tests/test_attestation.py
| 1 | """Tests for DeviceAttester + DeviceAttestation.""" |
| 2 | |
| 3 | from __future__ import annotations |
| 4 | |
| 5 | import pytest |
| 6 | |
| 7 | from pqc_enclave_sdk import ( |
| 8 | AttestationError, |
| 9 | DeviceAttester, |
| 10 | ) |
| 11 | |
| 12 | |
def test_attest_sets_signer_did_algorithm_signature(signer_identity) -> None:
    """attest() binds the attestation to the signing identity.

    Checks that the DID and algorithm on the returned attestation match the
    identity fixture, and that a signature and public key are present.
    Presence is all that is asserted here; whether the signature actually
    verifies is covered by the verify() tests.
    """
    attestation = DeviceAttester(
        identity=signer_identity,
        device_id="iphone-1",
        device_model="iphone-15-pro",
        enclave_vendor="apple-se",
    ).attest(
        artifact_id="urn:pqc-enclave-art:abc",
        content_hash="cafebabe",
    )

    # Identity binding: who signed, and with which algorithm.
    assert attestation.signer_did == signer_identity.did
    assert attestation.algorithm == signer_identity.signing_keypair.algorithm.value

    # Truthiness only: empty or missing values fail, contents are not inspected.
    assert attestation.signature
    assert attestation.public_key
| 28 | |
| 29 | |
def test_verify_valid_attestation(signer_identity) -> None:
    """An untouched attestation produced by attest() verifies as True."""
    device_attester = DeviceAttester(
        identity=signer_identity,
        device_id="pixel-8",
        device_model="pixel-8",
        enclave_vendor="android-strongbox",
    )
    attestation = device_attester.attest(
        artifact_id="urn:pqc-enclave-art:def",
        content_hash="deadbeef",
    )

    # `is True` pins the exact boolean, not merely a truthy return value.
    verified = DeviceAttester.verify(attestation)
    assert verified is True
| 42 | |
| 43 | |
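def test_tamper_signature_detected(signer_identity) -> None:
    """A single flipped bit in the signature makes verify() return False.

    The attestation is first checked to verify as issued, so the negative
    assertion cannot pass vacuously (for example if verify() rejected every
    attestation). Only the signature field is modified here; this test does
    not cover tampering with the signed fields themselves.
    """
    attester = DeviceAttester(
        identity=signer_identity,
        device_id="d",
        device_model="m",
        enclave_vendor="in-memory",
    )
    att = attester.attest(
        artifact_id="urn:pqc-enclave-art:tamper",
        content_hash="1234",
    )
    # Baseline: the untampered attestation must verify.
    assert DeviceAttester.verify(att) is True

    # Flip the lowest bit of the first signature byte (the signature is a
    # hex string, so decode, mutate and re-encode to keep the same shape).
    tampered = bytearray.fromhex(att.signature)
    tampered[0] ^= 0x01
    att.signature = tampered.hex()
    assert DeviceAttester.verify(att) is False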
| 60 | |
| 61 | |
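def test_verify_or_raise_raises_on_invalid(signer_identity) -> None:
    """verify_or_raise() raises AttestationError for an invalid signature.

    The attestation is first checked to verify as issued, so the expected
    exception is attributable to the replaced signature rather than to a
    problem with the attestation itself.
    """
    attester = DeviceAttester(
        identity=signer_identity,
        device_id="d",
        device_model="m",
        enclave_vendor="in-memory",
    )
    att = attester.attest(
        artifact_id="urn:pqc-enclave-art:invalid",
        content_hash="5678",
    )
    # Baseline: the untampered attestation must verify.
    assert DeviceAttester.verify(att) is True

    # Replace the signature with all-zero bytes of the same length: the value
    # is still well-formed hex, so the failure exercised here is a signature
    # mismatch rather than a decoding error.
    att.signature = "00" * (len(att.signature) // 2)
    with pytest.raises(AttestationError):
        DeviceAttester.verify_or_raise(att)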
| 78 | |