Test coverage expanded

Author: Stephen-Thomson

src/auth/certificates/MasterCertificate.ts

@@ -257,7 +257,7 @@ export class MasterCertificate extends Certificate {
     const certificate = new MasterCertificate(
       certificateType,
       finalSerialNumber,
-      subject,
+      subjectIdentityKey,
       (await certifierWallet.getPublicKey({ identityKey: true })).publicKey,
       revocationOutpoint,
       certificateFields,

src/auth/certificates/__tests/MasterCertificate.test.ts

@@ -356,6 +356,7 @@ describe('MasterCertificate', () => {
         expect(newCert.fields[fieldName]).toMatch(/^[A-Za-z0-9+/]+=*$/)
       }
     })
+
     it('should allow issuing a self-signed certificate and decrypt it with the same wallet', async () => {
       const subjectWallet = new CompletedProtoWallet(subjectKey2)
 
@@ -386,38 +387,38 @@ describe('MasterCertificate', () => {
 
       expect(decrypted).toEqual(selfSignedFields)
     })
-  })
 
-  describe('issueCertificateForSubject subject identity resolution', () => {
     it('resolves subject === "self" to the certifier wallet identity key', async () => {
-      const certifierIdentity = (
+      const certifierWallet = new CompletedProtoWallet(new PrivateKey(99))
+
+      const certifierIdentityKey = (
         await certifierWallet.getPublicKey({ identityKey: true })
       ).publicKey
 
-      const fields = { foo: 'bar' }
-
       const cert = await MasterCertificate.issueCertificateForSubject(
         certifierWallet,
         'self',
-        fields,
+        { name: 'Alice' },
         'TEST_CERT'
       )
 
-      expect(cert.subject).toBe(certifierIdentity)
+      expect(cert.subject).toBe(certifierIdentityKey)
     })
 
     it('uses provided subjectIdentityKey when subject is a valid hex string', async () => {
-    const providedSubject = 'a'.repeat(64); // valid 32-byte hex
+      const certifierWallet = new CompletedProtoWallet(new PrivateKey(42))
 
-    const fields = { foo: 'bar' }
+      const validPubkey =
+        '0279BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798'
 
-    const cert = await MasterCertificate.issueCertificateForSubject(
-      certifierWallet,
-      providedSubject,
-      fields,
-      'TEST_CERT'
-    )
+      const cert = await MasterCertificate.issueCertificateForSubject(
+        certifierWallet,
+        validPubkey,
+        { name: 'Alice' },
+        'TEST_CERT'
+      )
 
-    expect(cert.subject).toBe(providedSubject)
+      expect(cert.subject).toBe(validPubkey)
+    })
   })
 })

src/primitives/__tests/Hash.test.ts

@@ -3,6 +3,7 @@ import * as hash from '../../primitives/Hash'
 import * as crypto from 'crypto'
 import PBKDF2Vectors from './PBKDF2.vectors'
 import { toArray, toHex } from '../../primitives/utils'
+import { SHA1 } from '../..//primitives/Hash'
 
 describe('Hash', function () {
   function test (Hash, cases): void {
@@ -177,4 +178,27 @@ describe('Hash', function () {
       })
     }
   })
+
+  describe('Hash strict length validation (TOB-21)', () => {
+
+    it('throws when pendingTotal is not a safe integer', () => {
+      const h = new SHA1()
+
+      h.pendingTotal = Number.MAX_SAFE_INTEGER + 10
+
+      expect(() => {
+        h.digest()
+      }).toThrow('Message too long for this hash function')
+    })
+
+    it('throws when pendingTotal is negative', () => {
+      const h = new SHA1()
+
+      h.pendingTotal = -5
+
+      expect(() => {
+        h.digest()
+      }).toThrow('Message too long for this hash function')
+    })
+  })
 })

src/primitives/__tests/utils.test.ts

@@ -320,3 +320,60 @@ describe('verifyNotNull', () => {
     expect(() => verifyNotNull(undefined, 'Another custom error')).toThrow('Another custom error')
   })
 })
+
+describe('toUTF8 strict UTF-8 decoding (TOB-21)', () => {
+
+  //
+  // 1. Replacement for invalid 2-byte continuation
+  //
+  it('replaces invalid 2-byte sequences with U+FFFD', () => {
+    // 0xC2 should expect a continuation byte 0x80–0xBF
+    const arr = [0xC2, 0x20]   // 0x20 is INVALID continuation
+    const str = toUTF8(arr)
+    expect(str).toBe('\uFFFD')
+  })
+
+  //
+  // 2. Valid 3-byte UTF-8 (e.g., "€")
+  //
+  it('decodes valid 3-byte sequences', () => {
+    const euro = [0xE2, 0x82, 0xAC]
+    expect(toUTF8(euro)).toBe('€')
+  })
+
+  //
+  // 3. Replacement for invalid 3-byte sequence
+  //
+  it('replaces invalid 3-byte sequences', () => {
+    // Middle byte invalid
+    const arr = [0xE2, 0x20, 0xAC]
+    expect(toUTF8(arr)).toBe('\uFFFD')
+  })
+
+  //
+  // 4. Valid 4-byte UTF-8 (e.g., U+1F600 😀)
+  //
+  it('decodes valid 4-byte sequences into surrogate pairs', () => {
+    const smile = [0xF0, 0x9F, 0x98, 0x80] // 😀
+    expect(toUTF8(smile)).toBe('😀')
+  })
+
+  //
+  // 5. Replacement for invalid 4-byte sequence
+  //
+  it('replaces invalid 4-byte sequences with U+FFFD', () => {
+    // 0x9F is valid, 0x20 is INVALID continuation for byte 3
+    const arr = [0xF0, 0x9F, 0x20, 0x80]
+    expect(toUTF8(arr)).toBe('\uFFFD')
+  })
+
+  //
+  // 6. Replacement of incomplete sequences at end of array
+  //
+  it('replaces incomplete UTF-8 sequence at end', () => {
+    const arr = [0xE2] // incomplete 3-byte seq
+    expect(toUTF8(arr)).toBe('\uFFFD')
+  })
+
+})
+

src/primitives/utils.ts

@@ -242,6 +242,7 @@ export const toUTF8 = (arr: number[]): string => {
       const byte2 = arr[i + 1]
       if ((byte2 & 0xc0) !== 0x80) {
         emitReplacement()
+        i += 1
         continue
       }
       const codePoint = ((byte1 & 0x1f) << 6) | (byte2 & 0x3f)
@@ -258,6 +259,7 @@ export const toUTF8 = (arr: number[]): string => {
       const byte3 = arr[i + 2]
       if ((byte2 & 0xc0) !== 0x80 || (byte3 & 0xc0) !== 0x80) {
         emitReplacement()
+        i += 2
         continue
       }
       const codePoint =
@@ -283,6 +285,7 @@ export const toUTF8 = (arr: number[]): string => {
         (byte4 & 0xc0) !== 0x80
       ) {
         emitReplacement()
+         i += 3
         continue
       }
       const codePoint =