test(integration): refactor PQ tests to utilize in-memory harness #5667

Merged: kaukabrizvi merged 9 commits into aws:main from kaukabrizvi:ML_DSA_integ on Dec 18, 2025
kaukabrizvi (Contributor) commented Dec 12, 2025

Goal

Refactor the post-quantum integration tests to use the in-memory TLS harness.

Why

ML-DSA support was made publicly available in s2n-tls (#5257), but the initial integration testing was intentionally temporary and hacky due to tooling and provider limitations. As noted in #5308, we should follow through by implementing standard integration tests using the in-memory test pair, preferably using a non–AWS-LC provider.

There are still blockers to adding ML-DSA coverage to the integrationv2 test matrix:

  • The OQS + OpenSSL 1.1.1 builds in CI predate ML-DSA
  • AWS-LC does not currently support ML-DSA via libssl/bssl
  • OpenSSL 3.5 is the preferred non–AWS-LC provider for PQ testing, but is not yet available in our CodeBuild images or Nix setup (for integV2).

Given these constraints and our effort to move integration tests to Rust, the in-memory integration harness is currently the best way to provide PQ integration test coverage.

How

  • Removed required_capability_async as it is no longer needed; instead, the existing synchronous required_capability helper can be used to drive the in-memory test pair.
  • Migrated PQ tests to use the in-memory TlsConnPair harness, avoiding Tokio/OpenSSL socket wiring
  • Modified client/server setup for ML-DSA, ML-KEM, and pure ML-KEM cases while preserving coverage of:
    • client vs server roles
    • hybrid vs pure PQ negotiation
    • negotiated signature algorithms and KEM groups

Callouts

  • The in-memory harness defaults hostname verification to "localhost". The RFC-derived ML-DSA certificate uses "LAMPS WG" as its Common Name, so when the s2n client reaches CN-based hostname validation, "LAMPS WG" is rejected by the default verifier (expecting "localhost"), causing S2N_ERR_CERT_UNTRUSTED. A custom verify-host callback is installed to treat "LAMPS WG" as the expected server name.
  • In the pure MLKEM tests, capability gating differs by role: when s2n acts as a server, it must sign CertificateVerify with the ML-DSA private key, so the test requires MLKEM + MLDSA. When s2n acts as a client, the test focuses on PQ group negotiation, so MLKEM alone is sufficient.

Testing

  • Existing PQ integration tests were updated and continue to pass when the relevant capabilities are supported
  • Tests correctly fail (or are skipped) when required PQ capabilities are unavailable

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
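
The two callouts above (the pinned verify-host callback and the role-dependent capability gating), modelled as an added example that is not code from this pull request or from s2n-tls. `Capability`, `Role`, `required`, `should_run`, `VerifyHost` and `ExpectName` are hypothetical local stand-ins, not the bindings' own types.

```rust
// Added example: local stand-ins, not the s2n-tls bindings' own types.
#[derive(Clone, Copy, PartialEq, Debug)]
enum Capability { MlKem, MlDsa }

#[derive(Clone, Copy)]
enum Role { Client, Server }

/// Capabilities a pure ML-KEM test needs, by the role s2n plays.
/// As a server s2n signs CertificateVerify with the ML-DSA key, so it needs both.
fn required(s2n_role: Role) -> &'static [Capability] {
    match s2n_role {
        Role::Server => &[Capability::MlKem, Capability::MlDsa],
        Role::Client => &[Capability::MlKem],
    }
}

/// A test runs only if every required capability is available.
fn should_run(s2n_role: Role, available: &[Capability]) -> bool {
    required(s2n_role).iter().all(|c| available.contains(c))
}

/// Shape of a verify-host callback: called with a name from the peer certificate.
trait VerifyHost {
    fn verify_host_name(&self, cert_name: &str) -> bool;
}

/// Accepts exactly one expected name; anything else fails validation.
struct ExpectName(&'static str);

impl VerifyHost for ExpectName {
    fn verify_host_name(&self, cert_name: &str) -> bool {
        cert_name == self.0
    }
}

fn main() {
    let default_verifier = ExpectName("localhost"); // harness default per the PR
    let lamps_verifier = ExpectName("LAMPS WG"); // override described in the PR
    let cn = "LAMPS WG"; // CN of the RFC-derived ML-DSA certificate
    println!("default accepts CN: {}", default_verifier.verify_host_name(cn));
    println!("override accepts CN: {}", lamps_verifier.verify_host_name(cn));
    let only_kem = [Capability::MlKem]; // constructed: build without ML-DSA
    println!("client test runs: {}", should_run(Role::Client, &only_kem));
    println!("server test runs: {}", should_run(Role::Server, &only_kem));
}
```

Pinning the callback to the single expected name keeps hostname verification meaningful in the test; a callback that returns true for every name would also pass but would no longer exercise the check.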

github-actions bot added the s2n-core team label Dec 12, 2025
kaukabrizvi marked this pull request as ready for review December 17, 2025 23:17
kaukabrizvi added this pull request to the merge queue Dec 18, 2025
Merged via the queue into aws:main with commit d326af3 Dec 18, 2025
54 checks passed
kaukabrizvi deleted the ML_DSA_integ branch December 18, 2025 21:10