1*60b67249SAndroid Build Coastguard Worker // Copyright 2020 Google LLC
2*60b67249SAndroid Build Coastguard Worker //
3*60b67249SAndroid Build Coastguard Worker // Licensed under the Apache License, Version 2.0 (the "License"); you may not
4*60b67249SAndroid Build Coastguard Worker // use this file except in compliance with the License. You may obtain a copy of
5*60b67249SAndroid Build Coastguard Worker // the License at
6*60b67249SAndroid Build Coastguard Worker //
7*60b67249SAndroid Build Coastguard Worker // https://www.apache.org/licenses/LICENSE-2.0
8*60b67249SAndroid Build Coastguard Worker //
9*60b67249SAndroid Build Coastguard Worker // Unless required by applicable law or agreed to in writing, software
10*60b67249SAndroid Build Coastguard Worker // distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
11*60b67249SAndroid Build Coastguard Worker // WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
12*60b67249SAndroid Build Coastguard Worker // License for the specific language governing permissions and limitations under
13*60b67249SAndroid Build Coastguard Worker // the License.
14*60b67249SAndroid Build Coastguard Worker
15*60b67249SAndroid Build Coastguard Worker #include <stddef.h>
16*60b67249SAndroid Build Coastguard Worker #include <stdint.h>
17*60b67249SAndroid Build Coastguard Worker #include <stdio.h>
18*60b67249SAndroid Build Coastguard Worker
19*60b67249SAndroid Build Coastguard Worker #include <memory>
20*60b67249SAndroid Build Coastguard Worker
21*60b67249SAndroid Build Coastguard Worker #include "dice/dice.h"
22*60b67249SAndroid Build Coastguard Worker #include "dice/known_test_values.h"
23*60b67249SAndroid Build Coastguard Worker #include "dice/test_framework.h"
24*60b67249SAndroid Build Coastguard Worker #include "dice/test_utils.h"
25*60b67249SAndroid Build Coastguard Worker #include "dice/utils.h"
26*60b67249SAndroid Build Coastguard Worker #include "pw_string/format.h"
27*60b67249SAndroid Build Coastguard Worker
28*60b67249SAndroid Build Coastguard Worker namespace {
29*60b67249SAndroid Build Coastguard Worker
30*60b67249SAndroid Build Coastguard Worker using dice::test::CertificateType_X509;
31*60b67249SAndroid Build Coastguard Worker using dice::test::DeriveFakeInputValue;
32*60b67249SAndroid Build Coastguard Worker using dice::test::DiceStateForTest;
33*60b67249SAndroid Build Coastguard Worker using dice::test::DumpState;
34*60b67249SAndroid Build Coastguard Worker using dice::test::KeyType_P256_COMPRESSED;
35*60b67249SAndroid Build Coastguard Worker
// Known-answer test for the all-zero case: one DiceMainFlow step is run with
// zeroed current CDIs (Compound Device Identifiers) and zeroed input values,
// and the outputs are compared byte-for-byte against recorded vectors.
TEST(DiceOpsTest, KnownAnswerZeroInput) {
  DiceInputValues inputs = {};
  DiceStateForTest parent = {};
  DiceStateForTest child = {};

  const DiceResult status = DiceMainFlow(
      /*context=*/nullptr, parent.cdi_attest, parent.cdi_seal, &inputs,
      sizeof(child.certificate), child.certificate, &child.certificate_size,
      child.cdi_attest, child.cdi_seal);
  EXPECT_EQ(kDiceResultOk, status);

  // NOTE(review): DumpState presumably writes the state out under the
  // "zero_input" label for inspection; its behaviour is not visible here.
  DumpState(CertificateType_X509, KeyType_P256_COMPRESSED, "zero_input", child);

  // The attestation CDI, the sealing CDI and the certificate are all expected
  // to be deterministic, so any drift from the recorded vectors fails the test.
  EXPECT_EQ(0, memcmp(child.cdi_attest,
                      dice::test::kExpectedCdiAttest_ZeroInput, DICE_CDI_SIZE));
  EXPECT_EQ(0, memcmp(child.cdi_seal, dice::test::kExpectedCdiSeal_ZeroInput,
                      DICE_CDI_SIZE));

  // Fatal length check first: the memcmp below reads certificate_size bytes
  // from the expected array, so the two lengths must already agree.
  ASSERT_EQ(sizeof(dice::test::kExpectedX509P256Cert_ZeroInput),
            child.certificate_size);
  EXPECT_EQ(0, memcmp(dice::test::kExpectedX509P256Cert_ZeroInput,
                      child.certificate, child.certificate_size));
}
57*60b67249SAndroid Build Coastguard Worker
// Known-answer test with non-zero current CDIs, code hash, authority hash and
// an inline configuration value; no descriptors are supplied. The outputs of
// one DiceMainFlow step must match the recorded vectors byte-for-byte.
TEST(DiceOpsTest, KnownAnswerHashOnlyInput) {
  DiceStateForTest parent = {};
  DiceStateForTest child = {};
  DiceInputValues inputs = {};

  // Fake values are derived from fixed seed strings. The calls are kept in the
  // original order in case DeriveFakeInputValue is order-sensitive.
  DeriveFakeInputValue("cdi_attest", DICE_CDI_SIZE, parent.cdi_attest);
  DeriveFakeInputValue("cdi_seal", DICE_CDI_SIZE, parent.cdi_seal);
  DeriveFakeInputValue("code_hash", DICE_HASH_SIZE, inputs.code_hash);
  DeriveFakeInputValue("authority_hash", DICE_HASH_SIZE,
                       inputs.authority_hash);
  DeriveFakeInputValue("inline_config", DICE_INLINE_CONFIG_SIZE,
                       inputs.config_value);
  inputs.config_type = kDiceConfigTypeInline;

  const DiceResult status = DiceMainFlow(
      /*context=*/nullptr, parent.cdi_attest, parent.cdi_seal, &inputs,
      sizeof(child.certificate), child.certificate, &child.certificate_size,
      child.cdi_attest, child.cdi_seal);
  EXPECT_EQ(kDiceResultOk, status);
  DumpState(CertificateType_X509, KeyType_P256_COMPRESSED, "hash_only_input",
            child);

  // Both CDI values and the certificate are expected to be deterministic.
  EXPECT_EQ(0,
            memcmp(child.cdi_attest,
                   dice::test::kExpectedCdiAttest_HashOnlyInput, DICE_CDI_SIZE));
  EXPECT_EQ(0, memcmp(child.cdi_seal,
                      dice::test::kExpectedCdiSeal_HashOnlyInput,
                      DICE_CDI_SIZE));

  // Fatal length check first: the memcmp below reads certificate_size bytes
  // from the expected array, so the two lengths must already agree.
  ASSERT_EQ(sizeof(dice::test::kExpectedX509P256Cert_HashOnlyInput),
            child.certificate_size);
  EXPECT_EQ(0, memcmp(dice::test::kExpectedX509P256Cert_HashOnlyInput,
                      child.certificate, child.certificate_size));
}
90*60b67249SAndroid Build Coastguard Worker
// Known-answer test in which the code, configuration and authority inputs all
// carry variable-length descriptors and the configuration is supplied as a
// descriptor rather than inline. The outputs of one DiceMainFlow step must
// match the recorded vectors byte-for-byte.
TEST(DiceOpsTest, KnownAnswerDescriptorInput) {
  DiceStateForTest parent = {};
  DiceStateForTest child = {};
  DiceInputValues inputs = {};

  // Descriptor buffers; the three lengths are deliberately different.
  uint8_t code_desc_buf[100];
  uint8_t config_desc_buf[40];
  uint8_t authority_desc_buf[65];

  // Fake values are derived from fixed seed strings. The calls are kept in the
  // original order in case DeriveFakeInputValue is order-sensitive.
  DeriveFakeInputValue("cdi_attest", DICE_CDI_SIZE, parent.cdi_attest);
  DeriveFakeInputValue("cdi_seal", DICE_CDI_SIZE, parent.cdi_seal);
  DeriveFakeInputValue("code_hash", DICE_HASH_SIZE, inputs.code_hash);
  DeriveFakeInputValue("code_desc", sizeof(code_desc_buf), code_desc_buf);
  DeriveFakeInputValue("config_desc", sizeof(config_desc_buf),
                       config_desc_buf);
  DeriveFakeInputValue("authority_hash", DICE_HASH_SIZE,
                       inputs.authority_hash);
  DeriveFakeInputValue("authority_desc", sizeof(authority_desc_buf),
                       authority_desc_buf);

  // Each descriptor pointer is paired with the sizeof of the array it points
  // at, so the advertised length can never exceed the backing storage.
  inputs.code_descriptor = code_desc_buf;
  inputs.code_descriptor_size = sizeof(code_desc_buf);
  inputs.config_type = kDiceConfigTypeDescriptor;
  inputs.config_descriptor = config_desc_buf;
  inputs.config_descriptor_size = sizeof(config_desc_buf);
  inputs.authority_descriptor = authority_desc_buf;
  inputs.authority_descriptor_size = sizeof(authority_desc_buf);

  const DiceResult status = DiceMainFlow(
      /*context=*/nullptr, parent.cdi_attest, parent.cdi_seal, &inputs,
      sizeof(child.certificate), child.certificate, &child.certificate_size,
      child.cdi_attest, child.cdi_seal);
  EXPECT_EQ(kDiceResultOk, status);
  DumpState(CertificateType_X509, KeyType_P256_COMPRESSED, "descriptor_input",
            child);

  // Both CDI values and the certificate are expected to be deterministic.
  EXPECT_EQ(0, memcmp(child.cdi_attest,
                      dice::test::kExpectedCdiAttest_DescriptorInput,
                      DICE_CDI_SIZE));
  EXPECT_EQ(0, memcmp(child.cdi_seal,
                      dice::test::kExpectedCdiSeal_DescriptorInput,
                      DICE_CDI_SIZE));

  // Fatal length check first: the memcmp below reads certificate_size bytes
  // from the expected array, so the two lengths must already agree.
  ASSERT_EQ(sizeof(dice::test::kExpectedX509P256Cert_DescriptorInput),
            child.certificate_size);
  EXPECT_EQ(0, memcmp(dice::test::kExpectedX509P256Cert_DescriptorInput,
                      child.certificate, child.certificate_size));
}
139*60b67249SAndroid Build Coastguard Worker
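// Checks that a non-default mode in the input values is reflected in the
// certificate produced by DiceMainFlow: the byte at a fixed offset must equal
// kDiceModeDebug.
TEST(DiceOpsTest, NonZeroMode) {
  // Fixed byte offset into the encoded certificate at which this test expects
  // the mode value.
  // NOTE(review): the offset is tied to the certificate layout; confirm it
  // whenever the certificate encoding changes.
  constexpr size_t kModeOffsetInCert = 0x26a;
  DiceStateForTest current_state = {};
  DiceStateForTest next_state = {};
  DiceInputValues input_values = {};
  input_values.mode = kDiceModeDebug;
  DiceResult result = DiceMainFlow(
      /*context=*/NULL, current_state.cdi_attest, current_state.cdi_seal,
      &input_values, sizeof(next_state.certificate), next_state.certificate,
      &next_state.certificate_size, next_state.cdi_attest, next_state.cdi_seal);
  // Fatal on failure: without a generated certificate the byte inspected
  // below carries no meaning.
  ASSERT_EQ(kDiceResultOk, result);
  // Bounds-check the hard-coded offset against the length DiceMainFlow
  // reported, so the test never indexes past the generated certificate.
  ASSERT_LT(kModeOffsetInCert, next_state.certificate_size);
  EXPECT_EQ(kDiceModeDebug, next_state.certificate[kModeOffsetInCert]);
}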
153*60b67249SAndroid Build Coastguard Worker
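// Checks that an oversized code descriptor is rejected with
// kDiceResultBufferTooSmall instead of being accepted.
// NOTE(review): presumably the descriptor is embedded in the certificate and
// cannot fit the test's certificate buffer; confirm against DiceMainFlow.
TEST(DiceOpsTest, LargeInputs) {
  // Static storage: a plain constexpr local has automatic storage duration,
  // so a 1 MiB array could otherwise be materialised on the test's stack.
  static constexpr uint8_t kBigBuffer[1024 * 1024] = {};
  DiceStateForTest current_state = {};
  DiceStateForTest next_state = {};
  DiceInputValues input_values = {};
  input_values.code_descriptor = kBigBuffer;
  input_values.code_descriptor_size = sizeof(kBigBuffer);
  DiceResult result = DiceMainFlow(
      /*context=*/NULL, current_state.cdi_attest, current_state.cdi_seal,
      &input_values, sizeof(next_state.certificate), next_state.certificate,
      &next_state.certificate_size, next_state.cdi_attest, next_state.cdi_seal);
  // The failure must surface as an error code the caller can act on.
  EXPECT_EQ(kDiceResultBufferTooSmall, result);
}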
167*60b67249SAndroid Build Coastguard Worker
// Checks that DiceMainFlow rejects a configuration type it does not recognise
// with kDiceResultInvalidInput.
TEST(DiceOpsTest, InvalidConfigType) {
  DiceInputValues inputs = {};
  DiceStateForTest parent = {};
  DiceStateForTest child = {};

  // 55 is neither kDiceConfigTypeInline nor kDiceConfigTypeDescriptor, the two
  // config types used elsewhere in this file.
  inputs.config_type = static_cast<DiceConfigType>(55);

  const DiceResult status = DiceMainFlow(
      /*context=*/nullptr, parent.cdi_attest, parent.cdi_seal, &inputs,
      sizeof(child.certificate), child.certificate, &child.certificate_size,
      child.cdi_attest, child.cdi_seal);
  EXPECT_EQ(kDiceResultInvalidInput, status);
}
179*60b67249SAndroid Build Coastguard Worker
// Derives kNumLayers successive DICE layers, each one fed the CDIs produced by
// the previous layer, then verifies the resulting certificates as a partial
// chain anchored at the first derived certificate instead of a self-signed
// root.
TEST(DiceOpsTest, PartialCertChain) {
  constexpr size_t kNumLayers = 7;
  // states[0] is the zero-initialised starting state; states[n + 1] receives
  // the output of layer n.
  DiceStateForTest states[kNumLayers + 1] = {};
  DiceInputValues inputs[kNumLayers] = {};

  for (size_t layer = 0; layer < kNumLayers; ++layer) {
    DiceInputValues& in = inputs[layer];
    DiceStateForTest& parent = states[layer];
    DiceStateForTest& child = states[layer + 1];

    // Per-layer seed strings give every layer distinct fake measurements. The
    // 40-byte buffer is reused for each seed; Format's result is not checked.
    char label[40];
    pw::string::Format(label, "code_hash_%zu", layer);
    DeriveFakeInputValue(label, DICE_HASH_SIZE, in.code_hash);
    pw::string::Format(label, "authority_hash_%zu", layer);
    DeriveFakeInputValue(label, DICE_HASH_SIZE, in.authority_hash);
    in.config_type = kDiceConfigTypeInline;
    pw::string::Format(label, "inline_config_%zu", layer);
    DeriveFakeInputValue(label, DICE_INLINE_CONFIG_SIZE, in.config_value);
    in.mode = kDiceModeNormal;

    EXPECT_EQ(kDiceResultOk,
              DiceMainFlow(/*context=*/nullptr, parent.cdi_attest,
                           parent.cdi_seal, &in, sizeof(child.certificate),
                           child.certificate, &child.certificate_size,
                           child.cdi_attest, child.cdi_seal));

    char dump_name[40];
    pw::string::Format(dump_name, "part_cert_chain_%zu", layer);
    DumpState(CertificateType_X509, KeyType_P256_COMPRESSED, dump_name, child);
  }

  // The first derived CDI certificate acts as the 'root' of the partial chain,
  // so the chain handed to the verifier starts at states[2] and is one layer
  // shorter than the number of layers derived.
  DiceStateForTest& anchor = states[1];
  EXPECT_TRUE(dice::test::VerifyCertificateChain(
      CertificateType_X509, anchor.certificate, anchor.certificate_size,
      &states[2], kNumLayers - 1, /*is_partial_chain=*/true));
}
210*60b67249SAndroid Build Coastguard Worker
// Derives kNumLayers successive DICE layers, each one fed the CDIs produced by
// the previous layer, then verifies all resulting certificates as a complete
// chain rooted at a fake self-signed UDS certificate.
TEST(DiceOpsTest, FullCertChain) {
  constexpr size_t kNumLayers = 7;
  // states[0] is the zero-initialised starting state; states[n + 1] receives
  // the output of layer n.
  DiceStateForTest states[kNumLayers + 1] = {};
  DiceInputValues inputs[kNumLayers] = {};

  for (size_t layer = 0; layer < kNumLayers; ++layer) {
    DiceInputValues& in = inputs[layer];
    DiceStateForTest& parent = states[layer];
    DiceStateForTest& child = states[layer + 1];

    // Per-layer seed strings give every layer distinct fake measurements. The
    // 40-byte buffer is reused for each seed; Format's result is not checked.
    char label[40];
    pw::string::Format(label, "code_hash_%zu", layer);
    DeriveFakeInputValue(label, DICE_HASH_SIZE, in.code_hash);
    pw::string::Format(label, "authority_hash_%zu", layer);
    DeriveFakeInputValue(label, DICE_HASH_SIZE, in.authority_hash);
    in.config_type = kDiceConfigTypeInline;
    pw::string::Format(label, "inline_config_%zu", layer);
    DeriveFakeInputValue(label, DICE_INLINE_CONFIG_SIZE, in.config_value);
    in.mode = kDiceModeNormal;

    EXPECT_EQ(kDiceResultOk,
              DiceMainFlow(/*context=*/nullptr, parent.cdi_attest,
                           parent.cdi_seal, &in, sizeof(child.certificate),
                           child.certificate, &child.certificate_size,
                           child.cdi_attest, child.cdi_seal));

    char dump_name[40];
    pw::string::Format(dump_name, "full_cert_chain_%zu", layer);
    DumpState(CertificateType_X509, KeyType_P256_COMPRESSED, dump_name, child);
  }

  // A fake self-signed UDS certificate serves as the 'root'. It is created
  // from states[0].cdi_attest, the same value the first layer was derived
  // from, so the chain verified below starts at states[1].
  uint8_t root_cert[dice::test::kTestCertSize];
  size_t root_cert_len = 0;
  dice::test::CreateFakeUdsCertificate(
      /*context=*/nullptr, states[0].cdi_attest,
      dice::test::CertificateType_X509, dice::test::KeyType_P256_COMPRESSED,
      root_cert, &root_cert_len);

  EXPECT_TRUE(dice::test::VerifyCertificateChain(
      CertificateType_X509, root_cert, root_cert_len, &states[1], kNumLayers,
      /*is_partial_chain=*/false));
}
248*60b67249SAndroid Build Coastguard Worker } // namespace