Skip to content

test(ecdsa): cover mismatch variant identity and JWKS embed#738

Merged
EffortlessSteven merged 1 commit into
mainfrom
claude/cover-ecdsa-mismatch-and-jwks
May 16, 2026
Merged

test(ecdsa): cover mismatch variant identity and JWKS embed#738
EffortlessSteven merged 1 commit into
mainfrom
claude/cover-ecdsa-mismatch-and-jwks

Conversation

@EffortlessSteven

Copy link
Copy Markdown
Member

Summary

Adds 10 tests in crates/uselesskey-ecdsa/tests/mismatch_and_jwks_identity.rs that close coverage gaps left by the existing test files. No production code changes.

Gaps closed

  • mismatched_public_key_spki_der() is deterministic across separate factories for both P-256 and P-384 (only P-256 had this check via mismatch_key_is_deterministic_es256 in negative_validation.rs).
  • Repeated mismatch calls on the same fixture return identical bytes, pinning that the "mismatch" variant is cached, not regenerated per call.
  • Distinct labels produce distinct mismatched keys, confirming that label entropy reaches the variant load path (the variant string "mismatch" is shared).
  • The mismatched key is on the same curve as the original (P-256 stays P-256, P-384 stays P-384) by parsing the SPKI with the curve-specific type — kills a hypothetical "swap curve" mutant on the variant branch.
  • JWK x/y/d use base64url with no padding (=), for both curves and both public/private JWK forms.
  • The JWKS-embedded kid matches the standalone kid() for both curves (mutation_hardening.rs only checked the public_jwk() kid, not the kid wrapped inside public_jwks()).
  • The JWKS public entry for P-384 preserves use=sig, alg=ES384, crv=P-384 and omits d (only the public_jwk()-level fields were previously verified for P-384 in JWKS form).
  • DOMAIN_ECDSA_KEYPAIR is pinned to "uselesskey:ecdsa:keypair" so a rename trips CI rather than silently drifting downstream deterministic fixtures.

Compliance

  • Tests use Factory::deterministic_from_str and avoid .unwrap() / .expect() / panic!() so no new no-panic-family debt.
  • cargo test -p uselesskey-ecdsa --all-features passes locally (10/10 new + all pre-existing).
  • cargo clippy -p uselesskey-ecdsa --all-targets --all-features -- -D warnings is clean.
  • cargo fmt clean.
  • cargo xtask check-no-panic-family reports zero new debt attributable to this PR (3 pre-existing new-debt sites in crates/uselesskey-x509/src/cert*.rs already present on origin/main from the 505d10c x509 SRP split are unrelated).

Test plan

  • cargo test -p uselesskey-ecdsa --test mismatch_and_jwks_identity --all-features
  • cargo test -p uselesskey-ecdsa --all-features (full suite still green)
  • cargo clippy -p uselesskey-ecdsa --all-targets --all-features -- -D warnings
  • cargo fmt -- --check
  • cargo xtask check-no-panic-family (new file produces no findings)

https://claude.ai/code/session_0116SGvHnLaoXXd6wz2U9SvM


Generated by Claude Code

Adds 10 tests in `crates/uselesskey-ecdsa/tests/mismatch_and_jwks_identity.rs`
that close coverage gaps left by the existing test files:

- `mismatched_public_key_spki_der()` is deterministic across separate
  factories for *both* P-256 and P-384 (only P-256 had this check).
- Repeated mismatch calls on the same fixture return identical bytes,
  pinning that the `"mismatch"` variant is cached, not regenerated per call.
- Distinct labels produce distinct mismatched keys, confirming that label
  entropy reaches the variant load path.
- The mismatched key is on the *same* curve as the original (P-256 stays
  P-256, P-384 stays P-384) by parsing the SPKI with the curve-specific
  type — kills a hypothetical "swap curve" mutant on the variant branch.
- JWK x/y/d use base64url with no padding (`=`).
- The JWKS-embedded `kid` matches the standalone `kid()` for both curves
  (the existing mutation-hardening only checked the public_jwk `kid`).
- The JWKS public entry preserves `use=sig`, `alg=ES384`, `crv=P-384` and
  omits `d` (only the public_jwk-level fields were previously verified for
  P-384 in JWKS form).
- `DOMAIN_ECDSA_KEYPAIR` constant is pinned to `"uselesskey:ecdsa:keypair"`
  so a rename trips CI rather than silently drifting downstream fixtures.

No production code changes. Tests use `Factory::deterministic_from_str`
and avoid `.unwrap()`/`.expect()`/`panic!()` so no new no-panic-family debt.

https://claude.ai/code/session_0116SGvHnLaoXXd6wz2U9SvM
@gemini-code-assist

Copy link
Copy Markdown

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

@coderabbitai

coderabbitai Bot commented May 16, 2026

Copy link
Copy Markdown

Warning

Rate limit exceeded

@EffortlessSteven has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 29 minutes and 46 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: fa4d93c6-914d-4545-8950-089af3b084f1

📥 Commits

Reviewing files that changed from the base of the PR and between ac9aba2 and 3e227c0.

📒 Files selected for processing (1)
  • crates/uselesskey-ecdsa/tests/mismatch_and_jwks_identity.rs
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch claude/cover-ecdsa-mismatch-and-jwks

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

EffortlessSteven pushed a commit that referenced this pull request May 16, 2026
Replaces the derive/shape pins flagged in #735 with behavioural tests
focused on fixture invariants, mirroring the structure that landed in
#738 for ECDSA:

- Mismatched public key is deterministic across separate factories
  (not just stable within one factory's cache).
- Repeated mismatch calls return identical bytes — pins that the
  `"mismatch"` variant is cached, not regenerated per call.
- Distinct labels produce distinct mismatched keys — variant entropy
  flows through `label`, the variant string itself is shared.
- Mismatched key differs from the keypair's own public key.
- Mismatched SPKI parses as an RSA public key — kills a hypothetical
  "swap key type" mutant on the variant load path.
- JWK `n`/`e`/`d` are emitted with base64url no-padding.
- JWKS-embedded `kid` matches the standalone `kid()` accessor.
- JWKS public entry preserves `kty`/`use`/`alg` and omits `d`.
- `DOMAIN_RSA_KEYPAIR` pin is retained (also pinned in #738) since
  changing it silently re-keys every cached and deterministic RSA
  fixture downstream.

`rsa` 0.10 RC is already in the dep tree via the existing
`uselesskey-rsa` crate, so the new `RsaPublicKey::from_public_key_der`
import does not add any island.
@EffortlessSteven EffortlessSteven marked this pull request as ready for review May 16, 2026 09:43
@gemini-code-assist

Copy link
Copy Markdown

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

@chatgpt-codex-connector

Copy link
Copy Markdown

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, add credits to your account and enable them for code reviews in your settings.

@EffortlessSteven EffortlessSteven merged commit d292f83 into main May 16, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants