Skip to content

test(rng): pin crypto-edge deterministic fingerprints#259

Merged
EffortlessSteven merged 1 commit into
mainfrom
rng-crypto-edge-guardrails
Mar 14, 2026
Merged

test(rng): pin crypto-edge deterministic fingerprints#259
EffortlessSteven merged 1 commit into
mainfrom
rng-crypto-edge-guardrails

Conversation

@EffortlessSteven

Copy link
Copy Markdown
Member

Summary

Add the first execution guardrails for the crypto-edge RNG convergence lane.

This does not move any dependencies yet. It strengthens the existing determinism regression suite so later convergence work has exact fixture-identity canaries for the crypto-edge outputs.

What changed

  • added blake3 to the integration test crate so regression tests can fingerprint DER output without snapshotting secret-shaped blobs
  • added deterministic fingerprint snapshots for:
    • RSA private/public DER
    • ECDSA P-256 private/public DER
    • ECDSA P-384 private/public DER
    • Ed25519 private/public DER
    • X.509 self-signed cert/key DER
    • X.509 chain leaf/intermediate/root cert DER and key DER
  • kept the new guardrails inside tests/determinism_regression.rs so the determinism contract stays in one place

Why

The workspace already had broad determinism coverage, but the remaining gap for the convergence lane was exact crypto-edge fixture identity pinning, especially around X.509 material. These snapshots give us before/after proof for later RNG-topology changes without committing PEM/DER blobs.

Verification

  • cargo test -p uselesskey-integration-tests --features determinism-regression --test determinism_regression
  • cargo test -p uselesskey-integration-tests --features determinism --test cross_crate_determinism
  • cargo xtask gate

Refs #257

@coderabbitai

coderabbitai Bot commented Mar 14, 2026

Copy link
Copy Markdown

Warning

Rate limit exceeded

@EffortlessSteven has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 24 minutes and 23 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: d2161460-b019-4fd4-8759-9b510d2c61ae

📥 Commits

Reviewing files that changed from the base of the PR and between 4b7ae7c and 47f0dd0.

⛔ Files ignored due to path filters (4)
  • Cargo.lock is excluded by !**/*.lock
  • tests/snapshots/determinism_regression__crypto_edge_key_fingerprints.snap is excluded by !**/*.snap
  • tests/snapshots/determinism_regression__x509_chain_fingerprints.snap is excluded by !**/*.snap
  • tests/snapshots/determinism_regression__x509_self_signed_fingerprints.snap is excluded by !**/*.snap
📒 Files selected for processing (2)
  • tests/Cargo.toml
  • tests/determinism_regression.rs
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch rng-crypto-edge-guardrails
📝 Coding Plan
  • Generate coding plan for human review comments

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@gemini-code-assist

Copy link
Copy Markdown

Summary of Changes

Hello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request establishes critical guardrails for the crypto-edge Random Number Generator (RNG) convergence lane by enhancing the existing determinism regression suite. It introduces exact fixture-identity canaries for cryptographic outputs, particularly focusing on X.509 material, using BLAKE3 hashes instead of direct blob snapshots. This foundational work ensures that future changes to the RNG topology can be rigorously validated against known deterministic outputs, providing a robust mechanism for verifying consistency and preventing regressions.

Highlights

  • Dependency Addition: The blake3 hashing library was added to the integration test crate to enable deterministic fingerprinting of cryptographic outputs.
  • Deterministic Fingerprint Snapshots: New snapshot tests were introduced to capture deterministic fingerprints for various crypto-edge materials, including RSA, ECDSA P-256, ECDSA P-384, Ed25519 private/public DER, X.509 self-signed cert/key DER, and X.509 chain leaf/intermediate/root cert/key DER.
  • Test Organization: All new determinism guardrails and related tests were consolidated within tests/determinism_regression.rs to maintain a single location for the determinism contract.
Changelog
  • Cargo.lock
    • Updated the lock file to include the new blake3 dependency for the uselesskey-integration-tests crate.
  • tests/Cargo.toml
    • Added blake3 as a workspace dependency for the integration test crate.
  • tests/determinism_regression.rs
    • Imported the serde::Serialize trait for data serialization.
    • Implemented a blake3_hex helper function to generate BLAKE3 hashes of byte slices.
    • Defined new serializable structs (KeyMaterialFingerprint, X509MaterialFingerprint, CryptoEdgeKeyFingerprints, X509ChainFingerprint) to structure cryptographic material fingerprints.
    • Added a new test seed_stability_crypto_edge_key_fingerprints to snapshot BLAKE3 hashes and lengths of RSA, ECDSA P-256, ECDSA P-384, and Ed25519 private/public DERs.
    • Added a new test x509_self_signed_fingerprints_snapshot to snapshot BLAKE3 hashes, lengths, and PEM headers for X.509 self-signed certificates and their private keys.
    • Added a new test x509_chain_fingerprints_snapshot to snapshot BLAKE3 hashes, lengths, and certificate counts for X.509 certificate chains (leaf, intermediate, root certificates and their keys).
  • tests/snapshots/determinism_regression__crypto_edge_key_fingerprints.snap
    • Added a new snapshot file containing deterministic fingerprints for various crypto-edge key types (RSA, ECDSA P-256, P-384, Ed25519).
  • tests/snapshots/determinism_regression__x509_chain_fingerprints.snap
    • Added a new snapshot file containing deterministic fingerprints for X.509 certificate chain components.
  • tests/snapshots/determinism_regression__x509_self_signed_fingerprints.snap
    • Added a new snapshot file containing deterministic fingerprints for X.509 self-signed certificates.
Activity
  • No human activity (comments, reviews) has been recorded on this pull request yet.
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request strengthens the determinism regression tests by adding fingerprint snapshots for various cryptographic artifacts, which is a great step towards ensuring stability. My review focuses on improving the efficiency and readability of the new test functions by avoiding redundant computations. The changes are otherwise solid and well-aligned with the project's goals.

Comment on lines +220 to +253
let snapshot = CryptoEdgeKeyFingerprints {
rsa: KeyMaterialFingerprint {
label: "fingerprint-rsa",
private_der_len: rsa.private_key_pkcs8_der().len(),
private_der_blake3: blake3_hex(rsa.private_key_pkcs8_der()),
public_der_len: rsa.public_key_spki_der().len(),
public_der_blake3: blake3_hex(rsa.public_key_spki_der()),
kid: rsa.kid(),
},
ecdsa_p256: KeyMaterialFingerprint {
label: "fingerprint-ecdsa-p256",
private_der_len: ecdsa_p256.private_key_pkcs8_der().len(),
private_der_blake3: blake3_hex(ecdsa_p256.private_key_pkcs8_der()),
public_der_len: ecdsa_p256.public_key_spki_der().len(),
public_der_blake3: blake3_hex(ecdsa_p256.public_key_spki_der()),
kid: ecdsa_p256.kid(),
},
ecdsa_p384: KeyMaterialFingerprint {
label: "fingerprint-ecdsa-p384",
private_der_len: ecdsa_p384.private_key_pkcs8_der().len(),
private_der_blake3: blake3_hex(ecdsa_p384.private_key_pkcs8_der()),
public_der_len: ecdsa_p384.public_key_spki_der().len(),
public_der_blake3: blake3_hex(ecdsa_p384.public_key_spki_der()),
kid: ecdsa_p384.kid(),
},
ed25519: KeyMaterialFingerprint {
label: "fingerprint-ed25519",
private_der_len: ed25519.private_key_pkcs8_der().len(),
private_der_blake3: blake3_hex(ed25519.private_key_pkcs8_der()),
public_der_len: ed25519.public_key_spki_der().len(),
public_der_blake3: blake3_hex(ed25519.public_key_spki_der()),
kid: ed25519.kid(),
},
};

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

To improve efficiency and readability, it's better to call the key serialization functions (e.g., private_key_pkcs8_der()) only once per key and store their results in local variables. This avoids repeated, potentially expensive computations for each key type.

    let rsa_private_der = rsa.private_key_pkcs8_der();
    let rsa_public_der = rsa.public_key_spki_der();
    let ecdsa_p256_private_der = ecdsa_p256.private_key_pkcs8_der();
    let ecdsa_p256_public_der = ecdsa_p256.public_key_spki_der();
    let ecdsa_p384_private_der = ecdsa_p384.private_key_pkcs8_der();
    let ecdsa_p384_public_der = ecdsa_p384.public_key_spki_der();
    let ed25519_private_der = ed25519.private_key_pkcs8_der();
    let ed25519_public_der = ed25519.public_key_spki_der();

    let snapshot = CryptoEdgeKeyFingerprints {
        rsa: KeyMaterialFingerprint {
            label: "fingerprint-rsa",
            private_der_len: rsa_private_der.len(),
            private_der_blake3: blake3_hex(rsa_private_der),
            public_der_len: rsa_public_der.len(),
            public_der_blake3: blake3_hex(rsa_public_der),
            kid: rsa.kid(),
        },
        ecdsa_p256: KeyMaterialFingerprint {
            label: "fingerprint-ecdsa-p256",
            private_der_len: ecdsa_p256_private_der.len(),
            private_der_blake3: blake3_hex(ecdsa_p256_private_der),
            public_der_len: ecdsa_p256_public_der.len(),
            public_der_blake3: blake3_hex(ecdsa_p256_public_der),
            kid: ecdsa_p256.kid(),
        },
        ecdsa_p384: KeyMaterialFingerprint {
            label: "fingerprint-ecdsa-p384",
            private_der_len: ecdsa_p384_private_der.len(),
            private_der_blake3: blake3_hex(ecdsa_p384_private_der),
            public_der_len: ecdsa_p384_public_der.len(),
            public_der_blake3: blake3_hex(ecdsa_p384_public_der),
            kid: ecdsa_p384.kid(),
        },
        ed25519: KeyMaterialFingerprint {
            label: "fingerprint-ed25519",
            private_der_len: ed25519_private_der.len(),
            private_der_blake3: blake3_hex(ed25519_private_der),
            public_der_len: ed25519_public_der.len(),
            public_der_blake3: blake3_hex(ed25519_public_der),
            kid: ed25519.kid(),
        },
    };

Comment on lines +875 to +882
let snapshot = X509MaterialFingerprint {
label: "x509-fingerprint",
cert_der_len: cert.cert_der().len(),
cert_der_blake3: blake3_hex(cert.cert_der()),
key_der_len: cert.private_key_pkcs8_der().len(),
key_der_blake3: blake3_hex(cert.private_key_pkcs8_der()),
cert_pem_header: pem_header(cert.cert_pem()).to_string(),
};

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

To improve efficiency and readability, it's better to call cert_der() and private_key_pkcs8_der() only once and store their results in local variables.

Suggested change
let snapshot = X509MaterialFingerprint {
label: "x509-fingerprint",
cert_der_len: cert.cert_der().len(),
cert_der_blake3: blake3_hex(cert.cert_der()),
key_der_len: cert.private_key_pkcs8_der().len(),
key_der_blake3: blake3_hex(cert.private_key_pkcs8_der()),
cert_pem_header: pem_header(cert.cert_pem()).to_string(),
};
let cert_der = cert.cert_der();
let key_der = cert.private_key_pkcs8_der();
let snapshot = X509MaterialFingerprint {
label: "x509-fingerprint",
cert_der_len: cert_der.len(),
cert_der_blake3: blake3_hex(cert_der),
key_der_len: key_der.len(),
key_der_blake3: blake3_hex(key_der),
cert_pem_header: pem_header(cert.cert_pem()).to_string(),
};

Comment on lines +947 to +959
let snapshot = X509ChainFingerprint {
label: "x509-chain-fingerprint",
chain_pem_cert_count: chain.chain_pem().matches("BEGIN CERTIFICATE").count(),
leaf_cert_der_len: chain.leaf_cert_der().len(),
leaf_cert_der_blake3: blake3_hex(chain.leaf_cert_der()),
intermediate_cert_der_len: chain.intermediate_cert_der().len(),
intermediate_cert_der_blake3: blake3_hex(chain.intermediate_cert_der()),
root_cert_der_len: chain.root_cert_der().len(),
root_cert_der_blake3: blake3_hex(chain.root_cert_der()),
leaf_key_der_blake3: blake3_hex(chain.leaf_private_key_pkcs8_der()),
intermediate_key_der_blake3: blake3_hex(chain.intermediate_private_key_pkcs8_der()),
root_key_der_blake3: blake3_hex(chain.root_private_key_pkcs8_der()),
};

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

To improve efficiency and readability, it's better to call the various *_der() and *_pem() methods only once and store their results in local variables before creating the snapshot struct.

    let chain_pem = chain.chain_pem();
    let leaf_cert_der = chain.leaf_cert_der();
    let intermediate_cert_der = chain.intermediate_cert_der();
    let root_cert_der = chain.root_cert_der();
    let leaf_key_der = chain.leaf_private_key_pkcs8_der();
    let intermediate_key_der = chain.intermediate_private_key_pkcs8_der();
    let root_key_der = chain.root_private_key_pkcs8_der();

    let snapshot = X509ChainFingerprint {
        label: "x509-chain-fingerprint",
        chain_pem_cert_count: chain_pem.matches("BEGIN CERTIFICATE").count(),
        leaf_cert_der_len: leaf_cert_der.len(),
        leaf_cert_der_blake3: blake3_hex(leaf_cert_der),
        intermediate_cert_der_len: intermediate_cert_der.len(),
        intermediate_cert_der_blake3: blake3_hex(intermediate_cert_der),
        root_cert_der_len: root_cert_der.len(),
        root_cert_der_blake3: blake3_hex(root_cert_der),
        leaf_key_der_blake3: blake3_hex(leaf_key_der),
        intermediate_key_der_blake3: blake3_hex(intermediate_key_der),
        root_key_der_blake3: blake3_hex(root_key_der),
    };

@EffortlessSteven EffortlessSteven merged commit eed81c5 into main Mar 14, 2026
4 checks passed
@EffortlessSteven EffortlessSteven deleted the rng-crypto-edge-guardrails branch March 14, 2026 13:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant