Add new test case to integration tests #324
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #324 +/- ##
==========================================
+ Coverage 97.46% 97.53% +0.06%
==========================================
Files 20 20
Lines 4343 4343
==========================================
+ Hits 4233 4236 +3
+ Misses 110 107 -3 ☔ View full report in Codecov by Sentry. |
|
Why? |
dwhjames
force-pushed
the
amazon-test
branch
from
16f8528 to
70147e6
Compare
@djc, I initially did this privately as I was testing a use case that involves AWS and revocation checking. But I thought the extra test coverage may be of use to the project, so I’ve tidied it up to offer it back. Due to dependency tree restrictions, I originally had to work against v0.101.7. And at that version it seemed the integration test examples for CRLs were limited in number as well as simple (single CRL); moreover, the types were more ‘awkward’. It seems like I’m not offended if this is overkill for the amount of test coverage that this might gain relative to amount of new test code: just trying to offer what might be of use (more coverage / more complex integration example) rather than keep it private. |
Test the Amazon certificate authorities https://www.amazontrust.com/repository/ with and without CRLs.
dwhjames
force-pushed
the
amazon-test
branch
from
70147e6 to
cf8333b
Compare
|
How much code would you have to duplicate to put these tests in a separate file? Would be interesting to look at where the extra coverage is coming from. I think it might be interesting to do this, but it also feels like overkill a bit. How much runtime does it add in practice? Probably not a lot? |
|
Thanks for sharing some tests 👍
From codecov's perspective it doesn't seem like this branch added coverage outside of a 0.07% indirect coverage improvement in src/time.rs. I buy that there could be interesting properties that differ between this test corpus and the existing coverage that are meaningful outside of naive coverage metrics, but I'd like to see those specific differences highlighted. I think it would be a stronger contribution if the new tests were minimized to focus on what's new vs existing. |
tests/integration.rs
Outdated
| let path = cert | ||
| .verify_for_usage( | ||
| webpki::ALL_VERIFICATION_ALGS, | ||
| &all_anchors, | ||
| &intermediates_legacy, | ||
| time, | ||
| KeyUsage::server_auth(), | ||
| crls.map(|l| revocation_options_for_test(l)), | ||
| None, | ||
| ) | ||
| .unwrap(); | ||
|
|
||
| // verify should find shortest path | ||
| assert!(anchors.contains(path.anchor())); |
There was a problem hiding this comment.
@cpu @djc
I’ve scanned the codebase and this is the only test usage of verify_for_usage where the computed path is checked, and specifically this check establishes that the shortest path is found. With the trust anchors and intermediates given here, there are two valid paths for every leaf cert tested.
There was a problem hiding this comment.
specifically this check establishes that the shortest path is found. With the trust anchors and intermediates given here, there are two valid paths for every leaf cert tested.
I believe the better TLS test coverage in tests/better_tls.rs has a variety of test cases that exercise path building like this. Did you take a peek at those?
There was a problem hiding this comment.
I didn’t, but now I’m looking
I’m actually not seeing a test case that matches what is seen in figures 1 & 2 in
of course, there are a lot of complex/pathological cases in that bettertls suite.
Note the integration of this crate with better_tls also has no revocation checking.
Lines 79 to 86 in 84b1463
There was a problem hiding this comment.
Note the integration of this crate with better_tls also has no revocation checking.
Fair point 👍
tests/integration.rs
Outdated
| for &crls in &[&intermediates_crls, &all_crls] { | ||
| assert!( | ||
| cert.verify_for_usage( | ||
| webpki::ALL_VERIFICATION_ALGS, | ||
| &anchors, | ||
| &intermediates, | ||
| time, | ||
| KeyUsage::server_auth(), | ||
| Some(revocation_options_for_test(crls)), | ||
| None, | ||
| ) | ||
| .is_err_and(|e| matches!(e, webpki::Error::CertRevoked)) |
There was a problem hiding this comment.
@cpu @djc to the best of my ability, I couldn’t see any other test cases where revocation checking occurs,
- with real-world CRLs (as opposed to those constructed by generate.py), i.e. production data and not trivially small data (hypothesis being that real data can be weird and thus useful for finding edge cases and regressions)
- where the collection of CRLs are from multiple authorities
There was a problem hiding this comment.
The assertion immediately above this one is complementary (shows the revoked certificates will verify if the crls from the intermediate CAs are not given).
tests/integration.rs
Outdated
| assert!( | ||
| cert.verify_for_usage( | ||
| webpki::ALL_VERIFICATION_ALGS, | ||
| &anchors, | ||
| &intermediates, | ||
| time, | ||
| KeyUsage::server_auth(), | ||
| None, | ||
| None, | ||
| ) | ||
| .is_err_and(|e| matches!(e, webpki::Error::CertExpired { .. })) | ||
| ); |
There was a problem hiding this comment.
@cpu @djc if you’re looking for code to trim, this is likely lower value; I included this for completeness (test everything that https://www.amazontrust.com/repository/ has to offer) but there are already tests for expiry.
@djc, sub 1 second on my machine (2.3 GHz Intel Core i9) |
|
Some additional coverage to note: these certificates cover RSA (2048, 4096) and EC (P-256, P-384) along with SHA-256 and SHA-384. I sampled around and saw some but not all of these (no RSA-4096 or EC P-384 from my admittedly incomplete sampling). |
@djc, almost nothing, I think. |
dwhjames
force-pushed
the
amazon-test
branch
from
da11edf to
01633d5
Compare
|
@cpu is there something broken with the CI configuration? All the integration tests appears to be filtered out, rather than running. and that seems to be the case on at least the previous PR |
Test the Amazon certificate authorities
https://www.amazontrust.com/repository/
with and without CRLs.