Contributor

@Copilot Copilot AI commented Oct 11, 2025

Summary

This PR adds comprehensive test coverage for the CanonicalXmlEntityReference class, which previously had 0% code coverage. The new tests improve coverage from 0% to 92.8% (13 of 14 lines covered) and contribute to the overall goal of improving code coverage for System.Security.Cryptography.Xml.

Fixes #16166 (partial - addresses the CanonicalXmlEntityReference item)

Changes

Added a new test file CanonicalXmlEntityReferenceTest.cs containing 6 test cases that exercise the CanonicalXmlEntityReference class through various canonicalization scenarios:

  1. EntityReferenceInCanonicalization - Tests entity reference handling through standard C14N transform
  2. EntityReferenceWithXmlNodeList - Tests entity references with node subset selection
  3. EntityReferenceWithCommentsIncluded - Tests entity reference handling with comment preservation (C14N with comments)
  4. EntityReferenceInExclusiveCanonicalization - Tests entity references through Exclusive C14N transform
  5. EntityReferenceWithHash - Tests the WriteHash() code path used for digest computation
  6. MultipleEntityReferences - Tests documents with multiple entity references

Technical Approach

The CanonicalXmlEntityReference class is internal and created automatically by CanonicalXmlDocument.CreateEntityReference() during XML document loading. The tests exercise this by:

  1. Creating XML documents with DTD entity declarations (e.g., <!ENTITY test "value">)
  2. Loading these documents through canonicalization transforms (XmlDsigC14NTransform, XmlDsigExcC14NTransform)
  3. The transforms internally use CanonicalXmlDocument which loads via XmlNodeReader
  4. XmlNodeReader preserves entity reference nodes, triggering CreateEntityReference()
  5. The resulting CanonicalXmlEntityReference instances participate in canonicalization, exercising both Write() and WriteHash() methods

Test Results

  • ✅ All 616 tests pass (610 existing + 6 new)
  • ✅ No test failures or errors
  • ✅ Coverage improved from 0% to 92.8% for CanonicalXmlEntityReference
  • ✅ Overall module coverage increased from 71.3% to 71.85%
Original prompt

This section details on the original issue you should resolve

<issue_title>Improve Code Coverage for System.Security.Cryptography.Xml (66.3%)</issue_title>
<issue_description>Here are the main areas which need improvement:

Guidelines:

  • focus on writing tests which provide most value (rarely used scenarios can be targeted later)
  • focus on public entry points

cc: @anthonylangsworth @tintoy @peterwurzinger </issue_description>

Comments on the Issue (you are @copilot in this section)

@krwq @StanislavUshakov thank you for spotting this! If that is a simple fix then you may fix it either together or separately. If it will resurface some bug in the product please do it separately. @krwq @StanislavUshakov - I haven't investigated this code path too much but can we possibly make SignedXml create us an instance of CanonicalXmlDocument (possibly some API returns it) and then manually create entity reference by simply calling an API?

If we can't:
Is this also true for netfx? (not being able to test that)
If it is possible to do it on netfx we need to figure out what is the diff and fix that.
If we could never create an instance of that class then we should not test it for 2.0 (that would be a new feature which is not a target for 2.0) and for post 2.0 we should figure out if this is something we should support or not - do you possibly know of any E2E scenarios we would be missing?</comment_new>
<comment_new>@krwq
Hello @garg000dhruv, thanks for offering your help. I believe no one else is working on this at the moment so you can go ahead and start 😄 Please let me know if you need any help</comment_new>
<comment_new>@krwq
@KindOfANiceGuy I'm not aware of anyone working on it at the moment and I believe it's free to being picked up.

Please make sure to read https://github.com/dotnet/corefx/#reporting-security-issues-and-security-bugs before sending out PRs/filing issues 😄 </comment_new>
<comment_new>@krwq
@KindOfANiceGuy I haven't touched this code in a while so my memory might be a bit fuzzy

  1. We haven't had any conclusion on that - I'd recommend trying out if you can find a way to test it but if you don't then we can leave it as is
  2. What you say essentially suggests that this is a dead code (non public API with nothing using it) - I'd recommend changing it to abstract method and remove the body and see if the code still works - if something breaks that should tell you how to hit that code path and if not then we have less code</comment_new>
    <comment_new>@bartonjs
    FWIW, I don't think that the internal virtual can be made internal abstract, because then out-of-assembly derived types would be unable to provide a method for it. But it could be internal virtual WhateverTheRestOfTheSignatureIs() { Debug.Fail($"Internal types are expected to override {nameof(TheMethod)}"); throw new NotImplementedException(); }</comment_new>
    <comment_new>@krwq
    @bartonjs I thought this was entirely internal type, in that case it might be possible to test this method by simply inheriting from this class and touching something which calls it</comment_new>
    <comment_new>@krwq
    @KindOfANiceGuy I thought there was something to...

Fixes #20508
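An added example (not code from this PR or from dotnet/runtime) of the approach in the PR description above: a document with a DTD-declared entity is passed through both canonicalization transforms, and the streamed output (the Write() path) is compared with GetDigestedOutput() (the WriteHash() path). The class name and sample document are constructed for illustration, and the System.Security.Cryptography.Xml package is assumed to be referenced.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Text;
using System.Xml;

// Illustrative only: names and input are constructed for this example.
class EntityReferenceC14NDemo
{
    // Constructed input: internal DTD subset declaring one general entity.
    const string Xml = "<!DOCTYPE doc [<!ENTITY test \"value\">]><doc>&test;</doc>";

    // Write() path: canonical bytes streamed out of the transform.
    static byte[] CanonicalBytes(Transform t, XmlDocument doc)
    {
        t.LoadInput(doc);
        using var output = (Stream)t.GetOutput(typeof(Stream));
        using var buffer = new MemoryStream();
        output.CopyTo(buffer);
        return buffer.ToArray();
    }

    static void Main()
    {
        var doc = new XmlDocument();
        doc.LoadXml(Xml);

        // Precondition for the code path: the DOM still holds an
        // EntityReference node rather than the expanded text.
        XmlNode first = doc.DocumentElement.FirstChild;
        Console.WriteLine($"First child node type: {first.NodeType}");

        foreach (Transform t in new Transform[] {
                     new XmlDsigC14NTransform(), new XmlDsigExcC14NTransform() })
        {
            byte[] canonical = CanonicalBytes(t, doc);
            using var sha = SHA256.Create();
            byte[] streamed = sha.ComputeHash(canonical);

            // WriteHash() path: the transform feeds the hash directly.
            t.LoadInput(doc);
            using var direct = SHA256.Create();
            byte[] digested = t.GetDigestedOutput(direct);

            Console.WriteLine($"{t.Algorithm}: {Encoding.UTF8.GetString(canonical)}");
            Console.WriteLine($"  digests agree: {streamed.SequenceEqual(digested)}");
        }
    }
}
```

If the first child is reported as Text instead of EntityReference, the loader expanded the entity and the CanonicalXmlEntityReference path is not being exercised.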



Co-authored-by: stephentoub <2642209+stephentoub@users.noreply.github.com>
@Copilot Copilot AI changed the title [WIP] Improve code coverage for System.Security.Cryptography.Xml Improve code coverage for CanonicalXmlEntityReference class (0% → 92.8%) Oct 11, 2025
@Copilot Copilot AI requested a review from stephentoub October 11, 2025 18:34
Copilot finished work on behalf of stephentoub October 11, 2025 18:34
@stephentoub
Member

@copilot, are there any other notable areas of the library that need improvements in code coverage, beyond this particular class?

@stephentoub stephentoub added area-System.Security test-enhancement Improvements of test source code labels Oct 11, 2025
@stephentoub stephentoub marked this pull request as ready for review October 11, 2025 19:41
@Copilot Copilot AI review requested due to automatic review settings October 11, 2025 19:42
Contributor

@Copilot Copilot AI left a comment


Pull Request Overview

Adds new unit tests to raise coverage for CanonicalXmlEntityReference from 0% to 92.8% by exercising canonicalization transforms with XML entity references and hashing.

  • Adds CanonicalXmlEntityReferenceTest.cs with 6 test cases covering normal, subset, comments, exclusive, hashing, and multiple entity scenarios.
  • Updates the test project file to include the new test source.

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 6 comments.

| File | Description |
| --- | --- |
| System.Security.Cryptography.Xml.Tests.csproj | Registers the new test file for compilation. |
| CanonicalXmlEntityReferenceTest.cs | Implements the added test cases targeting CanonicalXmlEntityReference behavior. |

@stephentoub stephentoub enabled auto-merge (squash) October 11, 2025 19:45
@stephentoub stephentoub disabled auto-merge October 11, 2025 19:45
Contributor Author

Copilot AI commented Oct 11, 2025

> @copilot, are there any other notable areas of the library that need improvements in code coverage, beyond this particular class?

Based on the original issue #16166, most areas have been addressed. The main remaining item is:

KeyInfoClause - The internal virtual method GetXml(XmlDocument xmlDocument) (line 21-25 in KeyInfoClause.cs) was listed as partially done in the original issue. This method is called when KeyInfo clauses are added to KeyInfo objects with a specific XmlDocument context. It could potentially be tested by creating custom KeyInfoClause implementations in tests and verifying they're properly integrated when added to KeyInfo objects.

All other areas mentioned in the issue have been marked as completed (SignedXml.CheckSignature, XmlDecryptionTransform, SymmetricKeyWrap, EncryptedXml, and EncryptionMethod).

@Copilot Copilot AI requested a review from stephentoub October 11, 2025 20:01
Copilot finished work on behalf of stephentoub October 11, 2025 20:01
@stephentoub
Member

@copilot, please don't base it just on the issue. Please run the tests with coverage enabled and review the resulting code coverage information.

Contributor Author

Copilot AI commented Oct 11, 2025

> @copilot, please don't base it just on the issue. Please run the tests with coverage enabled and review the resulting code coverage information.

I've run the tests with coverage enabled. Here's a summary of notable areas needing improvement:

Classes with 0% coverage (12+ lines):

  • KeyReference (12 lines) - Encrypted key reference class
  • CanonicalXmlSignificantWhitespace (17 lines) - Similar to CanonicalXmlEntityReference

Classes with very low coverage (<30%):

  • SignedXmlDebugLog (20%, 559 lines) - Debug tracing utility, low priority
  • ReferenceList (27.1%, 59 lines) - Collection for DataReference/KeyReference
  • CanonicalXmlNodeList (30.6%, 49 lines) - Internal collection class
  • DataReference (33.3%, 12 lines) - Encrypted data reference class

Classes with moderate-low coverage (30-50%):

  • ExcCanonicalXml (35.8%, 78 lines) - Exclusive canonicalization
  • CanonicalXmlComment (43.5%, 39 lines) - Comment node canonicalization
  • TransformChain (43.5%, 117 lines) - Transform pipeline
  • XmlDsigEnvelopedSignatureTransform (49.5%, 115 lines) - Enveloped signature transform

High-impact targets (50-70%):

  • SignedXml (69.9%, 592 lines) - Core signing class
  • Utils (70.2%, 558 lines) - Utility methods
  • XmlDsigExcC14NTransform (63.1%, 76 lines) - Exclusive C14N transform

The highest value improvements would be:

  1. CanonicalXmlSignificantWhitespace (similar pattern to the entity reference I just added)
  2. KeyReference and DataReference (encrypted XML reference types)
  3. ReferenceList (collection for managing references)
  4. TransformChain and transform classes (core XML signature functionality)

Copilot finished work on behalf of stephentoub October 11, 2025 20:59
@stephentoub
Member

@copilot, please add tests for all of the identified areas you mentioned (not just the highest value improvements)

@stephentoub
Member

@copilot, please add tests for all of the identified areas you mentioned (not just the highest value improvements):

Classes with 0% coverage (12+ lines):

  • KeyReference (12 lines) - Encrypted key reference class
  • CanonicalXmlSignificantWhitespace (17 lines) - Similar to CanonicalXmlEntityReference

Classes with very low coverage (<30%):

  • SignedXmlDebugLog (20%, 559 lines) - Debug tracing utility, low priority
  • ReferenceList (27.1%, 59 lines) - Collection for DataReference/KeyReference
  • CanonicalXmlNodeList (30.6%, 49 lines) - Internal collection class
  • DataReference (33.3%, 12 lines) - Encrypted data reference class

Classes with moderate-low coverage (30-50%):

  • ExcCanonicalXml (35.8%, 78 lines) - Exclusive canonicalization
  • CanonicalXmlComment (43.5%, 39 lines) - Comment node canonicalization
  • TransformChain (43.5%, 117 lines) - Transform pipeline
  • XmlDsigEnvelopedSignatureTransform (49.5%, 115 lines) - Enveloped signature transform

High-impact targets (50-70%):

  • SignedXml (69.9%, 592 lines) - Core signing class
  • Utils (70.2%, 558 lines) - Utility methods
  • XmlDsigExcC14NTransform (63.1%, 76 lines) - Exclusive C14N transform

@stephentoub
Member

@copilot, my last request to you is not old. Please do the work I'm asking. Run code coverage for the tests on main, fill the gaps with new tests, re-run coverage, and share the updated numbers.


Labels

area-System.Security test-enhancement Improvements of test source code


Development

Successfully merging this pull request may close these issues.

  • Improve Code Coverage for System.Security.Cryptography.Xml (66.3%)
  • System.Net.Http.Unit.Tests intermittently fails with AV on Ubuntu

2 participants