test(cms): boundary tests for DER length-encoding helpers #15
Merged
Round 3 of the audit-equivalent hardening: kills the cluster of
length-encoding boundary mutants in the DER header helpers that
survived previous rounds.
Why these survived before:
Integration tests sign data of one shape and observe one length, so
every CONDITIONALS_BOUNDARY mutant (e.g. `if length < 128` ↔
`if length <= 128`) flips behaviour only at the exact boundary
values — values no production-API test ever happens to hit. Mutation
testing therefore reported them as LIVED even though the helpers
are exercised on every sign call.
What's added (pkg/cms/length_boundary_test.go):
- lengthEncodingCases: a table of 14 lengths probing both sides of
every DER length-form boundary (0/1, 126/127/128/129, 254/255/
256/257, 65534/65535/65536/65537), with byte-exact expected
length-encoding bytes per X.690 §8.1.3.4.
- TestMakeSequenceHeaderBoundaries: asserts makeSequenceHeader
produces the expected `0x30 <len-bytes>` for every case. Kills
the boundary mutants at signer.go:879/881/883.
- TestMakeSetHeaderBoundaries: same shape for makeSetHeader. Kills
the mutants at signer.go:895/897/899.
- TestMakeHeader_Roundtrip: cross-checks producer/consumer
consistency — every header makeSequenceHeader emits must parse
cleanly via parseASN1Length and recover the original length. Locks
in the invariant against future drift between the strict DER
enforcer (verifier) and the length-form selector (signer).
Mutation testing impact:
- Killed: 197 → 203 (+6)
- Lived: 50 → 44 (-6)
- Efficacy: 79.76% → 82.19% (+2.4 points; crossed 80%)
- Mutator coverage: 85.76% (unchanged)
Statement coverage: 78.9% → 79.2% (+0.3).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Pull request overview
Adds focused boundary-condition unit tests for CMS DER length-encoding helpers to eliminate mutation-testing survivors at exact </<= thresholds and to lock producer/consumer consistency between signer header emission and verifier DER length parsing.
Changes:
- Introduces a shared table of DER length boundary cases (short form and long-form 1/2/3-octet transitions).
- Adds byte-exact table-driven tests for `makeSequenceHeader` and `makeSetHeader`.
- Adds a roundtrip invariant test ensuring `makeSequenceHeader` output is accepted by `parseASN1Length` and yields the original length.
Summary
Round 3 of the audit-equivalent hardening — kills the cluster of length-encoding boundary mutants that survived rounds 1 and 2.
Why these survived previous rounds
Integration and roundtrip tests sign data of one specific shape and observe one specific length. Mutation testing's CONDITIONALS_BOUNDARY mutants (`if length < 128` ↔ `if length <= 128`) only differ in behavior at the exact boundary values — values no production-API test happens to hit. They report as LIVED even though the helpers run on every sign call.
The fix is direct table tests on the helpers with byte-exact expected output at both sides of every DER length-form boundary.
What's added
`pkg/cms/length_boundary_test.go` — three table-driven tests sharing the same case table:
Mutation testing impact
All 6 boundary mutants in `signer.go:879/881/883/895/897/899` (and their `CONDITIONALS_NEGATION` siblings) are now killed.
Test plan
🤖 Generated with Claude Code
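The producer/consumer invariant described above, as an added example that is not code from this PR or the project: a minimal DER length encoder, a strict parser, and a roundtrip check over the 14 boundary lengths the description lists. `encodeDERLength`, `parseDERLength` and `checkRoundtrip` are hypothetical names, and the parser's 4-octet cap is an assumption of this sketch.

```go
package main

import "fmt"

// Hypothetical stand-ins, not the project's makeSequenceHeader/parseASN1Length.
// encodeDERLength returns the minimal (DER) length octets for n >= 0.
func encodeDERLength(n int) []byte {
	if n < 128 { // short form: one octet, high bit clear
		return []byte{byte(n)}
	}
	var body []byte
	for v := n; v > 0; v >>= 8 { // big-endian, no leading zero octet
		body = append([]byte{byte(v)}, body...)
	}
	return append([]byte{0x80 | byte(len(body))}, body...)
}

// parseDERLength decodes length octets and rejects every non-DER form.
func parseDERLength(b []byte) (n, used int, err error) {
	if len(b) == 0 {
		return 0, 0, fmt.Errorf("empty input")
	}
	if b[0] < 0x80 {
		return int(b[0]), 1, nil
	}
	k := int(b[0] & 0x7f)
	if k == 0 || k > 4 || len(b) < 1+k {
		return 0, 0, fmt.Errorf("indefinite, oversized or truncated length")
	}
	for _, o := range b[1 : 1+k] {
		n = n<<8 | int(o)
	}
	if b[1] == 0 || n < 128 { // leading zero, or long form where short fits
		return 0, 0, fmt.Errorf("non-minimal length encoding")
	}
	return n, 1 + k, nil
}

var boundaryLengths = []int{0, 1, 126, 127, 128, 129, 254, 255, 256, 257, 65534, 65535, 65536, 65537}
// checkRoundtrip runs the 14 boundary lengths from the PR through both helpers.
func checkRoundtrip() error {
	for _, want := range boundaryLengths {
		enc := encodeDERLength(want)
		if got, used, err := parseDERLength(enc); err != nil || got != want || used != len(enc) {
			return fmt.Errorf("length %d: enc=% x got=%d err=%v", want, enc, got, err)
		}
	}
	return nil
}
func main() { fmt.Println("roundtrip error:", checkRoundtrip()) }
```

Changing `n < 128` to `n <= 128` in the encoder makes 128 come out as the single octet `0x80`, which the strict parser rejects as indefinite length, so the roundtrip check fails at exactly that boundary value.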