README
¶
SimulatorAPI Test Suite — README
(AI generated)
This doc explains what the tests cover, how to run them, what files they write, and how to interpret results. It matches the setup with one CA (C1) and one logger (L1), where leaves used to compute the STH include RN and omit PoI (omitempty).
Overview
The test suite validates:
- Server liveness (
/healthz) - Certificates feed (
/certificates) — dumped to disk - Periodic update bundle (
/update) — STH/SRH + threshold signatures (BLS) + DCRV - PoI verification for every certificate against the STH root
- CRV summary and mutation (
/crv,/crv/revoke) - Period advancement (
POST /advance) with refreshed artifacts & signatures
Prerequisites
- Go 1.21+
- Module deps resolved:
go mod tidy - Local files:
testconfig.json(CTng crypto config with DSS/TSS keys)testsettings.json(CTng settings)
- The test and the server use
github.com/herumi/bls-go-binary/bls(must match whatdefuses)
The tests load
testconfig.jsonfrom the current working directory. Rungo testfrom that directory or adjust the path in the helper.
Run the Server
go run . -config testconfig.json -settings testsettings.json -listen :8080
Endpoints
| Method | Path | Description |
|---|---|---|
| GET | /healthz |
Plain liveness (“ok”). |
| GET | /certificates |
Returns all certificates (struct includes RN + PoI). |
| GET | /crv |
Summary: size, revoked_count, last_updated_at. |
| POST | /crv/revoke |
Body: {"index": <uint>}; sets a bit in CRV; returns counts. |
| GET | /update |
Bundle: period, sth, srh, dcrv, and threshold signature payloads. |
| POST | /advance |
Advances period by 1; recomputes artifacts; returns fresh /update. |
STH Leaf Encoding
- Included:
SerialNumber,CAID,LoggerID,IssuedAt,Payload,RN - Omitted:
PoI(explicitly cleared before marshaling)
The test’s encodeLeafForSTH mirrors this exactly.
Tests
Test_EndToEnd_Update_Certs_CRV_PoI_ThresholdSigs_Advance
Flow:
GET /healthzGET /certificates→ dump tooutput_certificates.txtGET /update→ dump tooutput_update.txt- Rebuild
def.ThresholdSigfrom payloads - Verify
sthSig.Verify(json(STH), TSS_public_map)→ must pass - Verify
srhSig.Verify(json(SRH), TSS_public_map)→ must pass
- Rebuild
- PoI verification for every cert (two-step):
- Build leaf via
encodeLeafForSTH(cert)(PoI cleared, RN included) - Try
def.VerifyPOI(upd.STH, cert.PoI, leaf) - If that fails, try
def.VerifyPOI2(upd.STH.Head, cert.PoI.Proof, leaf) - All certs must pass (either path)
- Build leaf via
GET /crv→ dump tooutput_crv.txtPOST /crv/revoke(index=5) → dump tooutput_crv_revoke.txtPOST /advance→ dump tooutput_advance.txt- Check
periodincreased by 1 - Re-verify STH/SRH threshold sigs
- Check
Run:
# server must already be running
go test -run Test_EndToEnd_Update_Certs_CRV_PoI_ThresholdSigs_Advance -v
Benchmark_VerifyPOIs (optional)
Micro-benchmark of PoI verification cost:
- Warm-up: fetch
/certificatesand/update - Loop: verify each PoI with the same two-step approach
- Reports allocs/time
Run:
go test -bench=Benchmark_VerifyPOIs -benchtime=1x -cpu=1 -run ^$
Output Files
Generated in the working directory:
output_certificates.txt— pretty JSON of cert array (includesRN+PoIfor clients)output_update.txt— pretty JSON ofperiod,sth,srh,dcrv, and threshold sig payloadsoutput_crv.txt— CRV summaryoutput_crv_revoke.txt— revocation response for index 5output_advance.txt— fresh update bundle after period advancement
Expected Results
- Threshold signatures (BLS): both
STHandSRHpayloads verify true usingcrypto.TSS_public_map - PoIs: every certificate’s PoI passes verification (direct STH method or fallback root+proof)
- Advance period: period increments by exactly 1, and new STH/SRH signatures verify
Troubleshooting
-
PoIs all fail
- Ensure the leaf bytes match server encoding:
RNpresent and correct,PoIomitted - Use the
def.VerifyPOI/def.VerifyPOI2helpers (consistent merkletree config)
- Ensure the leaf bytes match server encoding:
-
Threshold sigs fail
testconfig.jsonmust match server keys- Ensure the test and
defboth usegithub.com/herumi/bls-go-binary/bls - Make sure you have at least
crypto.Thresholdmonitor TSS keys
-
HTTP errors (404/405)
- Confirm
/advanceis registered:mux.HandleFunc("/advance", server.handleAdvancePeriod) - Restart the server after code changes
- Confirm
-
Missing
testconfig.json- Run
go testfrom the directory containing the file, or adjust the path in the test
- Run
Determinism & Reproducibility
IssuedAtuses current time at server startup, so roots change across runs.- For stable roots:
- Fix
IssuedAtto a constant during generation, or - Cache generated certs and reuse them
- Fix
Design Recap
- Topology: single CA (C1) and single logger (L1)
- RN: per-CA index
[0..N-1]and included in leaf JSON - PoI: attached to each cert for clients; omitted from leaf
- STH: Merkle root over JSON(cert with
PoIcleared,RNpresent) - SRH:
Head = SHA256(CRV) || SHA256(Compress(CRV)) - Threshold signatures: BLS over JSON of STH/SRH, verified against aggregated monitor public keys
If you change what fields are serialized into STH leaves, update encodeLeafForSTH accordingly so tests remain aligned with the server.
Documentation
¶
There is no documentation for this package.