test(integration): add coverage of error types for cert related failures#5755
Open
test(integration): add coverage of error types for cert related failures#5755
Conversation
maddeleine
reviewed
Feb 24, 2026
| { | ||
| let mut pair = TestPair::from_configs(&client, &server); | ||
| let err = pair.handshake().unwrap_err(); | ||
| // Error { |
Contributor
There was a problem hiding this comment.
What is this comment for?
| } | ||
| } | ||
|
|
||
| /// When a client cert chain is signed with signatures that aren't allowed by the |
Contributor
There was a problem hiding this comment.
Is there a reason why these are all client auth tests?
| let server_cert = CertMaterials::from_permutation("rsae_pkcs_3072_sha384"); | ||
| // The client cert has a valid key (RSA3072) but an invalid signature | ||
| // (SHA256 digest) | ||
| let client_cert = CertMaterials::from_permutation("rsae_pkcs_3072_sha256"); |
Contributor
There was a problem hiding this comment.
Consider adding a success case using rsae_pkcs_3072_sha384 before the failure case of rsae_pkcs_3072_sha256(same with the curves test) to codify that the failure is due to the digest and not some other reason. Otherwise I don't really know how much assurance these tests are giving us, besides failing with the correct error. But like you've mentioned, we throw that error a lot.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Goal
Add integration test coverage of cert related failures
Why
I'm going to be adding some more distinct error types for host name and security policy related failures. But I needed to confirm our current behavior.
So I figured I'd just add these tests as a separate PR because it will make my error change easier to review.
How
Just using our integration test harness to look at the returned error types.
Testing
I did print out the s2n-tls error message and check that I was hitting the expected line numbers for the failures, and not one of the ~14 other places that we return
CERT_UNTRUSTED.By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.