Skip to content

test(rsa): cover mismatch variant identity and JWKS embed#734

Merged
EffortlessSteven merged 2 commits into
mainfrom
claude/coverage-rsa-extra-coverage-E47b2
May 16, 2026
Merged

test(rsa): cover mismatch variant identity and JWKS embed#734
EffortlessSteven merged 2 commits into
mainfrom
claude/coverage-rsa-extra-coverage-E47b2

Conversation

@EffortlessSteven

@EffortlessSteven EffortlessSteven commented May 16, 2026

Copy link
Copy Markdown
Member

Summary

Pivots this PR away from derive/shape pins (the pattern the maintainer flagged on the parallel ECDSA PR #735) toward behavioural fixture contracts, mirroring what landed in #738.

Tests-only — no production code changes.

Behavioural pins

  • mismatched_public_key_is_deterministic_across_factories — bytes are stable across separate factories, not just within one factory's cache.
  • repeated_mismatch_calls_return_identical_bytes — pins that the "mismatch" variant is cached, not regenerated per call.
  • distinct_labels_produce_distinct_mismatched_keys — variant entropy flows through label; the variant string itself is shared.
  • mismatched_key_is_different_from_original_public_key — pins the negative-fixture contract on the keypair's own SPKI.
  • mismatched_key_parses_as_rsa_spki — kills a hypothetical "swap key type" mutant on the variant load path by parsing the mismatched SPKI through the rsa crate.
  • jwk_components_have_no_base64_paddingn/e/d use base64url no-pad.
  • jwks_embedded_kid_matches_standalone_kid — kid stays consistent between the standalone kid() accessor and the JWKS-wrapped form.
  • jwks_public_entry_preserves_metadata_and_omits_private_dkty/use/alg survive, d is absent.
  • domain_rsa_keypair_constant_is_pinned — retained because the same pin landed in test(ecdsa): cover mismatch variant identity and JWKS embed #738 for ECDSA.

The rsa 0.10 RC is already in uselesskey-rsa's dep tree, so the new RsaPublicKey::from_public_key_der import does not introduce a new island.

Test plan

  • cargo test -p uselesskey-rsa --test rsa_extra_coverage --features=jwk --release — all 9 tests pass
  • cargo clippy -p uselesskey-rsa --all-targets --all-features -- -D warnings clean
  • cargo clippy -p uselesskey-rsa --all-targets -- -D warnings clean (no jwk)
  • cargo fmt -p uselesskey-rsa clean
  • CI green on PR

Generated by Claude Code

`uselesskey-rsa` had a `tests/mutant_killers.rs` pinning the `rs256()`
case of `stable_bytes()` but not the bit-size axis itself, and the cache
domain `DOMAIN_RSA_KEYPAIR` was not pinned anywhere. Both feed into
deterministic cache identity, so a silent change would invalidate every
cached and deterministic RSA fixture downstream without warning.

Adds `tests/rsa_extra_coverage.rs` (tests-only) matching the existing
pattern in `uselesskey-hmac`, `uselesskey-ed25519`, `uselesskey-entropy`,
and `uselesskey-jwk`:

- `domain_constant_is_stable` — pins `DOMAIN_RSA_KEYPAIR` value.
- `stable_bytes_encodes_each_bit_size_as_be_u32` — pins the
  big-endian-u32 encoding across 2048/3072/4096.
- `stable_bytes_clamps_oversized_bit_count_to_u32_max` — pins the
  `u32::try_from(...).unwrap_or(u32::MAX)` clamp behaviour.
- `new_preserves_supplied_bits_without_clamping_in_struct` — pins that
  the clamp lives at encoding time, not at construction time.
- `rs256_and_new_2048_agree_on_stable_bytes` /
  `rs256_and_new_2048_compare_equal` — pins the rs256/new(2048)
  equivalence.

Adds `uselesskey-test-support` as a dev-dep so the file can use
`TestResult`/`ensure_eq!` and route loop assertions through panic-free
helpers.
@gemini-code-assist

Copy link
Copy Markdown

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

@coderabbitai

coderabbitai Bot commented May 16, 2026

Copy link
Copy Markdown

Warning

Rate limit exceeded

@EffortlessSteven has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 31 minutes and 48 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 1e3a1094-5327-4281-83dd-3b15e832978c

📥 Commits

Reviewing files that changed from the base of the PR and between ac9aba2 and db813f6.

⛔ Files ignored due to path filters (1)
  • Cargo.lock is excluded by !**/*.lock
📒 Files selected for processing (2)
  • crates/uselesskey-rsa/Cargo.toml
  • crates/uselesskey-rsa/tests/rsa_extra_coverage.rs
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch claude/coverage-rsa-extra-coverage-E47b2

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

Replaces the derive/shape pins flagged in #735 with behavioural tests
focused on fixture invariants, mirroring the structure that landed in
#738 for ECDSA:

- Mismatched public key is deterministic across separate factories
  (not just stable within one factory's cache).
- Repeated mismatch calls return identical bytes — pins that the
  `"mismatch"` variant is cached, not regenerated per call.
- Distinct labels produce distinct mismatched keys — variant entropy
  flows through `label`, the variant string itself is shared.
- Mismatched key differs from the keypair's own public key.
- Mismatched SPKI parses as an RSA public key — kills a hypothetical
  "swap key type" mutant on the variant load path.
- JWK `n`/`e`/`d` are emitted with base64url no-padding.
- JWKS-embedded `kid` matches the standalone `kid()` accessor.
- JWKS public entry preserves `kty`/`use`/`alg` and omits `d`.
- `DOMAIN_RSA_KEYPAIR` pin is retained (also pinned in #738) since
  changing it silently re-keys every cached and deterministic RSA
  fixture downstream.

`rsa` 0.10 RC is already in the dep tree via the existing
`uselesskey-rsa` crate, so the new `RsaPublicKey::from_public_key_der`
import does not add any island.
@EffortlessSteven EffortlessSteven changed the title test(rsa): pin DOMAIN constant and stable_bytes bit-size axis test(rsa): cover mismatch variant identity and JWKS embed May 16, 2026
@EffortlessSteven EffortlessSteven marked this pull request as ready for review May 16, 2026 09:41
@gemini-code-assist

Copy link
Copy Markdown

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

@chatgpt-codex-connector

Copy link
Copy Markdown

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, add credits to your account and enable them for code reviews in your settings.

@EffortlessSteven EffortlessSteven merged commit 3af7f0e into main May 16, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants