fix(xtest): correct X-Wing KAO size assertions for ASN.1 wrappedKey format

[sujankota]

• Fix assert_xwing_kao_sizes in test_pqc.py to match the actual ASN.1 DER wrappedKey format
• wrappedKey contains KEM ciphertext + encrypted DEK + ASN.1 overhead (~1190 bytes), not raw ciphertext (1120 bytes)
• ephemeralPublicKey is None for hybrid-wrapped KAOs (ciphertext is embedded in wrappedKey)

Test plan

• X-Wing roundtrip tests pass size assertions
• X-Wing + EC hybrid roundtrip tests pass size assertions
• secpmlkem tests unaffected (they already assert > XWING_CIPHERTEXT_SIZE)

Summary by CodeRabbit

• Tests
  • Updated validation checks for post-quantum cryptography key structure handling to reflect current hybrid-wrapped key encryption behavior.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR updates test assertions in assert_xwing_kao_sizes to validate the expected structure of hybrid-wrapped X-Wing KAO objects. The function now checks that wrappedKey exceeds the raw ciphertext size and that ephemeralPublicKey is null, replacing prior expectations of exact sizes and non-null ephemeralPublicKey.

Changes

X-Wing KAO hybrid assertions

Layer / File(s)	Summary
Hybrid-wrapped KAO assertions xtest/test_pqc.py	assert_xwing_kao_sizes updated to validate hybrid-wrapped behavior: wrappedKey must exceed X-Wing ciphertext size, ephemeralPublicKey must be None. Prior assertions for exact wrappedKey size and ephemeralPublicKey presence were removed.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 A wrapper wraps the key so tight,
Hybrid mode shines in the light,
Ephemeral keys fade to none,
The test assertions now are done! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: correcting X-Wing KAO size assertions to account for ASN.1 wrappedKey format, which aligns perfectly with the changeset that updates the assertion logic in test_pqc.py.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/DSPX-3356-xwing-kao-size-assertions

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[gemini-code-assist]

Code Review

This pull request updates the assert_xwing_kao_sizes function in xtest/test_pqc.py to reflect changes in the X-Wing Key Access Object (KAO) structure. The assertions now verify that the wrappedKey is larger than the raw ciphertext due to ASN.1 DER framing and that the ephemeralPublicKey is absent. Feedback suggests improving the clarity of the XWING_CIPHERTEXT_SIZE constant's definition and refining the error message for better descriptive consistency.

[gemini-code-assist]

The constant XWING_CIPHERTEXT_SIZE is used here as a lower bound for the wrappedKey size. However, its definition on line 20 includes a comment stating it is the (wrappedKey) size, which is now misleading since the wrappedKey in the new ASN.1 format is significantly larger (~1190 bytes). Consider updating the comment on line 20 to clarify that it refers to the raw KEM ciphertext size. Additionally, the error message can be made more descriptive and consistent with other tests in this file (e.g., lines 221 and 279).

Suggested change

	assert wrapped_len > XWING_CIPHERTEXT_SIZE, (
	f"X-Wing wrappedKey should be > {XWING_CIPHERTEXT_SIZE} bytes, got {wrapped_len}"
	)
	assert wrapped_len > XWING_CIPHERTEXT_SIZE, (
	f"X-Wing wrappedKey should be larger than raw ciphertext ({XWING_CIPHERTEXT_SIZE} bytes), got {wrapped_len}"
	)

[coderabbitai]

🧹 Nitpick comments (2)

xtest/test_pqc.py (2)

275-285: ⚡ Quick win

Consider adding ephemeralPublicKey assertion for consistency.

The assert_xwing_kao_sizes function now validates that ephemeralPublicKey is None for hybrid-wrapped KAOs. If secpmlkem KAOs follow the same hybrid-wrapped pattern, this test should also verify kao.ephemeralPublicKey is None to ensure structural consistency and catch potential regressions.

🔍 Proposed consistency check

 # Verify NIST curve compatible MLKEM hybrid sizes in the KAO and registered public key
 kao = manifest.encryptionInformation.keyAccess[0]
 wrapped_len = _b64_decoded_len(kao.wrappedKey)
 assert wrapped_len > XWING_CIPHERTEXT_SIZE, (
     f"wrappedKey should be larger than {XWING_CIPHERTEXT_SIZE} bytes, got {wrapped_len}"
 )
+assert kao.ephemeralPublicKey is None, (
+    "hybrid-wrapped secpmlkem-5 KAO should not have ephemeralPublicKey"
+)
 pem = key_secpmlkem_5.key.public_key_ctx.pem

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@xtest/test_pqc.py` around lines 275 - 285, The test verifies sizes for
hybrid-wrapped KAOs but misses the structural check; add an assertion that the
KAO's ephemeralPublicKey is None to mirror assert_xwing_kao_sizes behavior.
Locate the block using variables kao and wrapped_len (and the surrounding
secpmlkem key checks) and insert a simple assert kao.ephemeralPublicKey is None
with an explanatory message to ensure secpmlkem hybrid-wrapped KAOs maintain the
same ephemeralPublicKey discipline.

---

217-227: ⚡ Quick win

Consider adding ephemeralPublicKey assertion for consistency.

The assert_xwing_kao_sizes function now validates that ephemeralPublicKey is None for hybrid-wrapped KAOs. If secpmlkem KAOs follow the same hybrid-wrapped pattern, this test should also verify kao.ephemeralPublicKey is None to ensure structural consistency and catch potential regressions.

🔍 Proposed consistency check

 # Verify NIST curve compatible MLKEM hybrid sizes in the KAO and registered public key
 kao = manifest.encryptionInformation.keyAccess[0]
 wrapped_len = _b64_decoded_len(kao.wrappedKey)
 assert wrapped_len > XWING_CIPHERTEXT_SIZE, (
     f"wrappedKey should be larger than {XWING_CIPHERTEXT_SIZE} bytes, got {wrapped_len}"
 )
+assert kao.ephemeralPublicKey is None, (
+    "hybrid-wrapped secpmlkem-3 KAO should not have ephemeralPublicKey"
+)
 pem = key_secpmlkem_3.key.public_key_ctx.pem

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@xtest/test_pqc.py` around lines 217 - 227, The test should assert that the
hybrid-wrapped secpmlkem KAO has no ephemeral public key for consistency; in the
test (inside assert_xwing_kao_sizes / the block using kao and key_secpmlkem_3)
add an assertion that kao.ephemeralPublicKey is None (placed near the
wrapped_len check) so the test verifies the same ephemeralPublicKey == None
invariant as other hybrid-wrapped KAOs.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@xtest/test_pqc.py`:
- Around line 275-285: The test verifies sizes for hybrid-wrapped KAOs but
misses the structural check; add an assertion that the KAO's ephemeralPublicKey
is None to mirror assert_xwing_kao_sizes behavior. Locate the block using
variables kao and wrapped_len (and the surrounding secpmlkem key checks) and
insert a simple assert kao.ephemeralPublicKey is None with an explanatory
message to ensure secpmlkem hybrid-wrapped KAOs maintain the same
ephemeralPublicKey discipline.
- Around line 217-227: The test should assert that the hybrid-wrapped secpmlkem
KAO has no ephemeral public key for consistency; in the test (inside
assert_xwing_kao_sizes / the block using kao and key_secpmlkem_3) add an
assertion that kao.ephemeralPublicKey is None (placed near the wrapped_len
check) so the test verifies the same ephemeralPublicKey == None invariant as
other hybrid-wrapped KAOs.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 2f22d4b2-635a-4d86-b4e2-a00828e07948

📥 Commits

Reviewing files that changed from the base of the PR and between fd312f5 and 1095202.

📒 Files selected for processing (1)

• xtest/test_pqc.py

[github-actions]

X-Test Failure Report

✅ java@v0.15.0-main
✅ java@main-main
✅ go@v0.32.0-main
✅ js@main-main
✅ js@v0.4.0-main
❌ java@main-v0.15.0
❌ go@main-main
❌ js@main-v0.15.0
❌ java@v0.15.0-v0.15.0
❌ go@v0.32.0-v0.15.0
❌ go@main-v0.15.0
❌ js@v0.4.0-v0.15.0