feat: add integration test for secp384r1_mlkem_1024 (#5438)

johubertj · web-flow · commit c13ea1900f7d · 2025-07-29T17:38:01.000Z
diff --git a/bindings/rust/standard/integration/src/features/mod.rs b/bindings/rust/standard/integration/src/features/mod.rs
@@ -2,4 +2,4 @@
 // SPDX-License-Identifier: Apache-2.0
 
 #[cfg(feature = "pq")]
-mod mldsa;
+mod pq;
diff --git a/bindings/rust/standard/integration/src/features/pq.rs b/bindings/rust/standard/integration/src/features/pq.rs
@@ -20,7 +20,7 @@ pub async fn get_streams() -> Result<(TcpStream, TcpStream), tokio::io::Error> {
 }
 
 #[test_log::test(tokio::test)]
-async fn s2n_client() -> Result<(), Box<dyn std::error::Error>> {
+async fn s2n_mldsa_client() -> Result<(), Box<dyn std::error::Error>> {
     let cert_path = format!("{TEST_PEMS_PATH}mldsa/ML-DSA-87.crt");
     let key_path = format!("{TEST_PEMS_PATH}mldsa/ML-DSA-87-seed.priv");
 
@@ -63,7 +63,7 @@ async fn s2n_client() -> Result<(), Box<dyn std::error::Error>> {
 }
 
 #[test_log::test(tokio::test)]
-async fn s2n_server() -> Result<(), Box<dyn std::error::Error>> {
+async fn s2n_mldsa_server() -> Result<(), Box<dyn std::error::Error>> {
     let cert_path = format!("{TEST_PEMS_PATH}mldsa/ML-DSA-87.crt");
     let key_path = format!("{TEST_PEMS_PATH}mldsa/ML-DSA-87-seed.priv");
 
@@ -99,3 +99,77 @@ async fn s2n_server() -> Result<(), Box<dyn std::error::Error>> {
     );
     Ok(())
 }
+
+#[tokio::test]
+async fn s2n_mlkem_client() -> Result<(), Box<dyn std::error::Error>> {
+    let cert_path = format!("{TEST_PEMS_PATH}permutations/ec_ecdsa_p256_sha384/server-chain.pem");
+    let key_path = format!("{TEST_PEMS_PATH}permutations/ec_ecdsa_p256_sha384/server-key.pem");
+
+    let (server_stream, client_stream) = get_streams().await?;
+
+    // Setup Openssl 3.5 server restricted to SecP384r1MLKEM1024
+    let mut server = {
+        let mut builder = SslContextBuilder::new(SslMethod::tls())?;
+        builder.set_private_key_file(key_path, SslFiletype::PEM)?;
+        builder.set_certificate_chain_file(cert_path.clone())?;
+        builder.set_groups_list("SecP384r1MLKEM1024")?;
+        let context = builder.build();
+        let ssl = Ssl::new(&context)?;
+        SslStream::new(ssl, server_stream)?
+    };
+
+    // Setup s2n-tls client with default_pq
+    let client = {
+        let mut config = Config::builder();
+        config.set_security_policy(&DEFAULT_PQ)?;
+        config.trust_location(Some(Path::new(&cert_path)), None)?;
+        TlsConnector::new(config.build()?)
+    };
+
+    let server_pin = Pin::new(&mut server);
+    let (_, client_result) = tokio::join!(
+        server_pin.accept(),
+        client.connect("localhost", client_stream),
+    );
+
+    let client = client_result?;
+    let conn = client.as_ref();
+    let kem_group = conn.kem_group_name().unwrap();
+    assert_eq!(kem_group, "SecP384r1MLKEM1024");
+    Ok(())
+}
+
+#[tokio::test]
+async fn s2n_mlkem_server() -> Result<(), Box<dyn std::error::Error>> {
+    let cert_path = format!("{TEST_PEMS_PATH}permutations/ec_ecdsa_p256_sha384/server-chain.pem");
+    let key_path = format!("{TEST_PEMS_PATH}permutations/ec_ecdsa_p256_sha384/server-key.pem");
+    let (server_stream, client_stream) = get_streams().await?;
+
+    // Setup Openssl 3.5 client restricted to SecP384r1MLKEM1024
+    let mut client = {
+        let mut builder = SslContextBuilder::new(SslMethod::tls())?;
+        builder.set_ca_file(Path::new(&cert_path))?;
+        builder.set_groups_list("SecP384r1MLKEM1024")?;
+        let context = builder.build();
+        let ssl = Ssl::new(&context)?;
+        SslStream::new(ssl, client_stream)?
+    };
+
+    let server = {
+        let mut config = Config::builder();
+        config.set_security_policy(&DEFAULT_PQ)?;
+        let cert = fs::read(&cert_path)?;
+        let key = fs::read(&key_path)?;
+        config.load_pem(&cert, &key)?;
+        TlsAcceptor::new(config.build()?)
+    };
+
+    let client_pin = Pin::new(&mut client);
+    let (server_result, _) = tokio::join!(server.accept(server_stream), client_pin.connect(),);
+
+    let server = server_result?;
+    let conn = server.as_ref();
+    let kem_group = conn.kem_group_name().unwrap();
+    assert_eq!(kem_group, "SecP384r1MLKEM1024");
+    Ok(())
+}
