test(ecdsa): cover mismatch variant identity and JWKS embed#738
Conversation
Adds 10 tests in `crates/uselesskey-ecdsa/tests/mismatch_and_jwks_identity.rs` that close coverage gaps left by the existing test files: - `mismatched_public_key_spki_der()` is deterministic across separate factories for *both* P-256 and P-384 (only P-256 had this check). - Repeated mismatch calls on the same fixture return identical bytes, pinning that the `"mismatch"` variant is cached, not regenerated per call. - Distinct labels produce distinct mismatched keys, confirming that label entropy reaches the variant load path. - The mismatched key is on the *same* curve as the original (P-256 stays P-256, P-384 stays P-384) by parsing the SPKI with the curve-specific type — kills a hypothetical "swap curve" mutant on the variant branch. - JWK x/y/d use base64url with no padding (`=`). - The JWKS-embedded `kid` matches the standalone `kid()` for both curves (the existing mutation-hardening only checked the public_jwk `kid`). - The JWKS public entry preserves `use=sig`, `alg=ES384`, `crv=P-384` and omits `d` (only the public_jwk-level fields were previously verified for P-384 in JWKS form). - `DOMAIN_ECDSA_KEYPAIR` constant is pinned to `"uselesskey:ecdsa:keypair"` so a rename trips CI rather than silently drifting downstream fixtures. No production code changes. Tests use `Factory::deterministic_from_str` and avoid `.unwrap()`/`.expect()`/`panic!()` so no new no-panic-family debt. https://claude.ai/code/session_0116SGvHnLaoXXd6wz2U9SvM
|
Warning You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again! |
|
Warning Rate limit exceeded
You’ve run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (1)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Replaces the derive/shape pins flagged in #735 with behavioural tests focused on fixture invariants, mirroring the structure that landed in #738 for ECDSA: - Mismatched public key is deterministic across separate factories (not just stable within one factory's cache). - Repeated mismatch calls return identical bytes — pins that the `"mismatch"` variant is cached, not regenerated per call. - Distinct labels produce distinct mismatched keys — variant entropy flows through `label`, the variant string itself is shared. - Mismatched key differs from the keypair's own public key. - Mismatched SPKI parses as an RSA public key — kills a hypothetical "swap key type" mutant on the variant load path. - JWK `n`/`e`/`d` are emitted with base64url no-padding. - JWKS-embedded `kid` matches the standalone `kid()` accessor. - JWKS public entry preserves `kty`/`use`/`alg` and omits `d`. - `DOMAIN_RSA_KEYPAIR` pin is retained (also pinned in #738) since changing it silently re-keys every cached and deterministic RSA fixture downstream. `rsa` 0.10 RC is already in the dep tree via the existing `uselesskey-rsa` crate, so the new `RsaPublicKey::from_public_key_der` import does not add any island.
|
Warning You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again! |
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
Summary
Adds 10 tests in
crates/uselesskey-ecdsa/tests/mismatch_and_jwks_identity.rsthat close coverage gaps left by the existing test files. No production code changes.Gaps closed
mismatched_public_key_spki_der()is deterministic across separate factories for both P-256 and P-384 (only P-256 had this check viamismatch_key_is_deterministic_es256innegative_validation.rs)."mismatch"variant is cached, not regenerated per call."mismatch"is shared).x/y/duse base64url with no padding (=), for both curves and both public/private JWK forms.kidmatches the standalonekid()for both curves (mutation_hardening.rsonly checked thepublic_jwk()kid, not the kid wrapped insidepublic_jwks()).use=sig,alg=ES384,crv=P-384and omitsd(only thepublic_jwk()-level fields were previously verified for P-384 in JWKS form).DOMAIN_ECDSA_KEYPAIRis pinned to"uselesskey:ecdsa:keypair"so a rename trips CI rather than silently drifting downstream deterministic fixtures.Compliance
Factory::deterministic_from_strand avoid.unwrap()/.expect()/panic!()so no new no-panic-family debt.cargo test -p uselesskey-ecdsa --all-featurespasses locally (10/10 new + all pre-existing).cargo clippy -p uselesskey-ecdsa --all-targets --all-features -- -D warningsis clean.cargo fmtclean.cargo xtask check-no-panic-familyreports zero new debt attributable to this PR (3 pre-existing new-debt sites incrates/uselesskey-x509/src/cert*.rsalready present onorigin/mainfrom the505d10cx509 SRP split are unrelated).Test plan
cargo test -p uselesskey-ecdsa --test mismatch_and_jwks_identity --all-featurescargo test -p uselesskey-ecdsa --all-features(full suite still green)cargo clippy -p uselesskey-ecdsa --all-targets --all-features -- -D warningscargo fmt -- --checkcargo xtask check-no-panic-family(new file produces no findings)https://claude.ai/code/session_0116SGvHnLaoXXd6wz2U9SvM
Generated by Claude Code