more fine-grained switch for disabling lifetime validation

.github/workflows/tests.yml

@@ -49,6 +49,7 @@ jobs:
         run: |
           cargo install wasm-bindgen-cli
           cargo test $TEST_MODE -p openmls -vv -F libcrux-provider
+          cargo test $TEST_MODE -p openmls -vv -F libcrux-provider -F test-skip-lifetime-validity-check passive_client
 
       - name: Tests Wasm32 on linux
         if: matrix.os == 'ubuntu-latest'
@@ -57,22 +58,27 @@ jobs:
           cargo install wasm-bindgen-cli
           export CARGO_TARGET_WASM32_UNKNOWN_UNKNOWN_RUNNER=$HOME/.cargo/bin/wasm-bindgen-test-runner
           cargo test $TEST_MODE -p openmls -vv --target wasm32-unknown-unknown -F js
+          cargo test $TEST_MODE -p openmls -vv --target wasm32-unknown-unknown -F js -F test-skip-lifetime-validity-check passive_client
 
       - name: Tests
         if: matrix.os != 'windows-latest'
         run: cargo test $TEST_MODE -p openmls --verbose
+        run: cargo test $TEST_MODE -p openmls --verbose -F test-skip-lifetime-validity-check passive_client
 
       # Test 32 bit builds on windows
       - name: Tests 32bit windows debug
         if: matrix.mode == 'debug' && matrix.os == 'windows-latest'
         run: cargo test -p openmls --verbose --target i686-pc-windows-msvc
+        run: cargo test -p openmls --verbose --target i686-pc-windows-msvc -F test-skip-lifetime-validity-check passive_client
       - name: Tests 32bit windows release
         if: matrix.mode == 'release' && matrix.os == 'windows-latest'
         run: cargo test --release -p openmls --verbose --target i686-pc-windows-msvc
+        run: cargo test --release -p openmls --verbose --target i686-pc-windows-msvc -F test-skip-lifetime-validity-check passive_client
 
         # Test 32 bit builds on linux
       - name: Tests 32bit linux
         if: matrix.os == 'ubuntu-latest'
         run: |
           sudo apt update && sudo apt install gcc-multilib
           cargo test $TEST_MODE -p openmls --verbose --target i686-unknown-linux-gnu
+          cargo test $TEST_MODE -p openmls --verbose --target i686-unknown-linux-gnu -F test-skip-lifetime-validity-check passive_client

openmls/Cargo.toml

@@ -53,6 +53,8 @@ test-utils = [
   "dep:once_cell",
   "backtrace",
 ]
+test-skip-lifetime-validity-check = [
+] # Skip the check whether a lifetime is valid. Needed for KATs with since-expired key packages.
 backtrace = ["dep:backtrace"]
 libcrux-provider = [
   "dep:openmls_libcrux_crypto",

openmls/src/group/mls_group/tests_and_kats/kats/mod.rs

@@ -1,2 +1,3 @@
+#[cfg(feature = "test-skip-lifetime-validity-check")]
 mod passive_client;
 mod welcome;

openmls/src/group/public_group/validation.rs

@@ -29,7 +29,7 @@ use crate::{
     schedule::errors::PskError,
 };
 
-#[cfg(not(test))]
+#[cfg(not(feature = "test-skip-lifetime-validity-check"))]
 use crate::treesync::errors::LifetimeError;
 
 impl PublicGroup {
@@ -622,12 +622,16 @@ impl PublicGroup {
         // valn0105 is done when sending
 
         // valn0106
-        // don't enable in tests, because we are testing with kats that contain
-        // expired key packages
-        #[cfg(not(test))]
+        //
+        // Only leaf nodes in key packages contain lifetimes, so this will return None for other
+        // cases. Therefore we only check the lifetimes for leaf nodes in key packages.
+        //
+        // Some KATs use key packages that are expired by now. In order to run these tests, we
+        // provide a way to turn off this check.
+        #[cfg(not(feature = "test-skip-lifetime-validity-check"))]
         if let Some(lifetime) = leaf_node.life_time() {
             if !lifetime.is_valid() {
-                println!("offending lifetime: {lifetime:?}");
+                log::warn!("offending lifetime: {lifetime:?}");
                 return Err(LeafNodeValidationError::Lifetime(LifetimeError::NotCurrent));
             }
         }