1 // Copyright 2020 Google LLC 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); you may not 4 // use this file except in compliance with the License. You may obtain a copy of 5 // the License at 6 // 7 // https://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 11 // WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the 12 // License for the specific language governing permissions and limitations under 13 // the License. 14 15 #include <stddef.h> 16 #include <stdint.h> 17 18 #include "dice/dice.h" 19 20 namespace dice { 21 namespace test { 22 23 constexpr size_t kTestCertSize = 2048; 24 25 enum CertificateType { 26 CertificateType_X509, 27 CertificateType_Cbor, 28 }; 29 30 enum KeyType { 31 KeyType_Ed25519, 32 KeyType_P256, 33 KeyType_P384, 34 }; 35 36 struct DiceStateForTest { 37 uint8_t cdi_attest[DICE_CDI_SIZE]; 38 uint8_t cdi_seal[DICE_CDI_SIZE]; 39 uint8_t certificate[kTestCertSize]; 40 size_t certificate_size; 41 }; 42 43 // Dumps |state| to a set of files in the current directory with the given 44 // |suffix|. 45 void DumpState(CertificateType cert_type, KeyType key_type, const char* suffix, 46 const DiceStateForTest& state); 47 48 // Deterministically derives |length| bytes from |seed|. 49 void DeriveFakeInputValue(const char* seed, size_t length, uint8_t* output); 50 51 // Generates a self-signed X.509 UDS certificate for the given |uds| value. The 52 // signature scheme is ED25519-SHA512. 53 void CreateFakeUdsCertificate(void* context, const uint8_t uds[32], 54 CertificateType cert_type, KeyType key_type, 55 uint8_t certificate[kTestCertSize], 56 size_t* certificate_size); 57 58 // Verifies a chain of CDI certificates given by |states| against 59 // |root_certificate|. If |is_partial_chain| is set, then root_certificate does 60 // not need to be self signed. For X.509 certificate chains, only the standard 61 // certificate fields and extensions are checked, other custom extensions are 62 // ignored even if marked critical. For this reason, additional tests are needed 63 // to fully verify a certificate chain, this is just useful for checking that a 64 // chain is correctly constructed in terms of standard fields. Similarly for 65 // CBOR certificate chains the chaining construction is verified but the content 66 // of other fields is ignored. 67 bool VerifyCertificateChain(CertificateType cert_type, 68 const uint8_t* root_certificate, 69 size_t root_certificate_size, 70 const DiceStateForTest states[], 71 size_t num_dice_states, bool is_partial_chain); 72 73 } // namespace test 74 } // namespace dice 75