feat(xtest): add X-Wing hybrid PQ/T KEM (ML-KEM-768 + X25519) test support#427
feat(xtest): add X-Wing hybrid PQ/T KEM (ML-KEM-768 + X25519) test support#427dmihalcik-virtru wants to merge 7 commits intomainfrom
Conversation
|
Important Review skippedDraft detected. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces support for X-Wing hybrid post-quantum/traditional KEM (Key Encapsulation Mechanism). This includes updating ABAC definitions for X-Wing, adding new key management fixtures for X-Wing keys and attributes, and extending SDK CLI support checks to include the mechanism-xwing feature. A new test file test_pqc_xwing.py has been added to verify X-Wing encryption and decryption, including hybrid scenarios with EC keys. The review comments highlight a problematic global caching mechanism in the new X-Wing tests that could lead to test isolation issues and a PEP 8 violation. Additionally, there is a duplicate code block for platform feature caching and a redundant require method in tdfs.py that should be addressed for code cleanliness and API consistency.
| from abac import Attribute, KasKey | ||
| from tdfs import KeyAccessObject | ||
|
|
||
| cipherTexts: dict[str, Path] = {} |
There was a problem hiding this comment.
The global cipherTexts dictionary used for caching encrypted TDF files is problematic. Since tmp_dir is typically a function-scoped fixture (like the standard tmp_path), the directory and its contents are deleted or rotated after each test iteration. Subsequent tests (e.g., when parametrized across different SDKs) will attempt to use a path from a previous test's tmp_dir that may no longer exist or is not associated with the current test execution.
Additionally, the variable name cipherTexts violates PEP 8 naming conventions (should be cipher_texts).
It is recommended to remove this caching logic and re-encrypt for each test case to ensure test isolation and reliability, or use a session-scoped fixture if caching is strictly necessary for performance.
| _cached_pfs: PlatformFeatureSet | None = None | ||
|
|
||
|
|
||
| def get_platform_features() -> PlatformFeatureSet: | ||
| """Return a cached PlatformFeatureSet singleton.""" | ||
| global _cached_pfs | ||
| if _cached_pfs is None: | ||
| _cached_pfs = PlatformFeatureSet() | ||
| return _cached_pfs | ||
|
|
||
|
|
||
| _cached_pfs: PlatformFeatureSet | None = None | ||
|
|
||
|
|
There was a problem hiding this comment.
This entire block (lines 155-168) is a duplicate of the implementation provided immediately below (lines 169-174). It appears that _cached_pfs and get_platform_features were added twice in this file, likely due to a merge or copy-paste error. Please remove the redundant first definition.
| def require(self, *features: feature_type): | ||
| """Skip the current test if any of the given features are unsupported.""" | ||
| for feature in features: | ||
| if feature not in self.features: | ||
| pytest.skip( | ||
| f"platform service {self.version} doesn't yet support [{feature}]" | ||
| ) |
There was a problem hiding this comment.
The require method is redundant as it provides nearly identical functionality to the existing skip_if_unsupported method (lines 146-152). To maintain a clean and consistent API, consider removing require and using skip_if_unsupported instead. skip_if_unsupported is slightly more informative as it identifies all missing features in a single skip message rather than stopping at the first one.
X-Test Results✅ java-v0.13.0 |
…pport Add integration test infrastructure for the X-Wing post-quantum/traditional hybrid KEM algorithm (draft-connolly-cfrg-xwing-kem-10) to prepare for Q-Day readiness testing. - Register hpqt:xwing algorithm (enum 30) in abac.py - Add "mechanism-xwing" feature type with platform version gating (>= 0.14.0) - Add SDK feature detection in go/java/js cli.sh via encrypt help grep - Create fixtures/pqc.py with key_xwing, attribute_with_xwing_key, and attribute_with_xwing_and_ec_keys fixtures - Create test_pqc_xwing.py with roundtrip tests for X-Wing-only and mixed X-Wing + EC multi-mechanism encryption - Assert X-Wing KEM-specific sizes (1216-byte encapsulation key, 1120-byte ciphertext) on KAO and registered public key Tests will gracefully skip until platform and SDKs ship X-Wing support. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Support building and testing multiple post-quantum platform variants side by side. This enables comparing different X-Wing implementations (e.g., from separate branches) by building variant-specific otdfctl binaries and switching the platform backend at runtime. - otdf-sdk-mgr: add `install variant` command that generates per-variant go.work files and builds otdfctl against a platform variant's modules - otdf-local: enable OTDF_LOCAL_PLATFORM_DIR env var to override the auto-discovered platform directory - Go SDK Makefile: add `build-variant` target using GOWORK env var - xtest: extend --sdks to accept sdk:version qualifiers (e.g., go:gemini) for filtering specific SDK versions during test runs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
When using OTDF_LOCAL_PLATFORM_DIR to point at a fresh platform checkout (e.g. PQC variant branches), the required KAS and Keycloak TLS keys may not exist yet. This adds automatic key generation during `otdf-local up` so variant backends work out of the box. KAS keys are per-variant (in platform_dir), while Keycloak CA/TLS keys are shared in xtest/tmp/keys/ and passed via KEYS_DIR env var to docker compose. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…nv) works cleanly All diagnostic/status console output now goes to stderr. Machine-readable data (JSON output, shell export lines) goes to stdout. Adds print_json() helper using a stdout Console for use in env and ls --json commands. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
dmihalcik-virtru
force-pushed
the
DSPX-2791-xwing
branch
from
8b4fcc1 to
64c22c4
Compare
X-Test Results✅ java-main |
|
X-Test Results✅ java-main |
1 participant
Add integration test infrastructure for the X-Wing post-quantum/traditional
hybrid KEM algorithm (draft-connolly-cfrg-xwing-kem-10) to prepare for Q-Day
readiness testing.
attribute_with_xwing_and_ec_keys fixtures
mixed X-Wing + EC multi-mechanism encryption
1120-byte ciphertext) on KAO and registered public key
Tests will gracefully skip until platform and SDKs ship X-Wing support.
Co-Authored-By: Claude Opus 4.6 (1M context) noreply@anthropic.com