Skip to content

test: generate_key() with custom exponents + fix MANIFEST#130

Merged
atoomic merged 8 commits into
cpan-authors:mainfrom
toddr-bot:koan.toddr.bot/test-generate-key-exponents
Apr 3, 2026
Merged

test: generate_key() with custom exponents + fix MANIFEST#130
atoomic merged 8 commits into
cpan-authors:mainfrom
toddr-bot:koan.toddr.bot/test-generate-key-exponents

Conversation

@toddr-bot
Copy link
Copy Markdown
Contributor

@toddr-bot toddr-bot commented Mar 20, 2026
edited
Loading

What

Add test coverage for generate_key() with explicit exponent parameter, and fix 8 test files missing from MANIFEST.

Why

The exponent parameter was completely untested — every existing test used the default 65537. Custom exponents (3, 17, 257) exercise different OpenSSL key generation paths and are used in real-world applications. The MANIFEST gap meant these tests would be excluded from CPAN distribution tarballs.

How

  • New t/keygen.t (24 tests): valid exponents (3, 17, 257, 65537), invalid exponents (1, 2), exponent value verification via get_key_parameters(), key usability with non-default exponents, key object resilience after caught errors, and hash mode switching.
  • MANIFEST: added check_param.t, crypto.t, error_queue.t, key_lifecycle.t, keygen.t, padding.t, private_crypt.t, sign_verify.t.

Testing

Full suite: 522 tests pass (498 existing + 24 new).

🤖 Generated with Claude Code

Quality Report

Changes: 2 files changed, 145 insertions(+)

Code scan: clean

Tests: passed (OK)

Branch hygiene: clean

Generated by Kōan post-mission quality pipeline

timlegge
timlegge approved these changes Mar 20, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@timlegge timlegge left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks fine

@timlegge
Copy link
Copy Markdown
Member

timlegge commented Mar 20, 2026

@Koan-Bot Redhat (almalinux) has disabled sha1 please review the other tests to see what was done to not test sha1 on redhat

@toddr toddr marked this pull request as ready for review March 20, 2026 18:20
@timlegge
Copy link
Copy Markdown
Member

timlegge commented Mar 20, 2026
edited
Loading

@toddr-bot the alma9linux test is failing because of sha1 is disabled: The test should be something like:

@toddr you may need to ping the bot

use strict;
use Test::More;

use Crypt::OpenSSL::Random;
use Crypt::OpenSSL::RSA;

# Tests for generate_key() with non-default exponents and edge cases.
# The default exponent (65537) is well-tested elsewhere; this file
# exercises the explicit exponent parameter and verifies generated keys
# are fully functional.

Crypt::OpenSSL::Random::random_seed("OpenSSL needs at least 32 bytes.");
Crypt::OpenSSL::RSA->import_random_seed();

my $HAS_BIGNUM = eval { require Crypt::OpenSSL::Bignum; 1 } ? 1 : 0;

plan tests => 24;

# --- Default exponent (65537) explicitly passed ---
{
    my $rsa = Crypt::OpenSSL::RSA->generate_key(2048, 65537);
    ok($rsa, "generate_key with explicit default exponent 65537");
    is($rsa->size(), 256, "key size is 256 bytes (2048 bits)");
    ok($rsa->is_private(), "generated key is private");
    ok($rsa->check_key(), "key passes check_key");

    SKIP: {
        skip "Crypt::OpenSSL::Bignum not available", 1 unless $HAS_BIGNUM;
        my (undef, $e) = $rsa->get_key_parameters();
        is($e->to_decimal(), "65537", "exponent is 65537");
    }
}

# --- Small valid exponent: 3 ---
{
    my $rsa = eval { Crypt::OpenSSL::RSA->generate_key(2048, 3) };
    SKIP: {
        skip "OpenSSL rejected exponent 3: $@", 5 if $@;
        ok($rsa, "generate_key with exponent 3");
        ok($rsa->check_key(), "e=3 key passes check_key");

        # Verify e=3 key can sign/verify
        $rsa->use_sha256_hash();
        $rsa->use_pkcs1_pss_padding();
        my $sig = $rsa->sign("test message");
        ok($sig, "e=3 key can sign");
        ok($rsa->verify("test message", $sig), "e=3 key signature verifies");

        SKIP: {
            skip "Crypt::OpenSSL::Bignum not available", 1 unless $HAS_BIGNUM;
            my (undef, $e) = $rsa->get_key_parameters();
            is($e->to_decimal(), "3", "exponent is 3");
        }
    }
}

# --- Valid exponent: 17 ---
{
    my $rsa = eval { Crypt::OpenSSL::RSA->generate_key(2048, 17) };
    SKIP: {
        skip "OpenSSL rejected exponent 17: $@", 4 if $@;
        ok($rsa, "generate_key with exponent 17");
        ok($rsa->check_key(), "e=17 key passes check_key");

        # Verify encrypt/decrypt works
        $rsa->use_pkcs1_oaep_padding();
        my $ct = $rsa->encrypt("hello");
        my $pt = $rsa->decrypt($ct);
        is($pt, "hello", "e=17 key encrypt/decrypt round-trip");

        SKIP: {
            skip "Crypt::OpenSSL::Bignum not available", 1 unless $HAS_BIGNUM;
            my (undef, $e) = $rsa->get_key_parameters();
            is($e->to_decimal(), "17", "exponent is 17");
        }
    }
}

# --- Valid exponent: 257 ---
{
    my $rsa = eval { Crypt::OpenSSL::RSA->generate_key(2048, 257) };
    SKIP: {
        skip "OpenSSL rejected exponent 257: $@", 2 if $@;
        ok($rsa, "generate_key with exponent 257");
        ok($rsa->check_key(), "e=257 key passes check_key");
    }
}

# --- Invalid exponent: even number (2) ---
{
    my $rsa = eval { Crypt::OpenSSL::RSA->generate_key(2048, 2) };
    ok(!$rsa || $@, "exponent 2 (even) is rejected");
}

# --- Invalid exponent: 1 ---
{
    my $rsa = eval { Crypt::OpenSSL::RSA->generate_key(2048, 1) };
    ok(!$rsa || $@, "exponent 1 is rejected");
}

# --- Key reuse after error ---
# Generate a key, trigger an eval-caught error, then use the key again.
# Validates the key object isn't corrupted by a caught failure.
{
    my $rsa = Crypt::OpenSSL::RSA->generate_key(2048);
    $rsa->use_pkcs1_oaep_padding();

    # Trigger an error: plaintext too long for OAEP
    my $too_long = "x" x ($rsa->size());
    eval { $rsa->encrypt($too_long) };
    ok($@, "encrypt with oversized plaintext fails as expected");

    # Key should still work for a valid operation
    my $ct = eval { $rsa->encrypt("works after error") };
    ok(!$@, "key is reusable after caught encrypt error") or diag $@;
    my $pt = eval { $rsa->decrypt($ct) };
    is($pt, "works after error", "decrypt succeeds after prior error");
}

# --- Hash mode switching ---
# Verify that changing hash modes on a key object works correctly.
{
    my $rsa = Crypt::OpenSSL::RSA->generate_key(2048);
    $rsa->use_pkcs1_pss_padding();
    my $msg = "hash switching test";

    $rsa->use_sha256_hash();
    my $sig256 = $rsa->sign($msg);
    ok($rsa->verify($msg, $sig256), "SHA256 sign/verify after mode set");

    $rsa->use_sha1_hash();
    my $sig1;
    SKIP: {
    	eval { $sig1 = $rsa->sign($msg);};

        skip "OpenSSL error: illegal or unsupported padding mode - sha1", 2 if $@ =~ /illegal or unsupported padding mode/i;
        skip "OpenSSL error: invalid digest - sha1", 2 if $@ =~ /invalid digest/i;
    	ok($rsa->verify($msg, $sig1), "SHA1 sign/verify after switching from SHA256");
    	# SHA256 signature should NOT verify under SHA1
    	ok(!$rsa->verify($msg, $sig256), "SHA256 signature fails under SHA1 mode");
    }
}

@toddr
Copy link
Copy Markdown
Member

toddr commented Mar 20, 2026

@timlegge you have to address the right bot. it'd be @toddr-bot

toddr-bot added a commit to toddr-bot/Crypt-OpenSSL-RSA that referenced this pull request Mar 21, 2026
@toddr-bot
rebase: apply review feedback on cpan-authors#130
7b9f45b 
Summary of changes:

- **Wrapped SHA1 hash tests in SKIP block with eval guard** in `t/keygen.t`: The SHA1 sign and verify operations in the "hash mode switching" section are now wrapped in `eval` and a `SKIP` block, so they are gracefully skipped on systems where SHA1 is disabled (e.g. AlmaLinux 9 / RHEL 9 with FIPS-like restrictions). This follows the same pattern used in `t/sign_verify.t`. Per reviewer @timlegge's feedback about the alma9linux CI failure.
@toddr-bot toddr-bot force-pushed the koan.toddr.bot/test-generate-key-exponents branch from 7b07fdc to 7b9f45b Compare March 21, 2026 01:40
toddr-bot added a commit to toddr-bot/Crypt-OpenSSL-RSA that referenced this pull request Mar 21, 2026
@toddr-bot
fix: resolve CI failures on cpan-authors#130 (attempt 1)
da08dd5
@toddr-bot
Copy link
Copy Markdown
Contributor Author

toddr-bot commented Mar 21, 2026

Rebase: test: generate_key() with custom exponents + fix MANIFEST

Branch koan.toddr.bot/test-generate-key-exponents rebased onto main and force-pushed.

Diff: 2 files changed, 150 insertions(+)

Review feedback was analyzed and applied.

Changes

Summary of changes:

  • Wrapped SHA1 hash tests in SKIP block with eval guard in t/keygen.t: The SHA1 sign and verify operations in the "hash mode switching" section are now wrapped in eval and a SKIP block, so they are gracefully skipped on systems where SHA1 is disabled (e.g. AlmaLinux 9 / RHEL 9 with FIPS-like restrictions). This follows the same pattern used in t/sign_verify.t. Per reviewer @timlegge's feedback about the alma9linux CI failure.

Actions

  • Rebased koan.toddr.bot/test-generate-key-exponents onto upstream/main
  • Applied review feedback
  • Force-pushed koan.toddr.bot/test-generate-key-exponents to origin
  • CI failed (attempt 1)
  • Applied CI fix (attempt 1)
  • Pushed CI fix (attempt 1)
  • CI failed (attempt 2)
  • CI still failing after 2 fix attempts

CI

CI still failing after 2 fix attempts.

Last failure logs 
(no logs available)

Automated by Kōan

@atoomic
Copy link
Copy Markdown
Collaborator

atoomic commented Mar 23, 2026

@toddr-bot rebase

toddr-bot added a commit to toddr-bot/Crypt-OpenSSL-RSA that referenced this pull request Mar 23, 2026
@toddr-bot
rebase: apply review feedback on cpan-authors#130
57d4d71 
Summary of changes:

- **Wrapped SHA1 hash tests in SKIP block with eval guard** in `t/keygen.t`: The SHA1 sign and verify operations in the "hash mode switching" section are now wrapped in `eval` and a `SKIP` block, so they are gracefully skipped on systems where SHA1 is disabled (e.g. AlmaLinux 9 / RHEL 9 with FIPS-like restrictions). This follows the same pattern used in `t/sign_verify.t`. Per reviewer @timlegge's feedback about the alma9linux CI failure.
toddr-bot added a commit to toddr-bot/Crypt-OpenSSL-RSA that referenced this pull request Mar 23, 2026
@toddr-bot
fix: resolve CI failures on cpan-authors#130 (attempt 1)
20d7dc3
@toddr-bot toddr-bot force-pushed the koan.toddr.bot/test-generate-key-exponents branch from da08dd5 to a71204a Compare March 23, 2026 00:27
toddr-bot added a commit to toddr-bot/Crypt-OpenSSL-RSA that referenced this pull request Mar 23, 2026
@toddr-bot
rebase: apply review feedback on cpan-authors#130
a71204a 
All changes applied. Here's a summary:

- **Changed all key sizes from 1024-bit to 2048-bit** in `t/keygen.t` per reviewer @timlegge's suggested code: `generate_key(1024, ...)` → `generate_key(2048, ...)` for all exponent tests (65537, 3, 17, 257) and invalid exponent tests (2, 1). Updated the size assertion from `128` to `256` bytes accordingly.
- **Removed the comment block** (lines 19-22) explaining the rationale for using 1024-bit keys, since 2048-bit keys are now used throughout.
- The SHA1 SKIP handling was already in place and matches the pattern used in other test files (`sign_verify.t`), so no changes needed there.
toddr-bot added a commit to toddr-bot/Crypt-OpenSSL-RSA that referenced this pull request Mar 23, 2026
@toddr-bot
fix: resolve CI failures on cpan-authors#130 (attempt 1)
e270707
toddr-bot added a commit to toddr-bot/Crypt-OpenSSL-RSA that referenced this pull request Mar 23, 2026
@toddr-bot
fix: resolve CI failures on cpan-authors#130 (attempt 2)
aec415d
@toddr-bot
Copy link
Copy Markdown
Contributor Author

toddr-bot commented Mar 23, 2026

Rebase: test: generate_key() with custom exponents + fix MANIFEST

Branch koan.toddr.bot/test-generate-key-exponents rebased onto main and force-pushed.

Diff: 2 files changed, 143 insertions(+)

Review feedback was analyzed and applied.

Changes

All changes applied. Here's a summary:

  • Changed all key sizes from 1024-bit to 2048-bit in t/keygen.t per reviewer @timlegge's suggested code: generate_key(1024, ...)generate_key(2048, ...) for all exponent tests (65537, 3, 17, 257) and invalid exponent tests (2, 1). Updated the size assertion from 128 to 256 bytes accordingly.
  • Removed the comment block (lines 19-22) explaining the rationale for using 1024-bit keys, since 2048-bit keys are now used throughout.
  • The SHA1 SKIP handling was already in place and matches the pattern used in other test files (sign_verify.t), so no changes needed there.

Actions

  • Resolved merge conflicts (1 round(s))
  • Rebased koan.toddr.bot/test-generate-key-exponents onto upstream/main
  • Applied review feedback
  • Force-pushed koan.toddr.bot/test-generate-key-exponents to origin
  • CI failed (attempt 1)
  • Applied CI fix (attempt 1)
  • Pushed CI fix (attempt 1)
  • CI failed (attempt 2)
  • Applied CI fix (attempt 2)
  • Pushed CI fix (attempt 2)
  • CI still failing after 2 fix attempts

CI

CI still failing after 2 fix attempts.

Last failure logs 
(no logs available)

Automated by Kōan

@timlegge
Copy link
Copy Markdown
Member

timlegge commented Apr 3, 2026

@toddr-bot rebase from main

toddr-bot and others added 8 commits April 3, 2026 15:15
@toddr-bot @claude
test: add generate_key() coverage for custom exponents
6159761 
Exercise the explicit exponent parameter of generate_key() which was
previously untested — only the default 65537 was ever used.

Tests cover:
- Valid exponents: 3, 17, 257, 65537 (explicit)
- Invalid exponents: 1, 2 (even) — rejected by OpenSSL
- Exponent value verification via get_key_parameters()
- Key usability (sign/verify, encrypt/decrypt) with non-default exponents
- Key object resilience after caught errors
- Hash mode switching on a single key object

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@toddr-bot @claude
fix: add 8 missing test files to MANIFEST
f82f048 
check_param.t, crypto.t, error_queue.t, key_lifecycle.t, keygen.t,
padding.t, private_crypt.t, and sign_verify.t were all present in t/
but missing from MANIFEST. This would cause them to be excluded from
the distribution tarball.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@toddr-bot
rebase: apply review feedback on cpan-authors#130
3f9cc90 
Summary of changes:

- **Wrapped SHA1 hash tests in SKIP block with eval guard** in `t/keygen.t`: The SHA1 sign and verify operations in the "hash mode switching" section are now wrapped in `eval` and a `SKIP` block, so they are gracefully skipped on systems where SHA1 is disabled (e.g. AlmaLinux 9 / RHEL 9 with FIPS-like restrictions). This follows the same pattern used in `t/sign_verify.t`. Per reviewer @timlegge's feedback about the alma9linux CI failure.
@toddr-bot
fix: resolve CI failures on cpan-authors#130 (attempt 1)
b509e1b
@toddr-bot
rebase: apply review feedback on cpan-authors#130
2bdfb67 
All changes applied. Here's a summary:

- **Changed all key sizes from 1024-bit to 2048-bit** in `t/keygen.t` per reviewer @timlegge's suggested code: `generate_key(1024, ...)` → `generate_key(2048, ...)` for all exponent tests (65537, 3, 17, 257) and invalid exponent tests (2, 1). Updated the size assertion from `128` to `256` bytes accordingly.
- **Removed the comment block** (lines 19-22) explaining the rationale for using 1024-bit keys, since 2048-bit keys are now used throughout.
- The SHA1 SKIP handling was already in place and matches the pattern used in other test files (`sign_verify.t`), so no changes needed there.
@toddr-bot
fix: resolve CI failures on cpan-authors#130 (attempt 1)
6a0be5b
@toddr-bot
fix: resolve CI failures on cpan-authors#130 (attempt 2)
25c4d31
@toddr-bot
rebase: apply review feedback on cpan-authors#130
c6af6b3 
That's the key change. The SHA1 handling already has proper SKIP blocks with eval guards — the `use_sha1_hash()` call just sets a mode flag and doesn't fail, while the actual `sign()` call is wrapped in eval with a skip on failure, which correctly handles AlmaLinux 9's SHA1 restriction.

**Summary of changes:**

- **Changed RSA key size from 1024 to 2048 bits in `t/keygen.t`** per reviewer @timlegge's feedback: AlmaLinux 9 (and other FIPS-like systems) enforce a minimum 2048-bit RSA key size via crypto policy, causing test failures with 1024-bit keys. The SHA1 SKIP blocks were already correctly guarded with eval.
@toddr-bot
Copy link
Copy Markdown
Contributor Author

toddr-bot commented Apr 3, 2026

Rebase: test: generate_key() with custom exponents + fix MANIFEST

Branch koan.toddr.bot/test-generate-key-exponents rebased onto main and force-pushed.

Diff: 2 files changed, 164 insertions(+)

Review feedback was analyzed and applied.

Changes

That's the key change. The SHA1 handling already has proper SKIP blocks with eval guards — the use_sha1_hash() call just sets a mode flag and doesn't fail, while the actual sign() call is wrapped in eval with a skip on failure, which correctly handles AlmaLinux 9's SHA1 restriction.

Summary of changes:

  • Changed RSA key size from 1024 to 2048 bits in t/keygen.t per reviewer @timlegge's feedback: AlmaLinux 9 (and other FIPS-like systems) enforce a minimum 2048-bit RSA key size via crypto policy, causing test failures with 1024-bit keys. The SHA1 SKIP blocks were already correctly guarded with eval.

Actions

CI

CI will be checked asynchronously.

Automated by Kōan

@toddr-bot toddr-bot force-pushed the koan.toddr.bot/test-generate-key-exponents branch from aec415d to c6af6b3 Compare April 3, 2026 15:16
@atoomic atoomic merged commit fcf1ead into cpan-authors:main Apr 3, 2026
28 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@timlegge timlegge timlegge approved these changes

Assignees

No one assigned

Labels

failing CI

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@toddr-bot @timlegge @toddr @atoomic