Support switching algorithms in DICE derivation
Add an argument to describe which principal is being referenced for some
functions. This allows e.g. deriving authority and subject keys from the
CDIs based on different derivation methods and different signing
algorithms.
It's assumed that the code is running in the context of the authority
and, as such, the subject's keys are not used. This means that the
principal is not passed to signing and verification functions and the
authority's keys are assumed.
Configurations that only support a single algorithm can ignore the
principal arguments.
Bug: 341630707
Change-Id: Ic8e1ec765c15674c8ffac9f238516b554f452996
Reviewed-on: https://pigweed-review.googlesource.com/c/open-dice/+/227311
Lint: Lint 🤖 <android-build-ayeaye@system.gserviceaccount.com>
Reviewed-by: Alice Wang <aliceywang@google.com>
Reviewed-by: Darren Krahn <dkrahn@google.com>
Presubmit-Verified: CQ Bot Account <pigweed-scoped@luci-project-accounts.iam.gserviceaccount.com>
Commit-Queue: Darren Krahn <dkrahn@google.com>
diff --git a/include/dice/config/boringssl_multialg/dice/config.h b/include/dice/config/boringssl_multialg/dice/config.h
index 19ad651..4ddc03b 100644
--- a/include/dice/config/boringssl_multialg/dice/config.h
+++ b/include/dice/config/boringssl_multialg/dice/config.h
@@ -18,6 +18,8 @@
#include <stddef.h>
#include <stdint.h>
+#include "dice/types.h"
+
// Upper bound of sizes based on P-384.
#define DICE_PUBLIC_KEY_BUFFER_SIZE 96
#define DICE_PRIVATE_KEY_SIZE 64
@@ -36,9 +38,21 @@
// Provides the algorithm configuration and must be passed as the context
// parameter to every function in the library.
typedef struct DiceContext_ {
- DiceKeyAlgorithm key_algorithm;
+ DiceKeyAlgorithm authority_algorithm;
+ DiceKeyAlgorithm subject_algorithm;
} DiceContext;
+static inline DiceKeyAlgorithm DiceGetKeyAlgorithm(void* context,
+ DicePrincipal principal) {
+ DiceContext* c = (DiceContext*)context;
+ switch (principal) {
+ case kDicePrincipalAuthority:
+ return c->authority_algorithm;
+ case kDicePrincipalSubject:
+ return c->subject_algorithm;
+ }
+}
+
#ifdef __cplusplus
} // extern "C"
#endif
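Review bot: `DiceGetKeyAlgorithm` has no `return` after the `switch`, so a `principal` value other than the two enumerators falls off the end of a non-void function; using that result is undefined behaviour, and builds with `-Wreturn-type` will warn. End the function with a defined fallback that no caller's `case` matches, so the callers reach their existing `kDiceResultPlatformError` return. Alternatively, have the helper return a `DiceResult` and write the algorithm through an out-parameter. The helper also dereferences `context` without a null check; a one-line comment such as `// |context| must point to a DiceContext; NULL is not permitted in this configuration.` would make that requirement visible.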
diff --git a/include/dice/ops.h b/include/dice/ops.h
index a6074ae..6436279 100644
--- a/include/dice/ops.h
+++ b/include/dice/ops.h
@@ -28,7 +28,8 @@
// Retrieves the DICE key parameters based on the key pair generation
// algorithm set up at compile time or in the |context| parameter at runtime.
-DiceResult DiceGetKeyParam(void* context, DiceKeyParam* key_param);
+DiceResult DiceGetKeyParam(void* context, DicePrincipal principal,
+ DiceKeyParam* key_param);
// An implementation of SHA-512, or an alternative hash. Hashes |input_size|
// bytes of |input| and populates |output| on success.
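Review bot: The comment above `DiceGetKeyParam` still describes a single algorithm and does not mention the new `principal` argument. Extend it along the lines of `// |principal| selects whose key parameters are returned; configurations with a single algorithm may ignore it.` The same applies to the comments on `DiceKeypairFromSeed` in the next hunk and on `DiceCoseEncodePublicKey` in include/dice/ops/trait/cose.h. Separately, the commit message's statement that signing and verification always use the authority's algorithm belongs in this header next to `DiceSign` and `DiceVerify`, which lie outside the hunks shown.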
@@ -46,7 +47,7 @@
// Since this is deterministic, |seed| is as sensitive as a private key and can
// be used directly as the private key. The |private_key| may use an
// implementation defined format so may only be passed to the |sign| operation.
-DiceResult DiceKeypairFromSeed(void* context,
+DiceResult DiceKeypairFromSeed(void* context, DicePrincipal principal,
const uint8_t seed[DICE_PRIVATE_KEY_SEED_SIZE],
uint8_t public_key[DICE_PUBLIC_KEY_BUFFER_SIZE],
uint8_t private_key[DICE_PRIVATE_KEY_SIZE]);
diff --git a/include/dice/ops/trait/cose.h b/include/dice/ops/trait/cose.h
index 7b11c89..3fc7054 100644
--- a/include/dice/ops/trait/cose.h
+++ b/include/dice/ops/trait/cose.h
@@ -33,8 +33,9 @@
// kDiceResultBufferTooSmall is returned |encoded_size| will be set to the
// required size of the buffer.
DiceResult DiceCoseEncodePublicKey(
- void* context, const uint8_t public_key[DICE_PUBLIC_KEY_BUFFER_SIZE],
- size_t buffer_size, uint8_t* buffer, size_t* encoded_size);
+ void* context, DicePrincipal principal,
+ const uint8_t public_key[DICE_PUBLIC_KEY_BUFFER_SIZE], size_t buffer_size,
+ uint8_t* buffer, size_t* encoded_size);
// Signs the payload and additional authenticated data, formatting the result
// into a COSE_Sign1 structure. There are no unprotected attributes included in
diff --git a/include/dice/types.h b/include/dice/types.h
index 38eebc6..3f004df 100644
--- a/include/dice/types.h
+++ b/include/dice/types.h
@@ -26,6 +26,11 @@
} DiceResult;
typedef enum {
+ kDicePrincipalAuthority,
+ kDicePrincipalSubject,
+} DicePrincipal;
+
+typedef enum {
kDiceModeNotInitialized,
kDiceModeNormal,
kDiceModeDebug,
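Review bot: The new `DicePrincipal` enum is added without a comment, although every implementer of the ops interface now has to interpret it. A short description above the typedef would help, for example `// Identifies whose key an operation refers to: the authority that signs a certificate or the subject the certificate describes.` It is also worth stating there that the library is assumed to run in the authority's context, as the commit message says.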
diff --git a/src/android.c b/src/android.c
index e0c2ada..2a0143a 100644
--- a/src/android.c
+++ b/src/android.c
@@ -159,7 +159,8 @@
goto out;
}
// Derive attestation key pair.
- result = DiceKeypairFromSeed(context, current_cdi_private_key_seed,
+ result = DiceKeypairFromSeed(context, kDicePrincipalAuthority,
+ current_cdi_private_key_seed,
attestation_public_key, attestation_private_key);
if (result != kDiceResultOk) {
goto out;
@@ -180,8 +181,9 @@
}
size_t encoded_pub_key_size = 0;
- result = DiceCoseEncodePublicKey(context, attestation_public_key, buffer_size,
- buffer, &encoded_pub_key_size);
+ result = DiceCoseEncodePublicKey(context, kDicePrincipalAuthority,
+ attestation_public_key, buffer_size, buffer,
+ &encoded_pub_key_size);
if (result == kDiceResultOk) {
buffer += encoded_pub_key_size;
buffer_size -= encoded_pub_key_size;
diff --git a/src/boringssl_cert_op.c b/src/boringssl_cert_op.c
index 18fdc4e..21ce297 100644
--- a/src/boringssl_cert_op.c
+++ b/src/boringssl_cert_op.c
@@ -585,7 +585,7 @@
goto out;
}
DiceKeyParam key_param;
- result = DiceGetKeyParam(context, &key_param);
+ result = DiceGetKeyParam(context, kDicePrincipalSubject, &key_param);
if (result != kDiceResultOk) {
goto out;
}
diff --git a/src/boringssl_ed25519_ops.c b/src/boringssl_ed25519_ops.c
index 947e99d..f4863e8 100644
--- a/src/boringssl_ed25519_ops.c
+++ b/src/boringssl_ed25519_ops.c
@@ -36,8 +36,11 @@
#define DICE_PROFILE_NAME NULL
-DiceResult DiceGetKeyParam(void* context_not_used, DiceKeyParam* key_param) {
+DiceResult DiceGetKeyParam(void* context_not_used,
+ DicePrincipal principal_not_used,
+ DiceKeyParam* key_param) {
(void)context_not_used;
+ (void)principal_not_used;
key_param->profile_name = DICE_PROFILE_NAME;
key_param->public_key_size = DICE_PUBLIC_KEY_BUFFER_SIZE;
key_param->signature_size = DICE_SIGNATURE_BUFFER_SIZE;
@@ -49,10 +52,12 @@
}
DiceResult DiceKeypairFromSeed(void* context_not_used,
+ DicePrincipal principal_not_used,
const uint8_t seed[DICE_PRIVATE_KEY_SEED_SIZE],
uint8_t public_key[DICE_PUBLIC_KEY_BUFFER_SIZE],
uint8_t private_key[DICE_PRIVATE_KEY_SIZE]) {
(void)context_not_used;
+ (void)principal_not_used;
ED25519_keypair_from_seed(public_key, private_key, seed);
return kDiceResultOk;
}
diff --git a/src/boringssl_multialg_ops.c b/src/boringssl_multialg_ops.c
index 5a47e42..0553a44 100644
--- a/src/boringssl_multialg_ops.c
+++ b/src/boringssl_multialg_ops.c
@@ -41,9 +41,9 @@
#define DICE_PROFILE_NAME_P256 "opendice.example.p256"
#define DICE_PROFILE_NAME_P384 "opendice.example.p384"
-DiceResult DiceGetKeyParam(void* context, DiceKeyParam* key_param) {
- DiceContext* c = (DiceContext*)context;
- switch (c->key_algorithm) {
+DiceResult DiceGetKeyParam(void* context, DicePrincipal principal,
+ DiceKeyParam* key_param) {
+ switch (DiceGetKeyAlgorithm(context, principal)) {
case kDiceKeyAlgorithmEd25519:
key_param->profile_name = DICE_PROFILE_NAME_ED25519;
key_param->public_key_size = 32;
@@ -75,13 +75,11 @@
return kDiceResultPlatformError;
}
-DiceResult DiceKeypairFromSeed(void* context,
+DiceResult DiceKeypairFromSeed(void* context, DicePrincipal principal,
const uint8_t seed[DICE_PRIVATE_KEY_SEED_SIZE],
uint8_t public_key[DICE_PUBLIC_KEY_BUFFER_SIZE],
uint8_t private_key[DICE_PRIVATE_KEY_SIZE]) {
- DiceContext* c = (DiceContext*)context;
-
- switch (c->key_algorithm) {
+ switch (DiceGetKeyAlgorithm(context, principal)) {
case kDiceKeyAlgorithmEd25519:
ED25519_keypair_from_seed(public_key, private_key, seed);
return kDiceResultOk;
@@ -102,9 +100,7 @@
DiceResult DiceSign(void* context, const uint8_t* message, size_t message_size,
const uint8_t private_key[DICE_PRIVATE_KEY_SIZE],
uint8_t signature[DICE_SIGNATURE_BUFFER_SIZE]) {
- DiceContext* c = (DiceContext*)context;
-
- switch (c->key_algorithm) {
+ switch (DiceGetKeyAlgorithm(context, kDicePrincipalAuthority)) {
case kDiceKeyAlgorithmEd25519:
if (1 == ED25519_sign(signature, message, message_size, private_key)) {
return kDiceResultOk;
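Review bot: The hard-coded `kDicePrincipalAuthority` in `DiceSign` (and in `DiceVerify` in the next hunk) depends on an assumption that is explained only in the commit message. A caller that passes a subject key to either function in a mixed-algorithm context would have it processed with the authority's algorithm, with nothing in the code to warn about it. Add a comment at each switch, for example `// Signing and verification always use the authority's key, so the authority's algorithm applies.` Both function bodies continue outside the hunks.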
@@ -128,9 +124,7 @@
size_t message_size,
const uint8_t signature[DICE_SIGNATURE_BUFFER_SIZE],
const uint8_t public_key[DICE_PUBLIC_KEY_BUFFER_SIZE]) {
- DiceContext* c = (DiceContext*)context;
-
- switch (c->key_algorithm) {
+ switch (DiceGetKeyAlgorithm(context, kDicePrincipalAuthority)) {
case kDiceKeyAlgorithmEd25519:
if (1 == ED25519_verify(message, message_size, signature, public_key)) {
return kDiceResultOk;
diff --git a/src/boringssl_p256_ops.c b/src/boringssl_p256_ops.c
index fcb61b2..7913d30 100644
--- a/src/boringssl_p256_ops.c
+++ b/src/boringssl_p256_ops.c
@@ -37,8 +37,11 @@
#define DICE_PROFILE_NAME "opendice.example.p256"
-DiceResult DiceGetKeyParam(void* context_not_used, DiceKeyParam* key_param) {
+DiceResult DiceGetKeyParam(void* context_not_used,
+ DicePrincipal principal_not_used,
+ DiceKeyParam* key_param) {
(void)context_not_used;
+ (void)principal_not_used;
key_param->profile_name = DICE_PROFILE_NAME;
key_param->public_key_size = DICE_PUBLIC_KEY_BUFFER_SIZE;
key_param->signature_size = DICE_SIGNATURE_BUFFER_SIZE;
@@ -50,10 +53,12 @@
}
DiceResult DiceKeypairFromSeed(void* context_not_used,
+ DicePrincipal principal_not_used,
const uint8_t seed[DICE_PRIVATE_KEY_SEED_SIZE],
uint8_t public_key[DICE_PUBLIC_KEY_BUFFER_SIZE],
uint8_t private_key[DICE_PRIVATE_KEY_SIZE]) {
(void)context_not_used;
+ (void)principal_not_used;
if (1 == P256KeypairFromSeed(public_key, private_key, seed)) {
return kDiceResultOk;
}
diff --git a/src/boringssl_p384_ops.c b/src/boringssl_p384_ops.c
index 7d326e1..19a52da 100644
--- a/src/boringssl_p384_ops.c
+++ b/src/boringssl_p384_ops.c
@@ -37,8 +37,11 @@
#define DICE_PROFILE_NAME "opendice.example.p384"
-DiceResult DiceGetKeyParam(void* context_not_used, DiceKeyParam* key_param) {
+DiceResult DiceGetKeyParam(void* context_not_used,
+ DicePrincipal principal_not_used,
+ DiceKeyParam* key_param) {
(void)context_not_used;
+ (void)principal_not_used;
key_param->profile_name = DICE_PROFILE_NAME;
key_param->public_key_size = DICE_PUBLIC_KEY_BUFFER_SIZE;
key_param->signature_size = DICE_SIGNATURE_BUFFER_SIZE;
@@ -50,10 +53,12 @@
}
DiceResult DiceKeypairFromSeed(void* context_not_used,
+ DicePrincipal principal_not_used,
const uint8_t seed[DICE_PRIVATE_KEY_SEED_SIZE],
uint8_t public_key[DICE_PUBLIC_KEY_BUFFER_SIZE],
uint8_t private_key[DICE_PRIVATE_KEY_SIZE]) {
(void)context_not_used;
+ (void)principal_not_used;
if (1 == P384KeypairFromSeed(public_key, private_key, seed)) {
return kDiceResultOk;
}
diff --git a/src/cbor_cert_op.c b/src/cbor_cert_op.c
index c9a414b..df4e55a 100644
--- a/src/cbor_cert_op.c
+++ b/src/cbor_cert_op.c
@@ -32,8 +32,9 @@
// Max size of the COSE_Sign1 protected attributes.
#define DICE_MAX_PROTECTED_ATTRIBUTES_SIZE 16
-static DiceResult EncodeProtectedAttributes(void* context, size_t buffer_size,
- uint8_t* buffer,
+static DiceResult EncodeProtectedAttributes(void* context,
+ DicePrincipal principal,
+ size_t buffer_size, uint8_t* buffer,
size_t* encoded_size) {
// Constants per RFC 8152.
const int64_t kCoseHeaderAlgLabel = 1;
@@ -43,7 +44,7 @@
CborWriteMap(/*num_elements=*/1, &out);
// Add the algorithm.
DiceKeyParam key_param;
- DiceResult result = DiceGetKeyParam(context, &key_param);
+ DiceResult result = DiceGetKeyParam(context, principal, &key_param);
if (result != kDiceResultOk) {
return result;
}
@@ -112,7 +113,8 @@
CborWriteBstr(payload_size, payload, &out);
}
DiceKeyParam key_param;
- DiceResult result = DiceGetKeyParam(context, &key_param);
+ DiceResult result =
+ DiceGetKeyParam(context, kDicePrincipalAuthority, &key_param);
if (result != kDiceResultOk) {
return result;
}
@@ -138,9 +140,9 @@
// COSE_Sign1 structure.
uint8_t protected_attributes[DICE_MAX_PROTECTED_ATTRIBUTES_SIZE];
size_t protected_attributes_size = 0;
- result = EncodeProtectedAttributes(context, sizeof(protected_attributes),
- protected_attributes,
- &protected_attributes_size);
+ result = EncodeProtectedAttributes(
+ context, kDicePrincipalSubject, sizeof(protected_attributes),
+ protected_attributes, &protected_attributes_size);
if (result != kDiceResultOk) {
return kDiceResultPlatformError;
}
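Review bot: The protected attributes here are built for `kDicePrincipalSubject`, yet the structure is signed with the authority's key: `DiceSign` in boringssl_multialg_ops.c switches on `kDicePrincipalAuthority`, and the `DiceGetKeyParam` lookup in the preceding hunk also asks for the authority. `EncodeProtectedAttributes` writes the algorithm taken from that principal's key parameters, so when the two principals use different algorithms the `alg` header would not describe the signature that follows, and verification of the COSE_Sign1 should then fail or be ambiguous. The argument line should read `context, kDicePrincipalAuthority, sizeof(protected_attributes),`. The same call in the hunk at `@@ -376,9 +389,9 @@` builds the certificate's protected attributes and appears to need the same change. The enclosing functions start outside both hunks, so confirm which key signs each structure.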
@@ -219,7 +221,8 @@
}
DiceKeyParam key_param;
- DiceResult result = DiceGetKeyParam(context, &key_param);
+ DiceResult result =
+ DiceGetKeyParam(context, kDicePrincipalSubject, &key_param);
if (result != kDiceResultOk) {
return result;
}
@@ -320,21 +323,29 @@
// Derive keys and IDs from the private key seeds.
uint8_t subject_public_key[DICE_PUBLIC_KEY_BUFFER_SIZE];
- result = DiceKeypairFromSeed(context, subject_private_key_seed,
- subject_public_key, subject_private_key);
+ result = DiceKeypairFromSeed(context, kDicePrincipalSubject,
+ subject_private_key_seed, subject_public_key,
+ subject_private_key);
if (result != kDiceResultOk) {
goto out;
}
- DiceKeyParam key_param;
- result = DiceGetKeyParam(context, &key_param);
+ DiceKeyParam subject_key_param;
+ DiceKeyParam authority_key_param;
+ result = DiceGetKeyParam(context, kDicePrincipalSubject, &subject_key_param);
+ if (result != kDiceResultOk) {
+ goto out;
+ }
+ result =
+ DiceGetKeyParam(context, kDicePrincipalAuthority, &authority_key_param);
if (result != kDiceResultOk) {
goto out;
}
uint8_t subject_id[DICE_ID_SIZE];
- result = DiceDeriveCdiCertificateId(context, subject_public_key,
- key_param.public_key_size, subject_id);
+ result =
+ DiceDeriveCdiCertificateId(context, subject_public_key,
+ subject_key_param.public_key_size, subject_id);
if (result != kDiceResultOk) {
goto out;
}
@@ -344,15 +355,17 @@
subject_id_hex[sizeof(subject_id_hex) - 1] = '\0';
uint8_t authority_public_key[DICE_PUBLIC_KEY_BUFFER_SIZE];
- result = DiceKeypairFromSeed(context, authority_private_key_seed,
- authority_public_key, authority_private_key);
+ result = DiceKeypairFromSeed(context, kDicePrincipalAuthority,
+ authority_private_key_seed, authority_public_key,
+ authority_private_key);
if (result != kDiceResultOk) {
goto out;
}
uint8_t authority_id[DICE_ID_SIZE];
result = DiceDeriveCdiCertificateId(context, authority_public_key,
- key_param.public_key_size, authority_id);
+ authority_key_param.public_key_size,
+ authority_id);
if (result != kDiceResultOk) {
goto out;
}
@@ -365,8 +378,8 @@
uint8_t encoded_public_key[DICE_MAX_PUBLIC_KEY_SIZE];
size_t encoded_public_key_size = 0;
result = DiceCoseEncodePublicKey(
- context, subject_public_key, sizeof(encoded_public_key),
- encoded_public_key, &encoded_public_key_size);
+ context, kDicePrincipalSubject, subject_public_key,
+ sizeof(encoded_public_key), encoded_public_key, &encoded_public_key_size);
if (result != kDiceResultOk) {
result = kDiceResultPlatformError;
goto out;
@@ -376,9 +389,9 @@
// COSE_Sign1 structure.
uint8_t protected_attributes[DICE_MAX_PROTECTED_ATTRIBUTES_SIZE];
size_t protected_attributes_size = 0;
- result = EncodeProtectedAttributes(context, sizeof(protected_attributes),
- protected_attributes,
- &protected_attributes_size);
+ result = EncodeProtectedAttributes(
+ context, kDicePrincipalSubject, sizeof(protected_attributes),
+ protected_attributes, &protected_attributes_size);
if (result != kDiceResultOk) {
result = kDiceResultPlatformError;
goto out;
@@ -454,10 +467,11 @@
}
DiceResult DiceCoseEncodePublicKey(
- void* context, const uint8_t public_key[DICE_PUBLIC_KEY_BUFFER_SIZE],
- size_t buffer_size, uint8_t* buffer, size_t* encoded_size) {
+ void* context, DicePrincipal principal,
+ const uint8_t public_key[DICE_PUBLIC_KEY_BUFFER_SIZE], size_t buffer_size,
+ uint8_t* buffer, size_t* encoded_size) {
DiceKeyParam key_param;
- DiceResult result = DiceGetKeyParam(context, &key_param);
+ DiceResult result = DiceGetKeyParam(context, principal, &key_param);
if (result != kDiceResultOk) {
return result;
}
diff --git a/src/cbor_cert_op_test.cc b/src/cbor_cert_op_test.cc
index a692305..b8f1229 100644
--- a/src/cbor_cert_op_test.cc
+++ b/src/cbor_cert_op_test.cc
@@ -252,14 +252,15 @@
uint8_t private_key[DICE_PRIVATE_KEY_SIZE];
uint8_t public_key[DICE_PUBLIC_KEY_BUFFER_SIZE];
- result = DiceKeypairFromSeed(NULL, private_key_seed, public_key, private_key);
+ result = DiceKeypairFromSeed(NULL, kDicePrincipalAuthority, private_key_seed,
+ public_key, private_key);
ASSERT_EQ(kDiceResultOk, result);
uint8_t encoded_public_key[DICE_PUBLIC_KEY_BUFFER_SIZE + 32];
size_t encoded_public_key_size = 0;
- result =
- DiceCoseEncodePublicKey(NULL, public_key, sizeof(encoded_public_key),
- encoded_public_key, &encoded_public_key_size);
+ result = DiceCoseEncodePublicKey(
+ NULL, kDicePrincipalAuthority, public_key, sizeof(encoded_public_key),
+ encoded_public_key, &encoded_public_key_size);
ASSERT_EQ(kDiceResultOk, result);
uint8_t payload[500];
diff --git a/src/cbor_multialg_op_test.cc b/src/cbor_multialg_op_test.cc
index 8bb1eef..28886bd 100644
--- a/src/cbor_multialg_op_test.cc
+++ b/src/cbor_multialg_op_test.cc
@@ -36,7 +36,8 @@
using dice::test::KeyType_P384;
TEST(DiceOpsTest, Ed25519KnownAnswerZeroInput) {
- DiceContext context{.key_algorithm = kDiceKeyAlgorithmEd25519};
+ DiceContext context{.authority_algorithm = kDiceKeyAlgorithmEd25519,
+ .subject_algorithm = kDiceKeyAlgorithmEd25519};
DiceStateForTest current_state = {};
DiceStateForTest next_state = {};
DiceInputValues input_values = {};
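Review bot: Every updated test sets `authority_algorithm` and `subject_algorithm` to the same value, so the mixed-algorithm path this commit introduces is never exercised. Add at least one case with differing algorithms, for example `DiceContext context{.authority_algorithm = kDiceKeyAlgorithmEd25519, .subject_algorithm = kDiceKeyAlgorithmP256};`, and check that the generated certificate verifies against the authority's public key and carries a subject key of the expected size. Such a test would catch any place where the wrong principal is passed, because with equal algorithms both principals behave identically. The remaining hunks in this file follow the same pattern.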
@@ -62,7 +63,8 @@
}
TEST(DiceOpsTest, P256KnownAnswerZeroInput) {
- DiceContext context{.key_algorithm = kDiceKeyAlgorithmP256};
+ DiceContext context{.authority_algorithm = kDiceKeyAlgorithmP256,
+ .subject_algorithm = kDiceKeyAlgorithmP256};
DiceStateForTest current_state = {};
DiceStateForTest next_state = {};
DiceInputValues input_values = {};
@@ -92,7 +94,8 @@
}
TEST(DiceOpsTest, P384KnownAnswerZeroInput) {
- DiceContext context{.key_algorithm = kDiceKeyAlgorithmP384};
+ DiceContext context{.authority_algorithm = kDiceKeyAlgorithmP384,
+ .subject_algorithm = kDiceKeyAlgorithmP384};
DiceStateForTest current_state = {};
DiceStateForTest next_state = {};
DiceInputValues input_values = {};
@@ -122,7 +125,8 @@
}
TEST(DiceOpsTest, Ed25519KnownAnswerHashOnlyInput) {
- DiceContext context{.key_algorithm = kDiceKeyAlgorithmEd25519};
+ DiceContext context{.authority_algorithm = kDiceKeyAlgorithmEd25519,
+ .subject_algorithm = kDiceKeyAlgorithmEd25519};
DiceStateForTest current_state = {};
DeriveFakeInputValue("cdi_attest", DICE_CDI_SIZE, current_state.cdi_attest);
DeriveFakeInputValue("cdi_seal", DICE_CDI_SIZE, current_state.cdi_seal);
@@ -159,7 +163,8 @@
}
TEST(DiceOpsTest, P256KnownAnswerHashOnlyInput) {
- DiceContext context{.key_algorithm = kDiceKeyAlgorithmP256};
+ DiceContext context{.authority_algorithm = kDiceKeyAlgorithmP256,
+ .subject_algorithm = kDiceKeyAlgorithmP256};
DiceStateForTest current_state = {};
DeriveFakeInputValue("cdi_attest", DICE_CDI_SIZE, current_state.cdi_attest);
DeriveFakeInputValue("cdi_seal", DICE_CDI_SIZE, current_state.cdi_seal);
@@ -197,7 +202,8 @@
}
TEST(DiceOpsTest, P384KnownAnswerHashOnlyInput) {
- DiceContext context{.key_algorithm = kDiceKeyAlgorithmP384};
+ DiceContext context{.authority_algorithm = kDiceKeyAlgorithmP384,
+ .subject_algorithm = kDiceKeyAlgorithmP384};
DiceStateForTest current_state = {};
DeriveFakeInputValue("cdi_attest", DICE_CDI_SIZE, current_state.cdi_attest);
DeriveFakeInputValue("cdi_seal", DICE_CDI_SIZE, current_state.cdi_seal);
@@ -235,7 +241,8 @@
}
TEST(DiceOpsTest, Ed25519KnownAnswerDescriptorInput) {
- DiceContext context{.key_algorithm = kDiceKeyAlgorithmEd25519};
+ DiceContext context{.authority_algorithm = kDiceKeyAlgorithmEd25519,
+ .subject_algorithm = kDiceKeyAlgorithmEd25519};
DiceStateForTest current_state = {};
DeriveFakeInputValue("cdi_attest", DICE_CDI_SIZE, current_state.cdi_attest);
DeriveFakeInputValue("cdi_seal", DICE_CDI_SIZE, current_state.cdi_seal);
@@ -285,7 +292,8 @@
}
TEST(DiceOpsTest, P256KnownAnswerDescriptorInput) {
- DiceContext context{.key_algorithm = kDiceKeyAlgorithmP256};
+ DiceContext context{.authority_algorithm = kDiceKeyAlgorithmP256,
+ .subject_algorithm = kDiceKeyAlgorithmP256};
DiceStateForTest current_state = {};
DeriveFakeInputValue("cdi_attest", DICE_CDI_SIZE, current_state.cdi_attest);
DeriveFakeInputValue("cdi_seal", DICE_CDI_SIZE, current_state.cdi_seal);
@@ -336,7 +344,8 @@
}
TEST(DiceOpsTest, P384KnownAnswerDescriptorInput) {
- DiceContext context{.key_algorithm = kDiceKeyAlgorithmP384};
+ DiceContext context{.authority_algorithm = kDiceKeyAlgorithmP384,
+ .subject_algorithm = kDiceKeyAlgorithmP384};
DiceStateForTest current_state = {};
DeriveFakeInputValue("cdi_attest", DICE_CDI_SIZE, current_state.cdi_attest);
DeriveFakeInputValue("cdi_seal", DICE_CDI_SIZE, current_state.cdi_seal);
@@ -387,7 +396,8 @@
}
TEST(DiceOpsTest, Ed25519NonZeroMode) {
- DiceContext context{.key_algorithm = kDiceKeyAlgorithmEd25519};
+ DiceContext context{.authority_algorithm = kDiceKeyAlgorithmEd25519,
+ .subject_algorithm = kDiceKeyAlgorithmEd25519};
constexpr size_t kModeOffsetInCert = 315;
DiceStateForTest current_state = {};
DiceStateForTest next_state = {};
@@ -402,7 +412,8 @@
}
TEST(DiceOpsTest, P256NonZeroMode) {
- DiceContext context{.key_algorithm = kDiceKeyAlgorithmP256};
+ DiceContext context{.authority_algorithm = kDiceKeyAlgorithmP256,
+ .subject_algorithm = kDiceKeyAlgorithmP256};
constexpr size_t kModeOffsetInCert = 315;
DiceStateForTest current_state = {};
DiceStateForTest next_state = {};
@@ -417,7 +428,8 @@
}
TEST(DiceOpsTest, P384NonZeroMode) {
- DiceContext context{.key_algorithm = kDiceKeyAlgorithmP384};
+ DiceContext context{.authority_algorithm = kDiceKeyAlgorithmP384,
+ .subject_algorithm = kDiceKeyAlgorithmP384};
constexpr size_t kModeOffsetInCert = 316;
DiceStateForTest current_state = {};
DiceStateForTest next_state = {};
@@ -432,7 +444,8 @@
}
TEST(DiceOpsTest, Ed25519LargeInputs) {
- DiceContext context{.key_algorithm = kDiceKeyAlgorithmEd25519};
+ DiceContext context{.authority_algorithm = kDiceKeyAlgorithmEd25519,
+ .subject_algorithm = kDiceKeyAlgorithmEd25519};
constexpr uint8_t kBigBuffer[1024 * 1024] = {};
DiceStateForTest current_state = {};
DiceStateForTest next_state = {};
@@ -447,7 +460,8 @@
}
TEST(DiceOpsTest, P256LargeInputs) {
- DiceContext context{.key_algorithm = kDiceKeyAlgorithmP256};
+ DiceContext context{.authority_algorithm = kDiceKeyAlgorithmP256,
+ .subject_algorithm = kDiceKeyAlgorithmP256};
constexpr uint8_t kBigBuffer[1024 * 1024] = {};
DiceStateForTest current_state = {};
DiceStateForTest next_state = {};
@@ -462,7 +476,8 @@
}
TEST(DiceOpsTest, P384LargeInputs) {
- DiceContext context{.key_algorithm = kDiceKeyAlgorithmP384};
+ DiceContext context{.authority_algorithm = kDiceKeyAlgorithmP384,
+ .subject_algorithm = kDiceKeyAlgorithmP384};
constexpr uint8_t kBigBuffer[1024 * 1024] = {};
DiceStateForTest current_state = {};
DiceStateForTest next_state = {};
@@ -477,7 +492,8 @@
}
TEST(DiceOpsTest, Ed25519InvalidConfigType) {
- DiceContext context{.key_algorithm = kDiceKeyAlgorithmEd25519};
+ DiceContext context{.authority_algorithm = kDiceKeyAlgorithmEd25519,
+ .subject_algorithm = kDiceKeyAlgorithmEd25519};
DiceStateForTest current_state = {};
DiceStateForTest next_state = {};
DiceInputValues input_values = {};
@@ -490,7 +506,8 @@
}
TEST(DiceOpsTest, P256InvalidConfigType) {
- DiceContext context{.key_algorithm = kDiceKeyAlgorithmP256};
+ DiceContext context{.authority_algorithm = kDiceKeyAlgorithmP256,
+ .subject_algorithm = kDiceKeyAlgorithmP256};
DiceStateForTest current_state = {};
DiceStateForTest next_state = {};
DiceInputValues input_values = {};
@@ -503,7 +520,8 @@
}
TEST(DiceOpsTest, P384InvalidConfigType) {
- DiceContext context{.key_algorithm = kDiceKeyAlgorithmP384};
+ DiceContext context{.authority_algorithm = kDiceKeyAlgorithmP384,
+ .subject_algorithm = kDiceKeyAlgorithmP384};
DiceStateForTest current_state = {};
DiceStateForTest next_state = {};
DiceInputValues input_values = {};
@@ -516,7 +534,8 @@
}
TEST(DiceOpsTest, Ed25519PartialCertChain) {
- DiceContext context{.key_algorithm = kDiceKeyAlgorithmEd25519};
+ DiceContext context{.authority_algorithm = kDiceKeyAlgorithmEd25519,
+ .subject_algorithm = kDiceKeyAlgorithmEd25519};
constexpr size_t kNumLayers = 7;
DiceStateForTest states[kNumLayers + 1] = {};
DiceInputValues inputs[kNumLayers] = {};
@@ -547,7 +566,8 @@
}
TEST(DiceOpsTest, P256PartialCertChain) {
- DiceContext context{.key_algorithm = kDiceKeyAlgorithmP256};
+ DiceContext context{.authority_algorithm = kDiceKeyAlgorithmP256,
+ .subject_algorithm = kDiceKeyAlgorithmP256};
constexpr size_t kNumLayers = 7;
DiceStateForTest states[kNumLayers + 1] = {};
DiceInputValues inputs[kNumLayers] = {};
@@ -578,7 +598,8 @@
}
TEST(DiceOpsTest, P384PartialCertChain) {
- DiceContext context{.key_algorithm = kDiceKeyAlgorithmP384};
+ DiceContext context{.authority_algorithm = kDiceKeyAlgorithmP384,
+ .subject_algorithm = kDiceKeyAlgorithmP384};
constexpr size_t kNumLayers = 7;
DiceStateForTest states[kNumLayers + 1] = {};
DiceInputValues inputs[kNumLayers] = {};
@@ -609,7 +630,8 @@
}
TEST(DiceOpsTest, Ed25519FullCertChain) {
- DiceContext context{.key_algorithm = kDiceKeyAlgorithmEd25519};
+ DiceContext context{.authority_algorithm = kDiceKeyAlgorithmEd25519,
+ .subject_algorithm = kDiceKeyAlgorithmEd25519};
constexpr size_t kNumLayers = 7;
DiceStateForTest states[kNumLayers + 1] = {};
DiceInputValues inputs[kNumLayers] = {};
@@ -645,7 +667,8 @@
}
TEST(DiceOpsTest, P256FullCertChain) {
- DiceContext context{.key_algorithm = kDiceKeyAlgorithmP256};
+ DiceContext context{.authority_algorithm = kDiceKeyAlgorithmP256,
+ .subject_algorithm = kDiceKeyAlgorithmP256};
constexpr size_t kNumLayers = 7;
DiceStateForTest states[kNumLayers + 1] = {};
DiceInputValues inputs[kNumLayers] = {};
@@ -681,7 +704,8 @@
}
TEST(DiceOpsTest, P384FullCertChain) {
- DiceContext context{.key_algorithm = kDiceKeyAlgorithmP384};
+ DiceContext context{.authority_algorithm = kDiceKeyAlgorithmP384,
+ .subject_algorithm = kDiceKeyAlgorithmP384};
constexpr size_t kNumLayers = 7;
DiceStateForTest states[kNumLayers + 1] = {};
DiceInputValues inputs[kNumLayers] = {};
diff --git a/src/template_cbor_cert_op.c b/src/template_cbor_cert_op.c
index a840ec7..0633047 100644
--- a/src/template_cbor_cert_op.c
+++ b/src/template_cbor_cert_op.c
@@ -165,7 +165,7 @@
DiceResult result = kDiceResultOk;
DiceKeyParam key_param;
- result = DiceGetKeyParam(context, &key_param);
+ result = DiceGetKeyParam(context, kDicePrincipalSubject, &key_param);
if (result != kDiceResultOk) {
goto out;
}
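Review bot: Only the subject's parameters are read into `key_param` here, while a later hunk in this file derives the authority key pair with `kDicePrincipalAuthority`. If `key_param` is later used for the authority's key or signature sizes (those lines are outside the hunks), a context with different algorithms for the two principals would use the subject's sizes for authority data. cbor_cert_op.c in this commit fetches separate `subject_key_param` and `authority_key_param` values for the two ID derivations. Either do the same here and in template_cert_op.c, or add a comment such as `// Template certificates require the authority and subject to use the same algorithm.`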
@@ -189,8 +189,9 @@
// Derive keys and IDs from the private key seeds.
uint8_t subject_public_key[DICE_PUBLIC_KEY_BUFFER_SIZE];
- result = DiceKeypairFromSeed(context, subject_private_key_seed,
- subject_public_key, subject_private_key);
+ result = DiceKeypairFromSeed(context, kDicePrincipalSubject,
+ subject_private_key_seed, subject_public_key,
+ subject_private_key);
if (result != kDiceResultOk) {
goto out;
}
@@ -206,8 +207,9 @@
sizeof(subject_id_hex));
uint8_t authority_public_key[DICE_PUBLIC_KEY_BUFFER_SIZE];
- result = DiceKeypairFromSeed(context, authority_private_key_seed,
- authority_public_key, authority_private_key);
+ result = DiceKeypairFromSeed(context, kDicePrincipalAuthority,
+ authority_private_key_seed, authority_public_key,
+ authority_private_key);
if (result != kDiceResultOk) {
goto out;
}
diff --git a/src/template_cert_op.c b/src/template_cert_op.c
index 32a6ef7..cc9f553 100644
--- a/src/template_cert_op.c
+++ b/src/template_cert_op.c
@@ -175,7 +175,7 @@
DiceResult result = kDiceResultOk;
DiceKeyParam key_param;
- result = DiceGetKeyParam(context, &key_param);
+ result = DiceGetKeyParam(context, kDicePrincipalSubject, &key_param);
if (result != kDiceResultOk) {
goto out;
}