# Synta Test Suite
**Table of Contents** *generated with [DocToc](https://github.com/thlorenz/doctoc)*
- [Test Files](#test-files)
- [Core Functionality Tests](#core-functionality-tests)
- [Encoding/Decoding Tests](#encodingdecoding-tests)
- [Real-World Integration Tests](#real-world-integration-tests)
- [Serde Tests](#serde-tests)
- [Cryptography Vectors Tests](#cryptography-vectors-tests)
- [Test Certificates](#test-certificates)
- [What These Tests Validate](#what-these-tests-validate)
- [Running Tests](#running-tests)
- [Test Vectors](#test-vectors)
- [Test Statistics](#test-statistics)
- [Comparison with Industry Tools](#comparison-with-industry-tools)
- [Adding New Tests](#adding-new-tests)
- [Continuous Integration](#continuous-integration)
- [Extended Certificate Vectors Tests](#extended-certificate-vectors-tests)
- [Test Repositories](#test-repositories)
- [What It Does](#what-it-does)
- [Test Results](#test-results)
- [Supported Cryptographic Algorithms](#supported-cryptographic-algorithms)
- [Expected Failures](#expected-failures)
- [Requirements](#requirements)
- [Post-Quantum Certificate Test Results](#post-quantum-certificate-test-results)
- [Running the Tests](#running-the-tests)
- [See Also](#see-also)
This directory contains comprehensive tests for the Synta ASN.1 library.
## Test Files
### Core Functionality Tests
- **tag_tests.rs** (7 tests) - Tag encoding/decoding for all classes (Universal, Application, Context-specific, Private)
- **length_tests.rs** (7 tests) - Length encoding/decoding (short form, long form, indefinite)
- **primitive_tests.rs** (8 tests) - Primitive types (Boolean, Integer, Null, OctetString, BitString)
- **oid_tests.rs** (7 tests) - Object Identifier encoding/decoding and validation
- **string_tests.rs** (10 tests) - String types (UTF8String, PrintableString, IA5String)
- **time_tests.rs** (9 tests) - Time types (UTCTime, GeneralizedTime)
- **constructed_tests.rs** (13 tests) - Constructed types (Sequence, Set, SequenceOf, SetOf)
- **tagged_tests.rs** (15 tests) - Tagged types (ExplicitTag, ImplicitTag)
### Encoding/Decoding Tests
- **encoder_tests.rs** (5 tests) - Encoder functionality and backpatching
- **der_compliance_tests.rs** (13 tests) - DER strict compliance validation
- **ber_tests.rs** (9 tests) - BER relaxed encoding support
- **roundtrip.rs** (8 tests) - Roundtrip encoding/decoding verification
### Real-World Integration Tests
- **x509_tests.rs** (9 tests) - X.509 certificate structure parsing
- **cryptography_vectors_tests.rs** (6 tests) - Real certificates from OpenSSL, validates against industry-standard test vectors
- **cryptography_vectors_tests_extended.rs** (2 tests, ignored by default) - Comprehensive validation against Python Cryptography project's 200+ test vectors
### Serde Tests
- **serde_tests.rs** (30 tests) - Serialize/Deserialize for all ASN.1 types (requires `serde` feature)
- Round-trip JSON serialization for every primitive and constructed type
- Hex encoding of `OctetString` and `BitString`
- Dotted-decimal encoding of `ObjectIdentifier`
- `Element` tree serialization including tag/length/value fields
## Cryptography Vectors Tests
The `cryptography_vectors_tests.rs` file contains tests using real X.509 certificates generated with OpenSSL, similar to the test vectors used by the Python Cryptography project.
The `cryptography_vectors_tests_extended.rs` file contains comprehensive tests that clone the actual pyca/cryptography repository and validate against all 200+ test certificate files. These tests are ignored by default because they require network access and take several seconds to run.
### Test Certificates
1. **RSA Certificate** - 2048-bit RSA, SHA-256 signature
- Tests RSA algorithm OID parsing
- Validates certificate structure (TBSCertificate, signatureAlgorithm, signatureValue)
- Verifies serial numbers, validity periods, and extensions
2. **ECDSA Certificate** - ECDSA P-256, SHA-256 signature
- Tests ECDSA algorithm OID parsing
- Validates elliptic curve certificate structures
### What These Tests Validate
1. **test_parse_rsa_certificate_from_cryptography_vectors**
- Parses real RSA certificate from PEM format
- Validates 3-element structure (TBSCertificate, signatureAlgorithm, signatureValue)
- Verifies signature algorithm OID (1.2.840.113549.1.1.11 = SHA256WithRSA)
- Checks that signature value is present and non-empty
2. **test_parse_ecdsa_certificate_from_cryptography_vectors**
- Parses real ECDSA certificate from PEM format
- Validates ECDSA signature algorithm OID (1.2.840.10045.4.3.2 = ECDSA with SHA256)
3. **test_roundtrip_cryptography_vectors**
- Decodes certificate, re-encodes it, and verifies identical structure
- Ensures DER encoding is deterministic
4. **test_extract_certificate_fields**
- Extracts specific fields (serial number, OIDs) from certificate
- Validates field positions and types
- Counts OIDs to ensure all algorithm identifiers and attributes are parsed
5. **test_parse_all_universal_tag_types**
- Verifies that various Universal tag types are encountered
- Ensures parser handles INTEGER, BIT STRING, OBJECT IDENTIFIER, SEQUENCE, SET, time types, and strings
6. **test_certificate_structure_depth**
- Validates proper nesting depth (4-10 levels typical for X.509)
- Ensures depth progression is logical
### Running Tests
```bash
# Run all tests
cargo test
# Run only cryptography vectors tests
cargo test --test cryptography_vectors_tests
# Run with output
cargo test --test cryptography_vectors_tests -- --nocapture
# Run specific test
cargo test test_parse_rsa_certificate_from_cryptography_vectors
# Run serde tests (requires serde feature)
cargo test -p synta --features serde --test serde_tests
# Run comprehensive Python Cryptography vectors test (requires network)
cargo test --test cryptography_vectors_tests_extended -- --ignored --nocapture
# Run sample test (first 10 files only)
cargo test --test cryptography_vectors_tests_extended test_cryptography_vectors_sample -- --ignored --nocapture
```
## Test Vectors
Certificate test vectors are stored under `tests/vectors/`:
```
tests/vectors/
├── README.md directory guide
├── fetch.sh script to download external vectors
├── test_certificate.der minimal self-signed cert (DER) ← committed
├── test_certificate.pem minimal self-signed cert (PEM) ← committed
├── cryptography/ pyca/cryptography x509 vectors ← fetched
├── dilithium-certificates/ LAMPS WG ML-DSA example certs ← fetched
└── kyber-certificates/ LAMPS WG ML-KEM example certs ← fetched
```
The committed files (`test_certificate.*`) are generated by:
```bash
cargo run --example generate_test_cert
```
The external directories are populated by:
```bash
bash tests/vectors/fetch.sh
```
`fetch.sh` requires git ≥ 2.25 and network access on first run; subsequent runs are idempotent. The Rust test harness (`tests/test_utils/repo.rs`) also clones the same directories on demand when the extended tests run.
### Test Statistics
- **Total Tests**: 165 tests (135 core + 30 serde)
- **Coverage**: All ASN.1 primitives, constructed types, encoding rules, serde integration
- **Real-World Validation**: X.509 certificates from OpenSSL
- **Status**: All tests passing
### Comparison with Industry Tools
The cryptography vectors tests can be validated against OpenSSL:
```bash
# Generate test certificate
openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 365 \
-subj "/C=US/ST=CA/L=San Francisco/O=Test/CN=test.com"
# Parse with OpenSSL
openssl asn1parse -in cert.pem -inform PEM
# Parse with Synta
cargo run --example asn1parse cert.pem
```
Both tools should produce identical tree structures (offsets, depths, lengths, types).
## Adding New Tests
When adding new tests:
1. Follow existing naming conventions
2. Test both encoding and decoding
3. Include error cases where applicable
4. Add roundtrip tests for complex types
5. Update this README with test descriptions
## Continuous Integration
All tests are run automatically on:
- Every commit
- Pull requests
- Before release
Tests must pass with:
- Zero warnings
- 100% success rate
- Clean release build
## Extended Certificate Vectors Tests
The `cryptography_vectors_tests_extended.rs` file provides comprehensive validation against certificate test vectors from multiple sources:
### Test Repositories
1. **Python Cryptography Project** (`test_all_cryptography_vectors`)
- Repository: https://github.com/pyca/cryptography
- Tests traditional X.509 certificates (RSA, ECDSA, EdDSA, DSA)
- 207+ test vectors covering various edge cases
2. **LAMPS ML-DSA Certificates** (`test_lamps_ml_dsa_certificates`)
- Repository: https://github.com/lamps-wg/dilithium-certificates
- Tests post-quantum ML-DSA (Dilithium) signatures
- Reference implementation from IETF LAMPS working group
3. **LAMPS ML-KEM Certificates** (`test_lamps_ml_kem_certificates`)
- Repository: https://github.com/lamps-wg/kyber-certificates
- Tests post-quantum ML-KEM (Kyber) key encapsulation
- Includes hybrid certificates (ML-DSA signatures + ML-KEM keys)
### What It Does
1. **Clones Repositories**: Performs shallow clones with sparse checkout for efficiency
2. **Finds Test Vectors**: Recursively locates all certificate files (`.pem`, `.der`, `.crt`, `.pub`)
3. **Parses All Files**: Attempts to parse each certificate file
4. **Identifies Algorithms**: Recognizes traditional and post-quantum cryptographic algorithms
5. **Collects Statistics**: Tracks success/failure rates, algorithm types, and ASN.1 node counts
6. **Reports Results**: Provides detailed summary of parsing results
### Test Results
Latest run against pyca/cryptography repository:
```
Total files: 207
PEM files: 153
DER files: 54
Successfully parsed: 169 (81.6%)
Failed: 38 (18.4%)
Signature algorithms:
RSA: 140
ECDSA: 9
EdDSA: 3
DSA: 3
Other: 14
Total ASN.1 nodes: 37,900
Avg nodes/cert: 224.3
```
### Supported Cryptographic Algorithms
The test suite recognizes and classifies the following signature algorithms by their OIDs:
**Traditional Algorithms:**
- **RSA** (1.2.840.113549.1.1.*) - RSA with various hash functions
- **ECDSA** (1.2.840.10045.4.*) - Elliptic Curve Digital Signature Algorithm
- **DSA** (1.2.840.10040.4.*) - Traditional Digital Signature Algorithm
- **EdDSA** - Edwards-curve Digital Signature Algorithm:
- Ed25519 (1.3.101.112) - RFC 8410
- Ed448 (1.3.101.113) - RFC 8410
**Post-Quantum Algorithms (NIST PQC):**
- **ML-DSA** (FIPS 204) - Module-Lattice Digital Signature Algorithm:
- ML-DSA-44 (2.16.840.1.101.3.4.3.17) - Security Level 2
- ML-DSA-65 (2.16.840.1.101.3.4.3.18) - Security Level 3
- ML-DSA-87 (2.16.840.1.101.3.4.3.19) - Security Level 5
- **ML-KEM** (FIPS 203) - Module-Lattice Key Encapsulation Mechanism:
- ML-KEM-512 (2.16.840.1.101.3.4.4.1) - Security Level 1
- ML-KEM-768 (2.16.840.1.101.3.4.4.2) - Security Level 3
- ML-KEM-1024 (2.16.840.1.101.3.4.4.3) - Security Level 5
Note: ML-DSA and ML-KEM are the standardized names for the algorithms previously known as Dilithium and Kyber, respectively. While the current test vectors don't include post-quantum certificates, the parser is ready to recognize them when they become available.
### Expected Failures
Many "failures" are actually correct behavior for intentionally malformed test vectors:
- **Bad Time Formats**: `badasn1time.pem`, `crl_invalid_time.der` - intentionally invalid time encoding
- **Invalid Strings**: `invalid_utf8_common_name.pem`, `crl_issuer_invalid_printable_string.der` - invalid character encodings
- **Unsupported Types**: OCSP responses, CSR files - different ASN.1 structures that aren't X.509 certificates
- **Intentionally Malformed**: Files prefixed with `bad-*` or `invalid-*` are test vectors for error handling
### Requirements
- Git installed and in PATH
- Network access to github.com (first run only)
- ~5 seconds for first run (clones repository)
- Subsequent runs are fast (reuses cloned repository in `tests/vectors/`)
Pre-fetch the vectors to avoid on-demand cloning during tests:
```bash
bash tests/vectors/fetch.sh
```
### Post-Quantum Certificate Test Results
Latest runs against LAMPS working group repositories:
**ML-DSA (Dilithium) Certificates:**
```
Total files: 6
Successfully parsed: 6 (100.0%)
Parsing output:
ML-DSA-44.crt: OK (48 nodes, type: ML-DSA-44)
ML-DSA-44.pub: OK (4 nodes, type: ML-DSA-44 (public key))
ML-DSA-65.crt: OK (48 nodes, type: ML-DSA-65)
ML-DSA-65.pub: OK (4 nodes, type: ML-DSA-65 (public key))
ML-DSA-87.crt: OK (48 nodes, type: ML-DSA-87)
ML-DSA-87.pub: OK (4 nodes, type: ML-DSA-87 (public key))
Signature algorithms:
ML-DSA (PQC): 6 (3 certificates + 3 public keys)
```
**ML-KEM (Kyber) Certificates:**
```
Total files: 6
Successfully parsed: 6 (100.0%)
Parsing output:
ML-KEM-1024.crt: OK (47 nodes, type: ML-DSA-87+ML-KEM-1024)
ML-KEM-1024.pub: OK (4 nodes, type: ML-KEM-1024 (public key))
ML-KEM-512.crt: OK (47 nodes, type: ML-DSA-44+ML-KEM-512)
ML-KEM-512.pub: OK (4 nodes, type: ML-KEM-512 (public key))
ML-KEM-768.crt: OK (47 nodes, type: ML-DSA-65+ML-KEM-768)
ML-KEM-768.pub: OK (4 nodes, type: ML-KEM-768 (public key))
Signature algorithms:
ML-DSA (PQC): 3 (hybrid certificates)
Post-Quantum public keys:
ML-KEM: 6 (3 from certificates + 3 standalone)
```
These are the first real-world post-quantum X.509 certificates, demonstrating hybrid cryptography where certificates use both ML-DSA signatures and ML-KEM public keys.
**File Types:**
- `.crt` files: Full X.509 certificates with signature algorithms
- `.pub` files: Standalone public keys (SubjectPublicKeyInfo structures)
The parser automatically detects SubjectPublicKeyInfo structures and properly identifies them as public key-only files, distinguishing them from full certificates.
### Running the Tests
```bash
# All repositories (Python Cryptography + LAMPS ML-DSA + LAMPS ML-KEM)
cargo test --test cryptography_vectors_tests_extended -- --ignored --nocapture
# Python Cryptography only (207+ files)
cargo test --test cryptography_vectors_tests_extended test_all_cryptography_vectors -- --ignored --nocapture
# LAMPS ML-DSA only
cargo test --test cryptography_vectors_tests_extended test_lamps_ml_dsa_certificates -- --ignored --nocapture
# LAMPS ML-KEM only
cargo test --test cryptography_vectors_tests_extended test_lamps_ml_kem_certificates -- --ignored --nocapture
# Sample test (first 10 files from Python Cryptography)
cargo test --test cryptography_vectors_tests_extended test_cryptography_vectors_sample -- --ignored --nocapture
```
All tests are marked `#[ignore]` by default so they don't run in CI or during normal development (they require network access for git clones).
## See Also
- [test_utils/README.md](test_utils/README.md) - Shared test utilities documentation
- [../benches/README.md](../benches/README.md) - Benchmark suite using the same infrastructure
- [../docs/POST_QUANTUM_OIDS.md](../docs/POST_QUANTUM_OIDS.md) - Post-quantum cryptography OID reference
- [../docs/performance.md](../docs/performance.md) - Performance benchmark results