// Copyright 2020 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License"); you may not
// use this file except in compliance with the License. You may obtain a copy of
// the License at
//
//     https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
// WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
// License for the specific language governing permissions and limitations under
// the License.
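
#ifndef DICE_TEST_UTILS_H_
#define DICE_TEST_UTILS_H_

#include <stddef.h>
#include <stdint.h>

#include "dice/dice.h"

namespace dice {
namespace test {

// Capacity, in bytes, of the certificate buffers used by these test helpers
// (see DiceStateForTest::certificate and CreateFakeUdsCertificate).
constexpr size_t kTestCertSize = 2048;

// Certificate encodings the test helpers can be asked to produce or verify.
enum CertificateType {
  CertificateType_X509,
  CertificateType_Cbor,
};

// Key types the test helpers can be asked to use.
enum KeyType {
  KeyType_Ed25519,
  KeyType_P256,
  KeyType_P256_COMPRESSED,
  KeyType_P384,
};

// One link of DICE state as used by the tests: the two CDI values plus the
// certificate that goes with them.
struct DiceStateForTest {
  uint8_t cdi_attest[DICE_CDI_SIZE];
  uint8_t cdi_seal[DICE_CDI_SIZE];
  // Fixed-capacity buffer; presumably only the first |certificate_size| bytes
  // are meaningful -- confirm against the code that fills it.
  uint8_t certificate[kTestCertSize];
  size_t certificate_size;
};

// Dumps |state| to a set of files in the current directory with the given
// |suffix|.
//
// NOTE(review): |state| carries CDI values. If the dump includes them, the
// resulting files hold secret-equivalent material, so this should only be fed
// state derived from fake test inputs -- confirm what the implementation
// writes.
void DumpState(CertificateType cert_type, KeyType key_type, const char* suffix,
               const DiceStateForTest& state);

// Deterministically derives |length| bytes from |seed|.
//
// The result is fully determined by |seed|, so it is only suitable as a
// reproducible test input, never as a secret. |output| presumably must point
// to at least |length| writable bytes; no buffer size is passed, so nothing at
// this interface can check that.
void DeriveFakeInputValue(const char* seed, size_t length, uint8_t* output);

// Generates a self-signed UDS certificate for the given |uds| value and stores
// its size in |certificate_size|.
//
// NOTE(review): this comment previously said the certificate is X.509 and the
// signature scheme is ED25519-SHA512, but the signature takes |cert_type| and
// |key_type|; presumably those now select the encoding and the signing key
// type -- confirm against the implementation.
//
// The array bounds on |uds| and |certificate| are documentation only: array
// parameters decay to pointers, so the compiler does not enforce that callers
// pass 32 and kTestCertSize bytes respectively.
void CreateFakeUdsCertificate(void* context, const uint8_t uds[32],
                              CertificateType cert_type, KeyType key_type,
                              uint8_t certificate[kTestCertSize],
                              size_t* certificate_size);

// Verifies that a single CDI certificate is properly signed with the given key
// and contains the expected payload.
bool VerifyCoseSign1(const uint8_t* certificate, size_t certificate_size,
                     const uint8_t* external_aad, size_t external_aad_size,
                     const uint8_t* encoded_public_key,
                     size_t encoded_public_key_size,
                     const uint8_t* expected_payload,
                     size_t expected_payload_size);

// Verifies a chain of CDI certificates given by |states| against
// |root_certificate|. If |is_partial_chain| is set, then |root_certificate|
// does not need to be self-signed.
//
// For X.509 certificate chains, only the standard certificate fields and
// extensions are checked; other custom extensions are ignored even if marked
// critical. For this reason, additional tests are needed to fully verify a
// certificate chain: this helper is only useful for checking that a chain is
// correctly constructed in terms of standard fields. Similarly, for CBOR
// certificate chains the chaining construction is verified but the content of
// other fields is ignored.
bool VerifyCertificateChain(CertificateType cert_type,
                            const uint8_t* root_certificate,
                            size_t root_certificate_size,
                            const DiceStateForTest states[],
                            size_t num_dice_states, bool is_partial_chain);

}  // namespace test
}  // namespace dice

#endif  // DICE_TEST_UTILS_H_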