Make DICE_ID_SIZE a constant.
This patch introduces DICE_ID_SIZE replacing literal 20 as id size.
Test: N/A
Change-Id: I2b1ccfb1f6925360378493f689baf41a364ef800
Reviewed-on: https://pigweed-review.googlesource.com/c/open-dice/+/65580
Reviewed-by: Andrew Scull <ascull@google.com>
Reviewed-by: Darren Krahn <dkrahn@google.com>
Pigweed-Auto-Submit: Janis Danisevskis <jdanis@google.com>
Commit-Queue: Janis Danisevskis <jdanis@google.com>
diff --git a/include/dice/dice.h b/include/dice/dice.h
index 9731247..2e83424 100644
--- a/include/dice/dice.h
+++ b/include/dice/dice.h
@@ -27,6 +27,7 @@
#define DICE_HIDDEN_SIZE 64
#define DICE_INLINE_CONFIG_SIZE 64
#define DICE_PRIVATE_KEY_SEED_SIZE 32
+#define DICE_ID_SIZE 20
typedef enum {
kDiceResultOk,
@@ -108,7 +109,7 @@
DiceResult DiceDeriveCdiCertificateId(void* context,
const uint8_t* cdi_public_key,
size_t cdi_public_key_size,
- uint8_t id[20]);
+ uint8_t id[DICE_ID_SIZE]);
// Executes the main DICE flow.
//
diff --git a/src/boringssl_cert_op.c b/src/boringssl_cert_op.c
index c4cd73a..8ff0503 100644
--- a/src/boringssl_cert_op.c
+++ b/src/boringssl_cert_op.c
@@ -54,8 +54,8 @@
DECLARE_ASN1_FUNCTIONS(DiceExtensionAsn1)
IMPLEMENT_ASN1_FUNCTIONS(DiceExtensionAsn1)
-static DiceResult AddStandardFields(X509* x509, const uint8_t subject_id[20],
- const uint8_t authority_id[20]) {
+static DiceResult AddStandardFields(X509* x509, const uint8_t subject_id[DICE_ID_SIZE],
+ const uint8_t authority_id[DICE_ID_SIZE]) {
// clang-format on
DiceResult result = kDiceResultOk;
@@ -98,7 +98,7 @@
goto out;
}
- serial_bn = BN_bin2bn(subject_id, 20, NULL);
+ serial_bn = BN_bin2bn(subject_id, DICE_ID_SIZE, NULL);
if (!serial_bn) {
result = kDiceResultPlatformError;
goto out;
@@ -110,7 +110,7 @@
}
uint8_t id_hex[40];
- DiceHexEncode(authority_id, 20, id_hex, sizeof(id_hex));
+ DiceHexEncode(authority_id, DICE_ID_SIZE, id_hex, sizeof(id_hex));
if (!X509_NAME_add_entry_by_NID(issuer_name, NID_serialNumber, MBSTRING_UTF8,
id_hex, sizeof(id_hex), 0, 0)) {
result = kDiceResultPlatformError;
@@ -121,7 +121,7 @@
goto out;
}
- DiceHexEncode(subject_id, 20, id_hex, sizeof(id_hex));
+ DiceHexEncode(subject_id, DICE_ID_SIZE, id_hex, sizeof(id_hex));
if (!X509_NAME_add_entry_by_NID(subject_name, NID_serialNumber, MBSTRING_UTF8,
id_hex, sizeof(id_hex), 0, 0)) {
result = kDiceResultPlatformError;
@@ -174,9 +174,9 @@
return result;
}
-static DiceResult AddStandardExtensions(X509* x509,
- const uint8_t subject_id[20],
- const uint8_t authority_id[20]) {
+static DiceResult AddStandardExtensions(
+ X509* x509, const uint8_t subject_id[DICE_ID_SIZE],
+ const uint8_t authority_id[DICE_ID_SIZE]) {
DiceResult result = kDiceResultOk;
// Initialize variables that are cleaned up on 'goto out'.
@@ -201,7 +201,8 @@
result = kDiceResultPlatformError;
goto out;
}
- if (!ASN1_OCTET_STRING_set(authority_key_id->keyid, authority_id, 20)) {
+ if (!ASN1_OCTET_STRING_set(authority_key_id->keyid, authority_id,
+ DICE_ID_SIZE)) {
result = kDiceResultPlatformError;
goto out;
}
@@ -213,7 +214,7 @@
result = kDiceResultPlatformError;
goto out;
}
- if (!ASN1_OCTET_STRING_set(subject_key_id, subject_id, 20)) {
+ if (!ASN1_OCTET_STRING_set(subject_key_id, subject_id, DICE_ID_SIZE)) {
result = kDiceResultPlatformError;
goto out;
}
@@ -497,7 +498,7 @@
}
static DiceResult GetIdFromKey(void* context, const EVP_PKEY* key,
- uint8_t id[20]) {
+ uint8_t id[DICE_ID_SIZE]) {
uint8_t raw_public_key[32];
size_t raw_public_key_size = sizeof(raw_public_key);
if (!EVP_PKEY_get_raw_public_key(key, raw_public_key, &raw_public_key_size)) {
@@ -544,12 +545,12 @@
goto out;
}
- uint8_t authority_id[20];
+ uint8_t authority_id[DICE_ID_SIZE];
result = GetIdFromKey(context, authority_key, authority_id);
if (result != kDiceResultOk) {
goto out;
}
- uint8_t subject_id[20];
+ uint8_t subject_id[DICE_ID_SIZE];
result = GetIdFromKey(context, subject_key, subject_id);
if (result != kDiceResultOk) {
goto out;
diff --git a/src/cbor_cert_op.c b/src/cbor_cert_op.c
index 3e9ebeb..915d443 100644
--- a/src/cbor_cert_op.c
+++ b/src/cbor_cert_op.c
@@ -325,7 +325,7 @@
goto out;
}
- uint8_t subject_id[20];
+ uint8_t subject_id[DICE_ID_SIZE];
result = DiceDeriveCdiCertificateId(context, subject_public_key,
DICE_PUBLIC_KEY_SIZE, subject_id);
if (result != kDiceResultOk) {
@@ -343,7 +343,7 @@
goto out;
}
- uint8_t authority_id[20];
+ uint8_t authority_id[DICE_ID_SIZE];
result = DiceDeriveCdiCertificateId(context, authority_public_key,
DICE_PUBLIC_KEY_SIZE, authority_id);
if (result != kDiceResultOk) {
diff --git a/src/dice.c b/src/dice.c
index 8edc02b..df1dee3 100644
--- a/src/dice.c
+++ b/src/dice.c
@@ -49,7 +49,7 @@
DiceResult DiceDeriveCdiCertificateId(void* context,
const uint8_t* cdi_public_key,
size_t cdi_public_key_size,
- uint8_t id[20]) {
+ uint8_t id[DICE_ID_SIZE]) {
// Use the public key as input key material, with fixed salt and info.
DiceResult result =
DiceKdf(context, /*length=*/20, cdi_public_key, cdi_public_key_size,
diff --git a/src/mbedtls_ops.c b/src/mbedtls_ops.c
index de928d7..7190d0e 100644
--- a/src/mbedtls_ops.c
+++ b/src/mbedtls_ops.c
@@ -72,7 +72,7 @@
static DiceResult GetIdFromKey(void* context,
const mbedtls_pk_context* pk_context,
- uint8_t id[20]) {
+ uint8_t id[DICE_ID_SIZE]) {
uint8_t raw_public_key[33];
size_t raw_public_key_size = 0;
mbedtls_ecp_keypair* key = mbedtls_pk_ec(*pk_context);
@@ -87,17 +87,19 @@
}
// 54 byte name is prefix (13), hex id (40), and a null terminator.
-static void GetNameFromId(const uint8_t id[20], char name[54]) {
+static void GetNameFromId(const uint8_t id[DICE_ID_SIZE], char name[54]) {
strcpy(name, "serialNumber=");
- DiceHexEncode(id, /*num_bytes=*/20, (uint8_t*)&name[13], /*out_size=*/40);
+ DiceHexEncode(id, /*num_bytes=*/DICE_ID_SIZE, (uint8_t*)&name[13],
+ /*out_size=*/40);
name[53] = '\0';
}
-static DiceResult GetSubjectKeyIdFromId(const uint8_t id[20],
+static DiceResult GetSubjectKeyIdFromId(const uint8_t id[DICE_ID_SIZE],
size_t buffer_size, uint8_t* buffer,
size_t* actual_size) {
uint8_t* pos = buffer + buffer_size;
- int length_or_error = mbedtls_asn1_write_octet_string(&pos, buffer, id, 20);
+ int length_or_error =
+ mbedtls_asn1_write_octet_string(&pos, buffer, id, DICE_ID_SIZE);
if (length_or_error < 0) {
return kDiceResultPlatformError;
}
@@ -126,11 +128,12 @@
return length;
}
-static DiceResult GetAuthorityKeyIdFromId(const uint8_t id[20],
+static DiceResult GetAuthorityKeyIdFromId(const uint8_t id[DICE_ID_SIZE],
size_t buffer_size, uint8_t* buffer,
size_t* actual_size) {
uint8_t* pos = buffer + buffer_size;
- int length_or_error = mbedtls_asn1_write_raw_buffer(&pos, buffer, id, 20);
+ int length_or_error =
+ mbedtls_asn1_write_raw_buffer(&pos, buffer, id, DICE_ID_SIZE);
if (length_or_error < 0) {
return kDiceResultPlatformError;
}
@@ -330,7 +333,7 @@
goto out;
}
- uint8_t authority_id[20];
+ uint8_t authority_id[DICE_ID_SIZE];
result = GetIdFromKey(context, &authority_key_context, authority_id);
if (result != kDiceResultOk) {
goto out;
@@ -350,7 +353,7 @@
goto out;
}
- uint8_t subject_id[20];
+ uint8_t subject_id[DICE_ID_SIZE];
result = GetIdFromKey(context, &subject_key_context, subject_id);
if (result != kDiceResultOk) {
goto out;
diff --git a/src/template_cbor_cert_op.c b/src/template_cbor_cert_op.c
index 52eb131..c2f6f42 100644
--- a/src/template_cbor_cert_op.c
+++ b/src/template_cbor_cert_op.c
@@ -191,7 +191,7 @@
goto out;
}
- uint8_t subject_id[20];
+ uint8_t subject_id[DICE_ID_SIZE];
result = DiceDeriveCdiCertificateId(context, subject_public_key,
DICE_PUBLIC_KEY_SIZE, subject_id);
if (result != kDiceResultOk) {
@@ -208,7 +208,7 @@
goto out;
}
- uint8_t authority_id[20];
+ uint8_t authority_id[DICE_ID_SIZE];
result = DiceDeriveCdiCertificateId(context, authority_public_key,
DICE_PUBLIC_KEY_SIZE, authority_id);
if (result != kDiceResultOk) {
diff --git a/src/template_cert_op.c b/src/template_cert_op.c
index 23929ea..0df423a 100644
--- a/src/template_cert_op.c
+++ b/src/template_cert_op.c
@@ -195,7 +195,7 @@
ED25519_keypair_from_seed(subject_public_key, subject_bssl_private_key,
subject_private_key_seed);
- uint8_t subject_id[20];
+ uint8_t subject_id[DICE_ID_SIZE];
result =
DiceDeriveCdiCertificateId(context, subject_public_key, 32, subject_id);
if (result != kDiceResultOk) {
@@ -209,7 +209,7 @@
ED25519_keypair_from_seed(authority_public_key, authority_bssl_private_key,
authority_private_key_seed);
- uint8_t authority_id[20];
+ uint8_t authority_id[DICE_ID_SIZE];
result = DiceDeriveCdiCertificateId(context, authority_public_key, 32,
authority_id);
if (result != kDiceResultOk) {
diff --git a/src/test_utils.cc b/src/test_utils.cc
index 48949d1..e5dbd6f 100644
--- a/src/test_utils.cc
+++ b/src/test_utils.cc
@@ -202,7 +202,7 @@
return nullptr;
}
-void CreateX509UdsCertificate(EVP_PKEY* key, const uint8_t id[20],
+void CreateX509UdsCertificate(EVP_PKEY* key, const uint8_t id[DICE_ID_SIZE],
uint8_t certificate[dice::test::kTestCertSize],
size_t* certificate_size) {
bssl::UniquePtr<X509> x509(X509_new());
@@ -213,7 +213,7 @@
X509_set_serialNumber(x509.get(), serial.get());
uint8_t id_hex[40];
- DiceHexEncode(id, 20, id_hex, sizeof(id_hex));
+ DiceHexEncode(id, DICE_ID_SIZE, id_hex, sizeof(id_hex));
bssl::UniquePtr<X509_NAME> issuer_name(X509_NAME_new());
X509_NAME_add_entry_by_NID(issuer_name.get(), NID_serialNumber, MBSTRING_UTF8,
id_hex, sizeof(id_hex), 0, 0);
@@ -228,7 +228,7 @@
X509_set_notAfter(x509.get(), not_after.get());
bssl::UniquePtr<ASN1_OCTET_STRING> subject_key_id(ASN1_OCTET_STRING_new());
- ASN1_OCTET_STRING_set(subject_key_id.get(), id, 20);
+ ASN1_OCTET_STRING_set(subject_key_id.get(), id, DICE_ID_SIZE);
bssl::UniquePtr<X509_EXTENSION> subject_key_id_ext(X509V3_EXT_i2d(
NID_subject_key_identifier, /*crit=*/0, subject_key_id.get()));
X509_add_ext(x509.get(), subject_key_id_ext.get(), /*loc=*/-1);
@@ -299,8 +299,8 @@
void CreateCborUdsCertificate(
const uint8_t private_key_seed[DICE_PRIVATE_KEY_SEED_SIZE],
- const uint8_t id[20], uint8_t certificate[dice::test::kTestCertSize],
- size_t* certificate_size) {
+ const uint8_t id[DICE_ID_SIZE],
+ uint8_t certificate[dice::test::kTestCertSize], size_t* certificate_size) {
const uint8_t kProtectedAttributesCbor[3] = {
0xa1 /* map(1) */, 0x01 /* alg(1) */, 0x27 /* EdDSA(-8) */};
const int64_t kCwtIssuerLabel = 1;
@@ -331,7 +331,7 @@
// Simple CWT payload with issuer, subject, and use the same subject public
// key field as a CDI certificate to make verification easy.
char id_hex[41];
- DiceHexEncode(id, 20, id_hex, sizeof(id_hex));
+ DiceHexEncode(id, DICE_ID_SIZE, id_hex, sizeof(id_hex));
id_hex[40] = '\0';
ScopedCbor cwt(cn_cbor_map_create(&error));
cn_cbor_mapput_int(cwt.get(), kCwtIssuerLabel,
@@ -627,7 +627,7 @@
bssl::UniquePtr<EVP_PKEY> key(
KeyFromRawKey(raw_key, key_type, raw_public_key, &raw_public_key_size));
- uint8_t id[20];
+ uint8_t id[DICE_ID_SIZE];
DiceDeriveCdiCertificateId(context, raw_public_key, raw_public_key_size, id);
if (cert_type == CertificateType_X509) {