mozilla-services · jmhodges · Nov 5, 2024 · Nov 5, 2024 · Nov 5, 2024 · Nov 5, 2024
@@ -70,6 +70,27 @@ jobs:
         with:
           args: --timeout 5m
 
+  xpi-test-profile:
+    name: Profile the signer/xpi tests
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Clone repository
+        uses: actions/checkout@v4
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: "./go.mod"
+
+      - name: Profile signer/xpi tests
+        run: go test -v -race -count=1 -o ./signer-xpi-tests -v -cpuprofile=cpu.prof -memprofile=mem.prof ./signer/xpi
+      - uses: actions/upload-artifact@v4
+        with:
+          name: signer-xpi-prof-${{ github.sha }}
+          path: |
+            cpu.prof
+            mem.prof
+            signer-xpi-tests
+
   unit-tests:
     name: Run Unit Tests
     runs-on: ubuntu-22.04

@@ -9,6 +9,7 @@ package main
 //go:generate ./version.sh
 
 import (
+	"crypto/rsa"
 	"crypto/sha256"
 	"flag"
 	"fmt"
@@ -476,7 +477,7 @@ func (a *autographer) addSigners(signerConfs []signer.Configuration) error {
 				return fmt.Errorf("failed to add signer %q: %w", signerConf.ID, err)
 			}
 		case xpi.Type:
-			s, err = xpi.New(signerConf, statsClient)
+			s, err = xpi.New(signerConf, rsa.GenerateKey, statsClient)
 			if err != nil {
 				return fmt.Errorf("failed to add signer %q: %w", signerConf.ID, err)
 			}

@@ -75,8 +75,10 @@ func TestIntToCOSEAlg(t *testing.T) {
 func TestGenerateCOSEKeyPair(t *testing.T) {
 	// returns an initialized XPI signer
 	initSigner := func(t *testing.T) *XPISigner {
+		keyGen := newTestRSAKeyGen()
+
 		testcase := validSignerConfigs[0]
-		s, err := New(testcase, nil)
+		s, err := New(testcase, keyGen.GenerateKey, nil)
 		if err != nil {
 			t.Fatalf("signer initialization failed with: %v", err)
 		}
@@ -507,7 +509,8 @@ func TestVerifyCOSESignaturesErrs(t *testing.T) {
 		t.Fatalf("error unmarshaling invalidSigBytes %q", err)
 	}
 
-	s, err := New(validSignerConfigs[0], nil)
+	keyGen := newTestRSAKeyGen()
+	s, err := New(validSignerConfigs[0], keyGen.GenerateKey, nil)
 	if err != nil {
 		t.Fatalf("signer initialization failed with: %q", err)
 	}
@@ -829,6 +832,7 @@ func TestVerifyCOSESignaturesErrs(t *testing.T) {
 	}
 
 	for i, testcase := range cases {
+		keyGen.Reset()
 		err := verifyCOSESignatures(testcase.fin, testcase.roots, testcase.opts, testcase.verificationTime)
 		anyMatches := false
 		for _, result := range testcase.results {
@@ -845,7 +849,8 @@ func TestVerifyCOSESignaturesErrs(t *testing.T) {
 func TestIssueCOSESignatureErrs(t *testing.T) {
 	t.Parallel()
 
-	signer, err := New(validSignerConfigs[0], nil)
+	keyGen := newTestRSAKeyGen()
+	signer, err := New(validSignerConfigs[0], keyGen.GenerateKey, nil)
 	if err != nil {
 		t.Fatalf("signer initialization failed with: %v", err)
 	}
@@ -856,12 +861,14 @@ func TestIssueCOSESignatureErrs(t *testing.T) {
 		t.Fatalf("issueCOSESignature did not error on empty signer.issuerCert.Raw")
 	}
 
+	keyGen.Reset()
 	signer.issuerCert = nil
 	_, err = signer.issueCOSESignature("cn", []byte("manifest"), []*cose.Algorithm{cose.ES256})
 	if err == nil {
 		t.Fatalf("issueCOSESignature did not error on nil signer.issuerCert")
 	}
 
+	keyGen.Reset()
 	signer = nil
 	_, err = signer.issueCOSESignature("cn", []byte("manifest"), []*cose.Algorithm{cose.ES256})
 	if err == nil {

@@ -1,14 +1,15 @@
 package xpi
 
 import (
+	"crypto/rsa"
 	"testing"
 )
 
 func BenchmarkResignOmnija(b *testing.B) {
 	// initialize a system addon signer with an RSA key
 	testcase := validSignerConfigs[1]
 
-	s, err := New(testcase, nil)
+	s, err := New(testcase, rsa.GenerateKey, nil)
 	if err != nil {
 		b.Fatalf("signer initialization failed with: %v", err)
 	}

@@ -186,8 +186,8 @@ func TestMakeRecommendationFile(t *testing.T) {
 	t.Run("makes a recommendation file", func(t *testing.T) {
 		t.Parallel()
 
-		// initialize a signer
-		s, err := New(recTestCase, nil)
+		keyGen := newTestRSAKeyGen()
+		s, err := New(recTestCase, keyGen.GenerateKey, nil)
 		if err != nil {
 			t.Fatalf("testcase signer initialization failed with: %v", err)
 		}
@@ -219,8 +219,8 @@ func TestMakeRecommendationFile(t *testing.T) {
 	t.Run("fails for signer not in rec mode", func(t *testing.T) {
 		t.Parallel()
 
-		// initialize a signer
-		s, err := New(validSignerConfigs[0], nil)
+		keyGen := newTestRSAKeyGen()
+		s, err := New(validSignerConfigs[0], keyGen.GenerateKey, nil)
 		if err != nil {
 			t.Fatalf("testcase %d signer initialization failed with: %v", 0, err)
 		}
@@ -247,8 +247,8 @@ func TestMakeRecommendationFile(t *testing.T) {
 			t.Fatalf("failed to unmarshal testcase for signer %q", err)
 		}
 
-		// initialize a signer
-		s, err := New(dupRecTestCase, nil)
+		keyGen := newTestRSAKeyGen()
+		s, err := New(dupRecTestCase, keyGen.GenerateKey, nil)
 		if err != nil {
 			t.Fatalf("testcase signer initialization failed with: %v", err)
 		}
@@ -271,8 +271,8 @@ func TestMakeRecommendationFile(t *testing.T) {
 	t.Run("fails for invalid recommendation validity not_before after not_after", func(t *testing.T) {
 		t.Parallel()
 
-		// initialize a signer
-		s, err := New(recTestCase, nil)
+		keyGen := newTestRSAKeyGen()
+		s, err := New(recTestCase, keyGen.GenerateKey, nil)
 		if err != nil {
 			t.Fatalf("testcase signer initialization failed with: %v", err)
 		}
@@ -349,8 +349,8 @@ func TestRecommendationNotIncludedInOtherSignerModes(t *testing.T) {
 		t.Run(tcName, func(t *testing.T) {
 			t.Parallel()
 
-			// initialize a signer
-			s, err := New(tc, nil)
+			keyGen := newTestRSAKeyGen()
+			s, err := New(tc, keyGen.GenerateKey, nil)
 			if err != nil {
 				t.Fatalf("testcase %d signer initialization failed with: %v", i, err)
 			}
@@ -388,7 +388,8 @@ func TestSignFileWithRecommendation(t *testing.T) {
 	t.Run("signs unsignedbootstrap with PK7", func(t *testing.T) {
 		input := unsignedBootstrap
 
-		s, err := New(recTestCase, nil)
+		keyGen := newTestRSAKeyGen()
+		s, err := New(recTestCase, keyGen.GenerateKey, nil)
 		if err != nil {
 			t.Fatalf("signer initialization failed with: %v", err)
 		}
@@ -420,7 +421,8 @@ func TestSignFileWithRecommendation(t *testing.T) {
 			t.Fatalf("failed to add issuer cert to pool")
 		}
 
-		s, err := New(recTestCase, nil)
+		keyGen := newTestRSAKeyGen()
+		s, err := New(recTestCase, keyGen.GenerateKey, nil)
 		if err != nil {
 			t.Fatalf("signer initialization failed with: %v", err)
 		}
@@ -446,7 +448,8 @@ func TestSignFileWithRecommendation(t *testing.T) {
 	t.Run("signs unsignedbootstrap with PK7 fails for disallowed rec. state", func(t *testing.T) {
 		input := unsignedBootstrap
 
-		s, err := New(recTestCase, nil)
+		keyGen := newTestRSAKeyGen()
+		s, err := New(recTestCase, keyGen.GenerateKey, nil)
 		if err != nil {
 			t.Fatalf("signer initialization failed with: %v", err)
 		}
@@ -463,7 +466,8 @@ func TestSignFileWithRecommendation(t *testing.T) {
 	t.Run("signs unsigned with rec PK7 and overwrites existing rec file", func(t *testing.T) {
 		input := unsignedBootstrap
 
-		s, err := New(recTestCase, nil)
+		keyGen := newTestRSAKeyGen()
+		s, err := New(recTestCase, keyGen.GenerateKey, nil)
 		if err != nil {
 			t.Fatalf("signer initialization failed with: %v", err)
 		}

@@ -22,7 +22,7 @@ func (s *XPISigner) getRsaKey(size int) (*rsa.PrivateKey, error) {
 		start time.Time
 	)
 	start = time.Now()
-	key, err = rsa.GenerateKey(s.rand, size)
+	key, err = s.generateKey(s.rand, size)
 
 	if s.stats != nil {
 		s.stats.SendHistogram("xpi.rsa_cache.get_key", time.Since(start))

@@ -16,7 +16,8 @@ func TestMakeEndEntity(t *testing.T) {
 	// returns an initialized XPI signer
 	initSigner := func(t *testing.T, testcaseid int) *XPISigner {
 		testcase := validSignerConfigs[testcaseid]
-		s, err := New(testcase, nil)
+		keyGen := newTestRSAKeyGen()
+		s, err := New(testcase, keyGen.GenerateKey, nil)
 		if err != nil {
 			t.Fatalf("signer initialization failed with: %v", err)
 		}
@@ -116,7 +117,8 @@ func TestGetIssuerRSAKeySize(t *testing.T) {
 	// returns an initialized XPI signer
 	initSigner := func(t *testing.T, testcaseid int) *XPISigner {
 		testcase := validSignerConfigs[testcaseid]
-		s, err := New(testcase, nil)
+		keyGen := newTestRSAKeyGen()
+		s, err := New(testcase, keyGen.GenerateKey, nil)
 		if err != nil {
 			t.Fatalf("signer initialization failed with: %v", err)
 		}
@@ -158,8 +160,10 @@ func TestGetIssuerRSAKeySize(t *testing.T) {
 func TestGetIssuerECDSACurve(t *testing.T) {
 	// returns an initialized XPI signer
 	initSigner := func(t *testing.T, testcaseid int) *XPISigner {
+		keyGen := newTestRSAKeyGen()
+
 		testcase := validSignerConfigs[testcaseid]
-		s, err := New(testcase, nil)
+		s, err := New(testcase, keyGen.GenerateKey, nil)
 		if err != nil {
 			t.Fatalf("signer initialization failed with: %v", err)
 		}

@@ -108,10 +108,14 @@ type XPISigner struct {
 	//      |                        |                     |
 	//   not_before          now / signing TS          not_after
 	recommendationValidityDuration time.Duration
+
+	// generateKey is passed in for testing purposes but is usually
+	// rsa.GenerateKey.
+	generateKey func(io.Reader, int) (*rsa.PrivateKey, error)
 }
 
 // New initializes an XPI signer using a configuration
-func New(conf signer.Configuration, stats *signer.StatsClient) (s *XPISigner, err error) {
+func New(conf signer.Configuration, genKey func(io.Reader, int) (*rsa.PrivateKey, error), stats *signer.StatsClient) (s *XPISigner, err error) {
 	// TODO(AUT-160): instead of doing nil checks for stats all over XPISigner,
 	// we could just check it here once or provide a null object version of it for tests.
 	s = new(XPISigner)
@@ -129,6 +133,8 @@ func New(conf signer.Configuration, stats *signer.StatsClient) (s *XPISigner, er
 	s.PrivateKey = conf.PrivateKey
 
 	s.rand = conf.GetRand()
+	s.generateKey = genKey
+
 	s.issuerKey, s.issuerPublicKey, s.PublicKey, err = conf.GetKeys()
 	if err != nil {
 		return nil, fmt.Errorf("xpi: GetKeys failed to retrieve signer: %w", err)