1 // Copyright 2020 Google LLC 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); you may not 4 // use this file except in compliance with the License. You may obtain a copy of 5 // the License at 6 // 7 // https://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 11 // WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the 12 // License for the specific language governing permissions and limitations under 13 // the License. 14 15 #ifndef DICE_TEST_UTILS_H_ 16 #define DICE_TEST_UTILS_H_ 17 18 #include <stddef.h> 19 #include <stdint.h> 20 21 #include "dice/dice.h" 22 23 namespace dice { 24 namespace test { 25 26 constexpr size_t kTestCertSize = 2048; 27 28 enum CertificateType { 29 CertificateType_X509, 30 CertificateType_Cbor, 31 }; 32 33 enum KeyType { 34 KeyType_Ed25519, 35 KeyType_P256, 36 KeyType_P384, 37 }; 38 39 struct DiceStateForTest { 40 uint8_t cdi_attest[DICE_CDI_SIZE]; 41 uint8_t cdi_seal[DICE_CDI_SIZE]; 42 uint8_t certificate[kTestCertSize]; 43 size_t certificate_size; 44 }; 45 46 // Dumps |state| to a set of files in the current directory with the given 47 // |suffix|. 48 void DumpState(CertificateType cert_type, KeyType key_type, const char* suffix, 49 const DiceStateForTest& state); 50 51 // Deterministically derives |length| bytes from |seed|. 52 void DeriveFakeInputValue(const char* seed, size_t length, uint8_t* output); 53 54 // Generates a self-signed X.509 UDS certificate for the given |uds| value. The 55 // signature scheme is ED25519-SHA512. 56 void CreateFakeUdsCertificate(void* context, const uint8_t uds[32], 57 CertificateType cert_type, KeyType key_type, 58 uint8_t certificate[kTestCertSize], 59 size_t* certificate_size); 60 61 // Verify that a single CDI certificate is properly signed with the given key 62 // and contains the expected payload. 63 bool VerifyCoseSign1(const uint8_t* certificate, size_t certificate_size, 64 const uint8_t* external_aad, size_t external_aad_size, 65 const uint8_t* encoded_public_key, 66 size_t encoded_public_key_size, 67 const uint8_t* expected_payload, 68 size_t expected_payload_size); 69 70 // Verifies a chain of CDI certificates given by |states| against 71 // |root_certificate|. If |is_partial_chain| is set, then root_certificate does 72 // not need to be self signed. For X.509 certificate chains, only the standard 73 // certificate fields and extensions are checked, other custom extensions are 74 // ignored even if marked critical. For this reason, additional tests are needed 75 // to fully verify a certificate chain, this is just useful for checking that a 76 // chain is correctly constructed in terms of standard fields. Similarly for 77 // CBOR certificate chains the chaining construction is verified but the content 78 // of other fields is ignored. 79 bool VerifyCertificateChain(CertificateType cert_type, 80 const uint8_t* root_certificate, 81 size_t root_certificate_size, 82 const DiceStateForTest states[], 83 size_t num_dice_states, bool is_partial_chain); 84 85 } // namespace test 86 } // namespace dice 87 88 #endif // DICE_TEST_UTILS_ 89