tests/test_driver_attest.py
| 1 | """Tests for DriverAttester / DriverAttestationVerifier.""" |
| 2 | |
| 3 | from __future__ import annotations |
| 4 | |
| 5 | import pytest |
| 6 | from quantumshield.identity.agent import AgentIdentity |
| 7 | |
| 8 | from pqc_gpu_driver import ( |
| 9 | DriverAttestationError, |
| 10 | DriverAttestationVerifier, |
| 11 | DriverAttester, |
| 12 | DriverModule, |
| 13 | ) |
| 14 | |
| 15 | |
def test_attest_populates_signature_fields(
    attester: DriverAttester, sample_module: DriverModule
) -> None:
    """Check that ``attest()`` fills in every signer-related field.

    The returned attestation must reference the attested module, name the
    attester's DID and signing algorithm, carry a non-empty signature and
    public key, and be stamped with a time ending in the ``+00:00`` offset.
    This test only checks that the fields are populated; it does not verify
    the signature itself.
    """
    attestation = attester.attest(sample_module)
    identity = attester.identity

    # Binding: the attestation refers to the module and signer we used.
    assert attestation.module == sample_module
    assert attestation.signer_did == identity.did
    assert attestation.algorithm == identity.signing_keypair.algorithm.value

    # Signature material must be present and non-empty.
    assert attestation.signature
    assert len(attestation.signature) > 0
    assert attestation.public_key
    assert len(attestation.public_key) > 0

    # The timestamp is expected to carry an explicit zero UTC offset.
    assert attestation.signed_at.endswith("+00:00")
| 26 | |
| 27 | |
def test_verify_valid_attestation(
    attester: DriverAttester,
    sample_module: DriverModule,
    sample_module_bytes: bytes,
) -> None:
    """Happy path: an untouched attestation verifies against its module bytes.

    ``sample_module_bytes`` is presumably the content ``sample_module`` was
    built from (the fixtures live outside this file - confirm there).
    """
    attestation = attester.attest(sample_module)

    outcome = DriverAttestationVerifier().verify(
        attestation, actual_module_bytes=sample_module_bytes
    )

    assert outcome.valid is True
    assert outcome.error is None
    # The verifier reports the signer that the attester used.
    assert outcome.signer_did == attester.identity.did
| 39 | |
| 40 | |
def test_verify_detects_hash_tamper(
    attester: DriverAttester, sample_module: DriverModule
) -> None:
    """Verification must fail when the supplied bytes are not the attested ones.

    The attestation itself is left untouched; only the module content handed
    to the verifier differs, so the expected rejection reason is the module
    hash comparison.
    """
    attestation = attester.attest(sample_module)

    # Hand the verifier content that differs from what was attested.
    substituted_bytes = b"totally different bytes"
    outcome = DriverAttestationVerifier().verify(
        attestation, actual_module_bytes=substituted_bytes
    )

    assert outcome.valid is False
    error_text = outcome.error or ""
    assert "module hash mismatch" in error_text
| 50 | |
| 51 | |
def test_trusted_signers_allowlist_filters_untrusted(
    trusted_identity: AgentIdentity,
    untrusted_identity: AgentIdentity,
    sample_module: DriverModule,
) -> None:
    """A signer outside ``trusted_signers`` is rejected, not just flagged.

    Both attestations are produced by a real ``DriverAttester`` and neither
    is modified afterwards. The test pins that, for the signer missing from
    the allowlist, ``valid`` is False as well as ``trusted``, so a caller
    that checks only ``valid`` still refuses the module.

    ``verify()`` is called without ``actual_module_bytes`` here, so this test
    does not exercise the module-hash comparison.
    """
    allowlisted_verifier_input = DriverAttester(trusted_identity).attest(sample_module)
    outsider_verifier_input = DriverAttester(untrusted_identity).attest(sample_module)

    # Only the trusted identity's DID is on the allowlist.
    verifier = DriverAttestationVerifier(trusted_signers={trusted_identity.did})

    accepted = verifier.verify(allowlisted_verifier_input)
    assert accepted.valid is True
    assert accepted.trusted is True

    rejected = verifier.verify(outsider_verifier_input)
    assert rejected.valid is False
    assert rejected.trusted is False
    rejection_reason = rejected.error or ""
    assert "not in trusted set" in rejection_reason
| 70 | |
| 71 | |
def test_signature_tamper_detected(
    attester: DriverAttester, sample_module: DriverModule
) -> None:
    """Changing one character of the signature must make verification fail.

    Only the presence of an error is asserted, not its wording, so this test
    does not pin which check rejected the attestation.
    NOTE(review): consider asserting on the signature-failure message as well,
    so an unrelated rejection cannot satisfy this test - confirm the wording
    against the verifier.
    """
    attestation = attester.attest(sample_module)

    # Replace the leading hex digit with a different one; the rest of the
    # signature is left as produced by the attester.
    genuine_signature = attestation.signature
    swapped_digit = "1" if genuine_signature[0] == "0" else "0"
    attestation.signature = swapped_digit + genuine_signature[1:]

    outcome = DriverAttestationVerifier().verify(attestation)

    assert outcome.valid is False
    assert outcome.error is not None
| 82 | |
| 83 | |
def test_missing_signature_rejected(sample_module: DriverModule) -> None:
    """An attestation that was never signed is rejected with a clear reason.

    The attestation is constructed directly with only ``module`` set, so no
    attester has populated its signature fields.
    """
    # Imported here, as in the rest of this test only; the module-level import
    # block does not bring in DriverAttestation.
    from pqc_gpu_driver import DriverAttestation

    unsigned = DriverAttestation(module=sample_module)

    outcome = DriverAttestationVerifier().verify(unsigned)

    assert outcome.valid is False
    error_text = outcome.error or ""
    assert "missing signature fields" in error_text
| 92 | |
| 93 | |
def test_verify_or_raise_raises_on_invalid(
    attester: DriverAttester, sample_module: DriverModule
) -> None:
    """``verify_or_raise()`` raises ``DriverAttestationError`` on a bad attestation.

    The attestation is invalidated by blanking its signature, so this covers
    an emptied signature field rather than a well-formed but wrong signature.
    """
    attestation = attester.attest(sample_module)
    attestation.signature = ""  # blank the signature to invalidate it

    checker = DriverAttestationVerifier()
    with pytest.raises(DriverAttestationError):
        checker.verify_or_raise(attestation)
| 102 | |