Skip to content

test(integration): add mTLS integration tests #5638

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 31 commits into from
Dec 4, 2025
Merged

test(integration): add mTLS integration tests #5638

merged 31 commits into from
Dec 4, 2025

Conversation

@kaukabrizvi
Copy link
Contributor

@kaukabrizvi kaukabrizvi commented Nov 25, 2025
edited
Loading

Goal

Add mTLS integration tests for certificate-validation callbacks that exercise both synchronous and asynchronous validation across TLS versions and implementations, without changing the public Rust callback API. (This PR adds Rustls↔s2n coverage; additional libraries will be added in follow-up work.)

Why

The existing Rust bindings only supported synchronous certificate validation. We still need async coverage to match the C API and to ensure regression coverage for real-world mTLS deployments. Adding these integration tests gives us the missing end-to-end mTLS coverage required to detect changes in cert-validation behavior with different peers and protocol versions.

How

  • Wire asynchronous certificate validation in the integration tests directly through s2n_tls_sys (C FFI) instead of exposing a new async callback in the public Rust bindings. The async behavior is effectively test-only and remains internal until bindings: ConnectionFuture 'static bound blocks async interfaces bindings: ConnectionFuture 'static bound blocks async interfaces #5469 is resolved.
  • Add mTLS integration coverage across both directions (rustls→s2n and s2n→rustls) and both protocol versions (TLS 1.2 and TLS 1.3) with three test variants: basic mTLS, synchronous cert validation, and asynchronous cert validation.

Callouts

  • The async path is wired via s2n_tls_sys in the Rust integration tests only; the public Rust callback traits and builder API remain unchanged.
  • Rustls and s2n can emit multi-message handshake records in TLS 1.3, which triggers a known async-validation bug in s2n’s C state machine. These async tests are therefore ignored until fix: refactor negotiate loop to fix issue with async callback #5641 lands. TLS 1.2 avoids multi-message flights on the client side, so the TLS 1.2 rustls→s2n async case passes and is not ignored.
  • The async tests model the intended usage pattern where certificate validation may complete on a different thread than the handshake driver.

Testing

  • Confirmed the full Rust integration suite passes across all supported libcryptos via the CodeBuild job.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@github-actions github-actions bot added the s2n-core team label Nov 25, 2025
@kaukabrizvi kaukabrizvi changed the title test(integration): add async-capable cert validation callback and mTLS tests test(integration): add async-capable cert validation binding and mTLS tests Nov 25, 2025
@maddeleine maddeleine mentioned this pull request Nov 25, 2025
Open
@kaukabrizvi kaukabrizvi marked this pull request as ready for review November 25, 2025 20:33
@kaukabrizvi kaukabrizvi changed the title test(integration): add async-capable cert validation binding and mTLS tests test(integration): add add mTLS integration tests Nov 25, 2025
@kaukabrizvi kaukabrizvi changed the title test(integration): add add mTLS integration tests test(integration): add mTLS integration tests Nov 25, 2025
maddeleine
maddeleine reviewed Nov 26, 2025
View reviewed changes
jmayclin
jmayclin reviewed Dec 1, 2025
View reviewed changes
@kaukabrizvi kaukabrizvi removed the request for review from CarolYeh910 December 1, 2025 19:18
@kaukabrizvi
Copy link
Contributor Author

kaukabrizvi commented Dec 2, 2025

@jmayclin @maddeleine For async cert validation, instead of extending the Rust public API, the integration tests now register an async cert validation callback directly via s2n_tls_sys::s2n_config_set_cert_validation_cb. The tests define a C-style callback (test_async_cert_cb) and a small context struct that tracks invocation count and sends the s2n_cert_validation_info* over a channel. The async tests then call s2n_cert_validation_accept on that pointer to resume the handshake. This lets us exercise the async cert validation path end-to-end without exposing any new async Rust API surface.

@kaukabrizvi kaukabrizvi requested a review from jmayclin December 2, 2025 21:06
jmayclin
jmayclin approved these changes Dec 3, 2025
View reviewed changes
maddeleine
maddeleine approved these changes Dec 3, 2025
View reviewed changes
@kaukabrizvi kaukabrizvi enabled auto-merge December 3, 2025 23:24
@kaukabrizvi kaukabrizvi added this pull request to the merge queue Dec 4, 2025
Merged via the queue into aws:main with commit 7f4ad74 Dec 4, 2025
53 checks passed
@kaukabrizvi kaukabrizvi deleted the mTLS-integ-rust branch December 4, 2025 00:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jmayclin jmayclin jmayclin approved these changes

@maddeleine maddeleine maddeleine approved these changes

Assignees

No one assigned

Labels

s2n-core team

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@kaukabrizvi @jmayclin @maddeleine