ruvix-cap 0.1.0

seL4-inspired capability management for the RuVix Cognition Kernel (ADR-087)
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201

//! Security tests for ADR-087 SEC-001: Boot signature verification.
//!
//! These tests verify that boot signature failures result in immediate panics
//! with no fallback path, as required by SEC-001.

use ruvix_cap::{
    verify_boot_signature_or_panic, verify_signature, BootSignature, BootVerifier,
    SignatureAlgorithm, SignatureVerifyResult, TrustedKey, TrustedKeyStore,
};

// =============================================================================
// SEC-001: Boot Signature Panic Tests
// =============================================================================

fn create_valid_signature() -> BootSignature {
    let mut signature = [0u8; 64];
    signature[0] = 0x42; // Non-zero to pass basic check

    BootSignature::ed25519(
        signature,
        [1u8; 32], // public key
        [2u8; 32], // message hash
    )
}

fn create_trusted_store() -> TrustedKeyStore {
    let mut store = TrustedKeyStore::new();
    store.add_key(TrustedKey::permanent([1u8; 32], 1));
    store
}

#[test]
fn test_sec001_valid_signature_does_not_panic() {
    let signature = create_valid_signature();
    let store = create_trusted_store();

    // This should NOT panic
    verify_boot_signature_or_panic(&signature, &[], &store, 0);
}

#[test]
#[should_panic(expected = "SECURITY VIOLATION [SEC-001]")]
fn test_sec001_invalid_signature_panics() {
    let signature = BootSignature::ed25519(
        [0u8; 64],  // All zeros = invalid
        [1u8; 32],  // trusted key
        [2u8; 32],
    );
    let store = create_trusted_store();

    // This MUST panic
    verify_boot_signature_or_panic(&signature, &[], &store, 0);
}

#[test]
#[should_panic(expected = "SECURITY VIOLATION [SEC-001]")]
fn test_sec001_untrusted_key_panics() {
    let signature = BootSignature::ed25519(
        [1u8; 64],   // non-zero signature
        [99u8; 32],  // UNTRUSTED key
        [2u8; 32],
    );
    let store = create_trusted_store();

    // This MUST panic
    verify_boot_signature_or_panic(&signature, &[], &store, 0);
}

#[test]
fn test_sec001_verify_returns_correct_error_codes() {
    let store = create_trusted_store();

    // Test UntrustedKey
    let sig = BootSignature::ed25519([1u8; 64], [99u8; 32], [0u8; 32]);
    assert_eq!(
        verify_signature(&sig, &[], &store, 0),
        SignatureVerifyResult::UntrustedKey
    );

    // Test Invalid (zero signature)
    let sig = BootSignature::ed25519([0u8; 64], [1u8; 32], [0u8; 32]);
    assert_eq!(
        verify_signature(&sig, &[], &store, 0),
        SignatureVerifyResult::Invalid
    );

    // Test Valid
    let sig = create_valid_signature();
    assert_eq!(
        verify_signature(&sig, &[], &store, 0),
        SignatureVerifyResult::Valid
    );
}

#[test]
fn test_sec001_trusted_key_expiry() {
    let mut store = TrustedKeyStore::new();
    store.add_key(TrustedKey::new([1u8; 32], 1, 1000)); // expires at 1000ns

    let sig = create_valid_signature();

    // Before expiry: should be valid
    assert_eq!(
        verify_signature(&sig, &[], &store, 500),
        SignatureVerifyResult::Valid
    );

    // After expiry: should be UntrustedKey
    assert_eq!(
        verify_signature(&sig, &[], &store, 2000),
        SignatureVerifyResult::UntrustedKey
    );
}

#[test]
#[should_panic(expected = "SECURITY VIOLATION [SEC-001]")]
fn test_sec001_expired_key_panics() {
    let mut store = TrustedKeyStore::new();
    store.add_key(TrustedKey::new([1u8; 32], 1, 1000));

    let sig = create_valid_signature();

    // After expiry: should panic
    verify_boot_signature_or_panic(&sig, &[], &store, 2000);
}

#[test]
fn test_sec001_key_store_capacity() {
    let mut store = TrustedKeyStore::new();

    // Should be able to add 8 keys
    for i in 0..8 {
        let key = TrustedKey::permanent([i as u8; 32], i as u64);
        assert!(store.add_key(key), "Should add key {}", i);
    }

    // 9th key should fail
    let key = TrustedKey::permanent([99u8; 32], 99);
    assert!(!store.add_key(key), "Should reject 9th key");
}

#[test]
fn test_sec001_permanent_key_never_expires() {
    let key = TrustedKey::permanent([0u8; 32], 1);

    // Permanent keys have valid_until_ns = 0, meaning no expiry
    assert!(!key.is_expired(0));
    assert!(!key.is_expired(u64::MAX)); // Even at max time
}

#[test]
fn test_sec001_boot_verifier_valid() {
    let store = create_trusted_store();
    let verifier = BootVerifier::new(store);
    let sig = create_valid_signature();

    // Should not panic
    verifier.verify_or_panic(&sig, &[], 0);
}

#[test]
fn test_sec001_signature_algorithms() {
    // Test that supported algorithms are correct
    assert_eq!(SignatureAlgorithm::Ed25519 as u8, 0);
    assert_eq!(SignatureAlgorithm::EcdsaP256 as u8, 1);
    assert_eq!(SignatureAlgorithm::RsaPss2048 as u8, 2);
    assert_eq!(SignatureAlgorithm::MlDsa as u8, 3);
}

#[test]
fn test_sec001_unsupported_algorithm() {
    let store = create_trusted_store();

    // RSA is not yet supported
    let sig = BootSignature::new(
        SignatureAlgorithm::RsaPss2048,
        [1u8; 64],
        [1u8; 32],
        [0u8; 32],
    );

    assert_eq!(
        verify_signature(&sig, &[], &store, 0),
        SignatureVerifyResult::UnsupportedAlgorithm
    );
}

#[test]
#[should_panic(expected = "SECURITY VIOLATION [SEC-001]")]
fn test_sec001_unsupported_algorithm_panics() {
    let store = create_trusted_store();

    let sig = BootSignature::new(
        SignatureAlgorithm::MlDsa, // Not supported
        [1u8; 64],
        [1u8; 32],
        [0u8; 32],
    );

    verify_boot_signature_or_panic(&sig, &[], &store, 0);
}