From e56af9fa7966d33e5521fe82e08298595e179786 Mon Sep 17 00:00:00 2001
From: Praneeth Sarode
Date: Thu, 23 Oct 2025 22:19:20 +0530
Subject: [PATCH] feat(torture_sk): add validation functions for security key callback responses and resident keys

Signed-off-by: Praneeth Sarode
Reviewed-by: Jakub Jelen
Reviewed-by: Eshan Kelkar
---
 tests/torture_sk.c | 70 +++++++++++++++++++++++++++++++++++++++++++++-
 tests/torture_sk.h | 48 +++++++++++++++++++++++++++++--
 2 files changed, 114 insertions(+), 4 deletions(-)

diff --git a/tests/torture_sk.c b/tests/torture_sk.c
index 1191d126..724f9272 100644
--- a/tests/torture_sk.c
+++ b/tests/torture_sk.c
@@ -25,7 +25,6 @@
 #include "libssh/pki.h"
 #include "libssh/sk_api.h" /* For SSH_SK_* flag definitions */
-/* Helper function to validate ssh_key structure for security keys */
 void assert_sk_key_valid(ssh_key key,
 enum ssh_keytypes_e expected_type,
 bool private)
@@ -101,6 +100,75 @@ void assert_sk_key_valid(ssh_key key,
 }
 }
+void assert_sk_enroll_response(struct sk_enroll_response *response, int flags)
+{
+ assert_non_null(response);
+
+ assert_non_null(response->public_key);
+ assert_true(response->public_key_len > 0);
+
+ assert_non_null(response->key_handle);
+ assert_true(response->key_handle_len > 0);
+
+ assert_non_null(response->signature);
+ assert_true(response->signature_len > 0);
+
+ /*
+ * This check might fail for some authenticators, as returning an
+ * attestation certificate as part of the attestation statement is not
+ * mandated by the FIDO2 standard.
+ */
+ assert_non_null(response->attestation_cert);
+ assert_true(response->attestation_cert_len > 0);
+
+ assert_non_null(response->authdata);
+ assert_true(response->authdata_len > 0);
+
+ assert_int_equal(response->flags, flags);
+}
+
+void assert_sk_sign_response(struct sk_sign_response *response,
+ enum ssh_keytypes_e key_type)
+{
+ assert_non_null(response);
+
+ assert_non_null(response->sig_r);
+ assert_true(response->sig_r_len > 0);
+
+ /* sig_s is NULL for Ed25519, present for ECDSA */
+ switch (key_type) {
+ case SSH_SK_ECDSA:
+ assert_non_null(response->sig_s);
+ assert_true(response->sig_s_len > 0);
+ break;
+ case SSH_SK_ED25519:
+ assert_null(response->sig_s);
+ assert_int_equal(response->sig_s_len, 0);
+ break;
+ default:
+ /* Should not reach here */
+ assert_true(0);
+ break;
+ }
+}
+
+void assert_sk_resident_key(struct sk_resident_key *resident_key)
+{
+ assert_non_null(resident_key);
+
+ assert_non_null(resident_key->application);
+ assert_true(strlen(resident_key->application) > 0);
+
+ assert_non_null(resident_key->user_id);
+ assert_true(resident_key->user_id_len > 0);
+
+ assert_non_null(resident_key->key.public_key);
+ assert_true(resident_key->key.public_key_len > 0);
+
+ assert_non_null(resident_key->key.key_handle);
+ assert_true(resident_key->key.key_handle_len > 0);
+}
+
 const char *torture_get_sk_pin(void)
 {
 const char *pin = 
getenv("TORTURE_SK_PIN");
diff --git a/tests/torture_sk.h b/tests/torture_sk.h
index 467767fb..25e37d71 100644
--- a/tests/torture_sk.h
+++ b/tests/torture_sk.h
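Review bot: In `assert_sk_sign_response` (tests/torture_sk.c) `key_type` is declared `enum ssh_keytypes_e`, but the `switch` matches it against `SSH_SK_ECDSA` and `SSH_SK_ED25519`, which appear to be the algorithm constants from `libssh/sk_api.h` rather than members of that enum. If so, a caller passing a real key type such as `SSH_KEYTYPE_SK_ECDSA` reaches `default` and fails; declare the parameter as `int alg`, or use `case SSH_KEYTYPE_SK_ECDSA:` / `case SSH_KEYTYPE_SK_ED25519:`, and fix the matching `@param key_type` text in tests/torture_sk.h. Separately, `assert_sk_enroll_response` requires `attestation_cert` unconditionally although its own comment says compliant authenticators may omit it; `if (response->attestation_cert != NULL) { assert_true(response->attestation_cert_len > 0); }` would keep the helper usable with those devices while still rejecting a pointer with zero length. The new helpers are complete within the hunk; only the trailing `torture_get_sk_pin` context runs past it.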
@@ -28,14 +28,56 @@
 #define LIBSSH_STATIC
-#include
-
 #include "torture.h"
-#include "torture_pki.h"
+/**
+ * @brief Validate a security key (ssh_key) structure
+ *
+ * Checks that the provided key is not NULL, matches the expected key type,
+ * and other internal fields.
+ *
+ * @param[in] key The key to validate
+ * @param[in] expected_type The expected key type (e.g., SSH_KEYTYPE_SK_ECDSA)
+ * @param[in] private true if key should be private, false for public
+ */
 void assert_sk_key_valid(ssh_key key,
 enum ssh_keytypes_e expected_type,
 bool private);
+
+/**
+ * @brief Validate a security key enrollment response structure
+ *
+ * Validates that an sk_enroll_response contains valid data from a FIDO2
+ * enrollment operation, including public key, key handle, signature,
+ * attestation certificate, and authenticator data.
+ *
+ * @param[in] response The enrollment response to validate
+ * @param[in] flags The expected flags that should match the response flags
+ */
+void assert_sk_enroll_response(struct sk_enroll_response *response, int flags);
+
+/**
+ * @brief Validate a security key sign response structure
+ *
+ * Validates that an sk_sign_response contains valid signature data from
+ * a FIDO2 sign operation.
+ *
+ * @param[in] response The sign response to validate
+ * @param[in] key_type The key type (e.g., SSH_SK_ECDSA, SSH_SK_ED25519)
+ */
+void assert_sk_sign_response(struct sk_sign_response *response,
+ enum ssh_keytypes_e key_type);
+
+/**
+ * @brief Validate a security key resident key structure
+ *
+ * Validates that an sk_resident_key contains valid data including application
+ * identifier, user ID, public key, and key handle.
+ *
+ * @param[in] resident_key The resident key to validate
+ */
+void assert_sk_resident_key(struct sk_resident_key *resident_key);
+
 /**
 * @brief Get security key PIN from environment variable
 *
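Review bot: After this hunk tests/torture_sk.h includes only `torture.h`, yet its prototypes use `bool` and the tagged types `struct sk_enroll_response`, `struct sk_sign_response` and `struct sk_resident_key`, so the header is correct only if `torture.h` or the including file already provides them. A struct tag first seen inside a prototype has prototype scope, which usually shows up as a "declared inside parameter list" warning and incompatible-pointer diagnostics at call sites. Adding `#include "libssh/sk_api.h"` (where these structs are presumably declared) and keeping a direct include for `bool` would make the header self-contained regardless of include order.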