME" == *"dynamic"* ]]; then
-              target_file="$EXPECTED_DIR/server.vendor.dynamic.darwin.sha256"
-            else
-              FILE_TO_HASH["$EXPECTED_DIR/server.vendor.static.darwin.sha256"]="$got_hash"
-              FILE_TO_HASH["$EXPECTED_DIR/server.vendor.dynamic.darwin.sha256"]="$got_hash"
-              echo "  Found hash for $EXPECTED_DIR/server.vendor.static.darwin.sha256: $got_hash"
-              echo "  Found hash for $EXPECTED_DIR/server.vendor.dynamic.darwin.sha256: $got_hash"
-              target_file=""
-            fi
+          if [[ "$JOB_NAME" == *"dynamic"* ]]; then
+            target_file="$EXPECTED_DIR/server.vendor.dynamic.sha256"
+          elif [[ "$JOB_NAME" == *"static"* ]] || [[ "$JOB_NAME" == *"docker"* ]]; then
+            target_file="$EXPECTED_DIR/server.vendor.static.sha256"
           else
-            # Linux server vendor hashes are tracked per linkage mode.
             # Docker packaging builds are always static-linked.
-            if [[ "$JOB_NAME" == *"dynamic"* ]]; then
-              target_file="$EXPECTED_DIR/server.vendor.dynamic.linux.sha256"
-            elif [[ "$JOB_NAME" == *"static"* ]] || [[ "$JOB_NAME" == *"docker"* ]]; then
-              target_file="$EXPECTED_DIR/server.vendor.static.linux.sha256"
-            else
-              FILE_TO_HASH["$EXPECTED_DIR/server.vendor.static.linux.sha256"]="$got_hash"
-              FILE_TO_HASH["$EXPECTED_DIR/server.vendor.dynamic.linux.sha256"]="$got_hash"
-              echo "  Found hash for $EXPECTED_DIR/server.vendor.static.linux.sha256: $got_hash"
-              echo "  Found hash for $EXPECTED_DIR/server.vendor.dynamic.linux.sha256: $got_hash"
-              target_file=""
-            fi
+            FILE_TO_HASH["$EXPECTED_DIR/server.vendor.static.sha256"]="$got_hash"
+            FILE_TO_HASH["$EXPECTED_DIR/server.vendor.dynamic.sha256"]="$got_hash"
+            echo "  Found hash for $EXPECTED_DIR/server.vendor.static.sha256: $got_hash"
+            echo "  Found hash for $EXPECTED_DIR/server.vendor.dynamic.sha256: $got_hash"
+            target_file=""
           fi
         fi
 

.github/workflows/packaging.yml

@@ -8,10 +8,6 @@ on:
         required: true
         type: string
         default: 1.90.0
-      enforceDeterministicHash:
-        required: false
-        type: boolean
-        default: false
 
 jobs:
   windows-package:
@@ -57,7 +53,7 @@ jobs:
 
       - name: Package with GPG signature
         run: |
-          bash .github/scripts/nix.sh --profile release --variant ${{ matrix.features }} --link ${{ matrix.link }} --enforce-deterministic-hash ${{ inputs.enforceDeterministicHash }} package
+          bash .github/scripts/nix.sh --profile release --variant ${{ matrix.features }} --link ${{ matrix.link }} package
         env:
           GPG_SIGNING_KEY: ${{ secrets.GPG_SIGNING_KEY }}
           GPG_SIGNING_KEY_PASSPHRASE: ${{ secrets.GPG_SIGNING_KEY_PASSPHRASE }}

.github/workflows/pr.yml

@@ -14,5 +14,3 @@ jobs:
     secrets: inherit
     with:
       toolchain: 1.90.0
-      enforceDeterministicHash: ${{ startsWith(github.ref, 'refs/tags/') || startsWith(github.ref, 'refs/heads/release/') || startsWith(github.head_ref,
-        'release/') || startsWith(github.base_ref, 'release/') }}

CHANGELOG.md

@@ -7,6 +7,36 @@ All notable changes to this project will be documented in this file.
 ### 🐛 Bug Fixes
 
 - Add MLKEM algorithms to the predefined DEFAULT KMIP policy
+- Fix non-FIPS `openssl.cnf` provider configuration: the FIPS provider was incorrectly
+  activated in non-FIPS builds via `nix/openssl.nix`, blocking default-provider algorithms
+  (ChaCha20, secp256k1) and causing 6 crypto test failures. `nix/openssl.nix` now generates
+  distinct provider configurations per build variant: FIPS builds use `fips+base`, non-FIPS
+  builds use `default+legacy+base`.
+- Fix `KResultHelper` import in `main.rs` being feature-gated to `non-fips` only, causing a
+  missing `.context()` method on `init_openssl_providers()` result in FIPS builds.
+
+### ⚙️ Build
+
+- Refactor OpenSSL provider management into a dedicated `openssl_providers` module in
+  `crate/server/src/`, consolidating `safe_openssl_version_info()`, `init_openssl_providers()`
+  (production), and `init_openssl_providers_for_tests()` (test environments) into a single place.
+- Improve determinism of `nix/openssl.nix` OpenSSL builds:
+    - Patch `ENGINESDIR`/`MODULESDIR` in the generated Makefile to fixed
+      `/usr/local/cosmian/lib/...` paths, preventing Nix store path embedding in compiled
+      `libcrypto` strings.
+    - Scrub Nix store paths from `crypto/buildinf.h` after `make depend`.
+    - Set `SOURCE_DATE_EPOCH=1` and `ZERO_AR_DATE=1` in build and install phases.
+    - Normalize all output file timestamps with `find $out -exec touch --date=@1 {} +`.
+
+### ⚙️ Build
+
+- Non-FIPS Nix Linux builds are now bit-for-bit reproducible (`nix-build --check` passes for all four Linux variants: FIPS/non-FIPS × static/dynamic OpenSSL):
+    - Removed `${toString ../.}` from RUSTFLAGS `-C remap-path-prefix` — it embedded the machine-specific workspace path into the derivation, causing cross-machine hash divergence.
+    - Added `-C strip=symbols` and `-C symbol-mangling-version=v0` to strip residual host-path artefacts from symbol tables.
+    - Scrub the Nix-store path from OpenSSL's `buildinf.h` at build time so the OpenSSL derivation hash is identical across machines.
+- Pin all `builtins.fetchTarball` calls in `default.nix` with explicit `sha256` hashes (nixpkgs 24.11, rust-overlay, nixpkgs 22.05) — eliminates Nix-version-sensitive evaluation impurity and removes the `NIXPKGS_GLIBC_234_URL` environment variable override.
+- Non-FIPS Docker image now ships OpenSSL 3.6.0 provider modules (`legacy.so`, `openssl.cnf`) and sets `OPENSSL_CONF`/`OPENSSL_MODULES` environment variables, matching the FIPS image layout.
+- macOS packaging fixes in `nix/scripts/package_dmg.sh` and related CI scripts.
 
 ## [5.16.0] - 2026-02-04
 

crate/cli/src/tests/kms/certificates/export.rs

@@ -21,7 +21,7 @@ use openssl::{
     x509::{X509, store::X509StoreBuilder},
 };
 use tempfile::TempDir;
-use test_kms_server::start_default_test_kms_server;
+use test_kms_server::{init_openssl_providers_for_tests, start_default_test_kms_server};
 use uuid::Uuid;
 
 use crate::{
@@ -39,6 +39,8 @@ use crate::{
 #[tokio::test]
 async fn test_import_export_p12_25519() -> KmsCliResult<()> {
     log_init(option_env!("RUST_LOG"));
+    init_openssl_providers_for_tests();
+
     // load the PKCS#12 file
     let p12_bytes =
         include_bytes!("../../../../../../test_data/certificates/another_p12/ed25519.p12");
@@ -221,6 +223,8 @@ async fn test_import_export_p12_25519() -> KmsCliResult<()> {
 
 #[tokio::test]
 async fn test_import_p12_rsa() {
+    init_openssl_providers_for_tests();
+
     let tmp_dir = TempDir::new().unwrap();
     let tmp_path = tmp_dir.path();
     // load the PKCS#12 file
@@ -415,6 +419,8 @@ async fn test_self_signed_export_loop() -> KmsCliResult<()> {
 
 #[tokio::test]
 async fn test_export_root_and_intermediate_pkcs12() -> KmsCliResult<()> {
+    init_openssl_providers_for_tests();
+
     // Create a test server
     let ctx = start_default_test_kms_server().await;
 
@@ -475,6 +481,8 @@ async fn test_export_root_and_intermediate_pkcs12() -> KmsCliResult<()> {
 
 #[tokio::test]
 async fn test_export_import_legacy_p12() -> KmsCliResult<()> {
+    init_openssl_providers_for_tests();
+
     // Create a test server
     let ctx = start_default_test_kms_server().await;
 

crate/server/Cargo.toml

@@ -86,6 +86,7 @@ num-bigint-dig = { workspace = true, features = [
     "zeroize",
 ] }
 openssl = { workspace = true }
+openssl-sys = "0.9"
 opentelemetry = { workspace = true }
 opentelemetry-otlp = { workspace = true }
 opentelemetry_sdk = { workspace = true }

crate/server/src/config/command_line/logging.rs

@@ -3,7 +3,7 @@ use std::path::PathBuf;
 use clap::Args;
 use serde::{Deserialize, Serialize};
 
-#[expect(clippy::struct_excessive_bools)]
+#[allow(clippy::struct_excessive_bools)]
 #[derive(Debug, Default, Args, Deserialize, Serialize, Clone)]
 #[serde(default)]
 pub struct LoggingConfig {