Merged
Signed-off-by: Christian Walter <christian.walter@9elements.com>
Pull request overview
This PR replaces the previous integration-tests crate with two provider-focused integration test crates (OpenSSL CLI + OpenSSL C API via gtest), wires them into xtask and CI, and updates the OpenSSL provider to keep the default provider loaded to avoid internal EVP recursion.
Changes:
- Split provider integration testing into provider-integration-tests-cli (lit + shell scripts) and provider-integration-tests-capi (Rust harness running a C++ gtest binary).
- Update xtask and CI workflow to run both integration suites and isolate/clean generated key material under target/test-keymat/.
- Update provider init/teardown to retain and release a reference to the OpenSSL “default” provider in the NULL library context.
Reviewed changes
Copilot reviewed 68 out of 69 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| xtask/src/integration_tests.rs | Clean target/test-keymat and run CLI + C API integration test packages. |
| xtask/src/coverage.rs | Exclude the two provider integration test crates from coverage runs. |
| plugins/ossl_prov/src/azihsm_ossl_base.c | Keep NULL-context default provider loaded (store ref; unload on teardown/failures). |
| plugins/ossl_prov/inc/azihsm_ossl_base.h.in | Add default_provider field to provider context struct. |
| plugins/ossl_prov/inc/azihsm_ossl_base.h | Add default_provider field to provider context struct. |
| plugins/ossl_prov/integration-tests/openssl-cli/testfiles/env.sh | Generate per-run openssl.cnf in target/test-keymat/cli and set OPENSSL_CONF. |
| plugins/ossl_prov/integration-tests/openssl-cli/testfiles/digest/digest.sh | Rely on OPENSSL_CONF for provider loading (remove explicit provider flags). |
| plugins/ossl_prov/integration-tests/openssl-cli/testfiles/ec/certificate/certificate.sh | Remove explicit provider flags; rely on config auto-loading. |
| plugins/ossl_prov/integration-tests/openssl-cli/testfiles/ec/create_key/create_key.sh | Remove explicit provider flags; rely on config auto-loading. |
| plugins/ossl_prov/integration-tests/openssl-cli/testfiles/ec/create_key/create_key_negative.sh | Remove explicit provider flags; rely on config auto-loading. |
| plugins/ossl_prov/integration-tests/openssl-cli/testfiles/ec/ecdh_hkdf_hmac_roundtrip/ecdh_hkdf_hmac_roundtrip.sh | Remove explicit provider flags; rely on config auto-loading. |
| plugins/ossl_prov/integration-tests/openssl-cli/testfiles/ec/ecdh_key_exchange/ecdh_key_exchange.sh | Remove explicit provider flags; rely on config auto-loading. |
| plugins/ossl_prov/integration-tests/openssl-cli/testfiles/ec/hkdf_key_derivation/hkdf_key_derivation.sh | Remove explicit provider flags; rely on config auto-loading. |
| plugins/ossl_prov/integration-tests/openssl-cli/testfiles/ec/hkdf_key_derivation/hmac_key_derivation.sh | Remove explicit provider flags; rely on config auto-loading. |
| plugins/ossl_prov/integration-tests/openssl-cli/testfiles/ec/hmac/hmac.sh | Remove explicit provider flags; rely on config auto-loading. |
| plugins/ossl_prov/integration-tests/openssl-cli/testfiles/ec/import_key/import_key.sh | Remove explicit provider flags; rely on config auto-loading. |
| plugins/ossl_prov/integration-tests/openssl-cli/testfiles/ec/import_key/import_key_negative_invalid_path.sh | Remove explicit provider flags; rely on config auto-loading. |
| plugins/ossl_prov/integration-tests/openssl-cli/testfiles/ec/import_key_sec1/import_key_sec1.sh | Remove explicit provider flags; rely on config auto-loading. |
| plugins/ossl_prov/integration-tests/openssl-cli/testfiles/ec/import_wrapped_key/import_wrapped_key.sh | Remove explicit provider flags; rely on config auto-loading. |
| plugins/ossl_prov/integration-tests/openssl-cli/testfiles/ec/round_trip/round_trip.sh | Remove explicit provider flags; rely on config auto-loading. |
| plugins/ossl_prov/integration-tests/openssl-cli/testfiles/ec/round_trip/round_trip_import.sh | Remove explicit provider flags; rely on config auto-loading. |
| plugins/ossl_prov/integration-tests/openssl-cli/testfiles/ec/sign/oneshot_sign.sh | Remove explicit provider flags; rely on config auto-loading. |
| plugins/ossl_prov/integration-tests/openssl-cli/testfiles/ec/sign/sign.sh | Remove explicit provider flags; rely on config auto-loading. |
| plugins/ossl_prov/integration-tests/openssl-cli/testfiles/ec/verify/oneshot_verify.sh | Remove explicit provider flags; rely on config auto-loading. |
| plugins/ossl_prov/integration-tests/openssl-cli/testfiles/ec/verify/verify.sh | Remove explicit provider flags; rely on config auto-loading. |
| plugins/ossl_prov/integration-tests/openssl-cli/testfiles/ec/verify/verify_negative_tampered_data.sh | Remove explicit provider flags; rely on config auto-loading. |
| plugins/ossl_prov/integration-tests/openssl-cli/testfiles/ec/verify/verify_negative_wrong_key.sh | Remove explicit provider flags; rely on config auto-loading. |
| plugins/ossl_prov/integration-tests/openssl-cli/testfiles/rsa/certificate/certificate.sh | Remove explicit provider flags; rely on config auto-loading. |
| plugins/ossl_prov/integration-tests/openssl-cli/testfiles/rsa/default_padding/round_trip.sh | Remove explicit provider flags; rely on config auto-loading. |
| plugins/ossl_prov/integration-tests/openssl-cli/testfiles/rsa/import_key/import_key.sh | Remove explicit provider flags; rely on config auto-loading. |
| plugins/ossl_prov/integration-tests/openssl-cli/testfiles/rsa/import_key/import_key_negative_invalid_path.sh | Remove explicit provider flags; rely on config auto-loading. |
| plugins/ossl_prov/integration-tests/openssl-cli/testfiles/rsa/import_wrapped_key/import_wrapped_key.sh | Remove explicit provider flags; rely on config auto-loading. |
| plugins/ossl_prov/integration-tests/openssl-cli/testfiles/rsa/oaep_encryption/oaep_encryption.sh | Remove explicit provider flags; rely on config auto-loading. |
| plugins/ossl_prov/integration-tests/openssl-cli/testfiles/rsa/oneshot_round_trip/oneshot_round_trip.sh | Remove explicit provider flags; rely on config auto-loading. |
| plugins/ossl_prov/integration-tests/openssl-cli/testfiles/rsa/oneshot_sign/oneshot_sign.sh | Remove explicit provider flags; rely on config auto-loading. |
| plugins/ossl_prov/integration-tests/openssl-cli/testfiles/rsa/oneshot_verify/oneshot_verify.sh | Remove explicit provider flags; rely on config auto-loading. |
| plugins/ossl_prov/integration-tests/openssl-cli/testfiles/rsa/pkcs1_encryption/pkcs1_encryption.sh | Remove explicit provider flags; rely on config auto-loading. |
| plugins/ossl_prov/integration-tests/openssl-cli/testfiles/rsa/round_trip/round_trip.sh | Remove explicit provider flags; rely on config auto-loading. |
| plugins/ossl_prov/integration-tests/openssl-cli/testfiles/rsa/rsa-pss-specific/sign.sh | Remove explicit provider flags; rely on config auto-loading. |
| plugins/ossl_prov/integration-tests/openssl-cli/testfiles/rsa/rsa-pss-specific/verify.sh | Remove explicit provider flags; rely on config auto-loading. |
| plugins/ossl_prov/integration-tests/openssl-cli/testfiles/rsa/rsa_pss_default_padding/round_trip.sh | Remove explicit provider flags; rely on config auto-loading. |
| plugins/ossl_prov/integration-tests/openssl-cli/testfiles/rsa/sign/sign.sh | Remove explicit provider flags; rely on config auto-loading. |
| plugins/ossl_prov/integration-tests/openssl-cli/testfiles/rsa/verify/verify.sh | Remove explicit provider flags; rely on config auto-loading. |
| plugins/ossl_prov/integration-tests/openssl-cli/testfiles/rsa/verify/verify_negative_tampered_data.sh | Remove explicit provider flags; rely on config auto-loading. |
| plugins/ossl_prov/integration-tests/openssl-cli/testfiles/rsa/verify/verify_wrong_key.sh | Remove explicit provider flags; rely on config auto-loading. |
| plugins/ossl_prov/integration-tests/openssl-cli/src/openssl_cli_tests.rs | New Rust test runner invoking lit-based shell tests across parameter sets. |
| plugins/ossl_prov/integration-tests/openssl-cli/Cargo.toml | Rename crate to provider-integration-tests-cli and register the test target. |
| plugins/ossl_prov/integration-tests/openssl-cli/.gitignore | Ignore CLI test artifacts produced by scripts. |
| plugins/ossl_prov/integration-tests/openssl-capi/Cargo.toml | Add provider-integration-tests-capi crate with a custom (non-harness) test runner. |
| plugins/ossl_prov/integration-tests/openssl-capi/build.rs | Build the C++ gtest binary via CMake only when integration feature is enabled. |
| plugins/ossl_prov/integration-tests/openssl-capi/cpp/CMakeLists.txt | Define gtest-based C++ test build and enforce OPENSSL_ROOT_DIR. |
| plugins/ossl_prov/integration-tests/openssl-capi/cpp/main.cpp | Disable default-context config autoload and run gtest. |
| plugins/ossl_prov/integration-tests/openssl-capi/cpp/openssl_capi_integration_tests.rs | Rust harness that discovers gtests and runs each test case as a subprocess. |
| plugins/ossl_prov/integration-tests/openssl-capi/cpp/smoke_tests.cpp | Provider load/name smoke tests using a dedicated OpenSSL library context. |
| plugins/ossl_prov/integration-tests/openssl-capi/cpp/utils/provider_ctx.hpp | RAII OpenSSL context + config loader for C++ tests. |
| plugins/ossl_prov/integration-tests/openssl-capi/cpp/utils/ossl_helpers.hpp | Unique_ptr deleters for OpenSSL EVP/KDF/MAC types. |
| plugins/ossl_prov/integration-tests/openssl-capi/cpp/utils/keygen_helpers.hpp | Test helpers for session EC keys, imported RSA session keys, and masked key derivation. |
| plugins/ossl_prov/integration-tests/openssl-capi/cpp/algo/digest/digest_tests.cpp | Streaming digest tests via EVP API. |
| plugins/ossl_prov/integration-tests/openssl-capi/cpp/algo/ec/sign_verify_tests.cpp | EC session key sign/verify + negative tests via EVP. |
| plugins/ossl_prov/integration-tests/openssl-capi/cpp/algo/ec/keyexch_tests.cpp | ECDH session key derivation tests (buffer + file) and mismatched-curve negative test. |
| plugins/ossl_prov/integration-tests/openssl-capi/cpp/algo/ec/ecdh_hkdf_hmac_tests.cpp | End-to-end ECDH → HKDF → HMAC round-trip via EVP APIs. |
| plugins/ossl_prov/integration-tests/openssl-capi/cpp/algo/kdf/hkdf_tests.cpp | HKDF derive tests (with/without salt/info, differing salt output). |
| plugins/ossl_prov/integration-tests/openssl-capi/cpp/algo/mac/hmac_tests.cpp | HMAC tests using HKDF-derived masked keys. |
| plugins/ossl_prov/integration-tests/openssl-capi/cpp/algo/rsa/sign_verify_tests.cpp | RSA session key sign/verify tests (PKCS#1 v1.5 + PSS) and negative cases. |
| plugins/ossl_prov/integration-tests/openssl-capi/cpp/algo/rsa/enc_dec_tests.cpp | RSA-OAEP encrypt/decrypt tests + wrong-key negative case. |
| integration-tests/src/lib.rs | Remove the old monolithic integration-tests crate test suite. |
| Cargo.toml | Update workspace members to include the two new provider integration test crates. |
| .github/workflows/rust.yml | Run CLI and C API integration tests as separate CI steps/packages. |
| .cargo/audit.toml | Update advisory-ignore comment to reflect new test crate name. |
Comments suppressed due to low confidence (1)
plugins/ossl_prov/integration-tests/openssl-cli/testfiles/env.sh:94
- Because this script now relies on an absolute module = $PROVIDER_SO in the generated openssl.cnf, it becomes more important that the dynamic linker can also resolve libazihsm_api_native.so (often located alongside azihsm_provider.so in PROVIDER_PATH). Currently LD_LIBRARY_PATH is set only from OPENSSL_LIB and overwrites any existing value, which can make provider loading fail in local dev runs unless the native library is installed system-wide. Consider prepending PROVIDER_PATH and preserving the existing LD_LIBRARY_PATH (as documented in plugins/ossl_prov/README.md).
plugins/ossl_prov/integration-tests/openssl-capi/cpp/utils/keygen_helpers.hpp
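The LD_LIBRARY_PATH handling suggested in the suppressed comment above, as an added example (not code from this PR or from env.sh): it puts PROVIDER_PATH and OPENSSL_LIB in front of the existing value and drops empty entries, which ld.so would otherwise read as the current working directory. The function name build_ld_library_path and the sample directories are assumptions.

```shell
#!/bin/sh
# Constructed example. PROVIDER_PATH, OPENSSL_LIB and LD_LIBRARY_PATH are the
# variable names from the review comment; the sample directories are made up.

# build_ld_library_path EXISTING DIR...
# Prints DIR... (highest priority first) followed by the entries of EXISTING.
build_ld_library_path() {
    existing=$1
    shift
    # New entries must be absolute so the result does not depend on the cwd.
    for dir in "$@"; do
        case $dir in
            /*) ;;
            *) echo "not an absolute directory: '$dir'" >&2; return 1 ;;
        esac
    done
    result=
    old_ifs=$IFS
    IFS=:
    set -f                      # no globbing while $existing is split on ':'
    for entry in "$@" $existing; do
        # ld.so reads an empty entry as the current working directory; drop it.
        [ -n "$entry" ] || continue
        # Keep only the first occurrence of each directory.
        case ":$result:" in
            *":$entry:"*) continue ;;
        esac
        result=${result:+$result:}$entry
    done
    set +f
    IFS=$old_ifs
    printf '%s\n' "$result"
}

PROVIDER_PATH=${PROVIDER_PATH:-/opt/azihsm/lib}      # constructed default
OPENSSL_LIB=${OPENSSL_LIB:-/opt/openssl/lib64}       # constructed default
LD_LIBRARY_PATH=$(build_ld_library_path "${LD_LIBRARY_PATH:-}" "$PROVIDER_PATH" "$OPENSSL_LIB")
export LD_LIBRARY_PATH
```

A plain `LD_LIBRARY_PATH="$PROVIDER_PATH:$LD_LIBRARY_PATH"` leaves a trailing colon when the variable was unset, which is the empty-entry case the function filters out.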
rajesh-gali
approved these changes
Mar 21, 2026
This PR should replace #232.