Rename some private keys to private key seeds
The value derived by the profile is not necessarily used directly as the
private key but as a seed from which the private key is
deterministically generated. Mark this distinction by naming it as a
private key seed rather than key.
Change-Id: I09094c6177d999e5a95e1d825ddb3f56d1bbe24f
Reviewed-on: https://pigweed-review.googlesource.com/c/open-dice/+/40741
Reviewed-by: Darren Krahn <dkrahn@google.com>
Commit-Queue: Andrew Scull <ascull@google.com>
Pigweed-Auto-Submit: Andrew Scull <ascull@google.com>
diff --git a/include/dice/boringssl_ops.h b/include/dice/boringssl_ops.h
index c188f01..51d58cd 100644
--- a/include/dice/boringssl_ops.h
+++ b/include/dice/boringssl_ops.h
@@ -35,8 +35,8 @@
DiceResult DiceBsslGenerateCertificateOp(
const DiceOps* ops,
- const uint8_t subject_private_key[DICE_PRIVATE_KEY_SIZE],
- const uint8_t authority_private_key[DICE_PRIVATE_KEY_SIZE],
+ const uint8_t subject_private_key_seed[DICE_PRIVATE_KEY_SEED_SIZE],
+ const uint8_t authority_private_key_seed[DICE_PRIVATE_KEY_SEED_SIZE],
const DiceInputValues* input_values, size_t certificate_buffer_size,
uint8_t* certificate, size_t* certificate_actual_size);
diff --git a/include/dice/cbor_cert_op.h b/include/dice/cbor_cert_op.h
index c87dac0..bc5b28c 100644
--- a/include/dice/cbor_cert_op.h
+++ b/include/dice/cbor_cert_op.h
@@ -26,8 +26,8 @@
// ED25519-SHA512 signature scheme.
DiceResult DiceGenerateCborCertificateOp(
const DiceOps* ops,
- const uint8_t subject_private_key[DICE_PRIVATE_KEY_SIZE],
- const uint8_t authority_private_key[DICE_PRIVATE_KEY_SIZE],
+ const uint8_t subject_private_key_seed[DICE_PRIVATE_KEY_SEED_SIZE],
+ const uint8_t authority_private_key_seed[DICE_PRIVATE_KEY_SEED_SIZE],
const DiceInputValues* input_values, size_t certificate_buffer_size,
uint8_t* certificate, size_t* certificate_actual_size);
diff --git a/include/dice/dice.h b/include/dice/dice.h
index 3565571..ede56d2 100644
--- a/include/dice/dice.h
+++ b/include/dice/dice.h
@@ -26,7 +26,7 @@
#define DICE_HASH_SIZE 64
#define DICE_HIDDEN_SIZE 64
#define DICE_INLINE_CONFIG_SIZE 64
-#define DICE_PRIVATE_KEY_SIZE 32
+#define DICE_PRIVATE_KEY_SEED_SIZE 32
typedef enum {
kDiceResultOk,
@@ -115,14 +115,14 @@
const uint8_t* info, size_t info_size, uint8_t* output);
// Generates an X.509 certificate, or an alternative certificate format, from
- // the given |subject_private_key| and |input_values|, and signed by
- // |authority_private_key|. The subject private key is supplied here so the
- // implementation can choose between asymmetric mechanisms, for example ECDSA
- // vs Ed25519.
+ // the given |subject_private_key_seed| and |input_values|, and signed by
+ // |authority_private_key_seed|. The subject private key seed is supplied
+ // here so the implementation can choose between asymmetric mechanisms, for
+ // example ECDSA vs Ed25519.
DiceResult (*generate_certificate)(
const DiceOps* ops,
- const uint8_t subject_private_key[DICE_PRIVATE_KEY_SIZE],
- const uint8_t authority_private_key[DICE_PRIVATE_KEY_SIZE],
+ const uint8_t subject_private_key_seed[DICE_PRIVATE_KEY_SEED_SIZE],
+ const uint8_t authority_private_key_seed[DICE_PRIVATE_KEY_SEED_SIZE],
const DiceInputValues* input_values, size_t certificate_buffer_size,
uint8_t* certificate, size_t* certificate_actual_size);
@@ -133,12 +133,12 @@
void (*clear_memory)(const DiceOps* ops, size_t size, void* address);
};
-// Derives a |cdi_private_key| from a |cdi_attest| value. On success populates
-// |cdi_private_key| and returns kDiceResultOk. Note: of the provided |ops|,
-// only 'kdf' is called.
-DiceResult DiceDeriveCdiPrivateKey(
+// Derives a |cdi_private_key_seed| from a |cdi_attest| value. On success
+// populates |cdi_private_key_seed| and returns kDiceResultOk. Note: of the
+// provided |ops|, only 'kdf' is called.
+DiceResult DiceDeriveCdiPrivateKeySeed(
const DiceOps* ops, const uint8_t cdi_attest[DICE_CDI_SIZE],
- uint8_t cdi_private_key[DICE_PRIVATE_KEY_SIZE]);
+ uint8_t cdi_private_key_seed[DICE_PRIVATE_KEY_SEED_SIZE]);
// Derives an |id| from a |cdi_public_key| value. Because public keys can vary
// in length depending on the algorithm, the |cdi_public_key_size| in bytes must
diff --git a/include/dice/mbedtls_ops.h b/include/dice/mbedtls_ops.h
index 783cd3e..3b71ab6 100644
--- a/include/dice/mbedtls_ops.h
+++ b/include/dice/mbedtls_ops.h
@@ -36,8 +36,8 @@
DiceResult DiceMbedtlsGenerateCertificateOp(
const DiceOps* ops,
- const uint8_t subject_private_key[DICE_PRIVATE_KEY_SIZE],
- const uint8_t authority_private_key[DICE_PRIVATE_KEY_SIZE],
+ const uint8_t subject_private_key_seed[DICE_PRIVATE_KEY_SEED_SIZE],
+ const uint8_t authority_private_key_seed[DICE_PRIVATE_KEY_SEED_SIZE],
const DiceInputValues* input_values, size_t certificate_buffer_size,
uint8_t* certificate, size_t* certificate_actual_size);
diff --git a/include/dice/template_cbor_cert_op.h b/include/dice/template_cbor_cert_op.h
index 0797024..c756701 100644
--- a/include/dice/template_cbor_cert_op.h
+++ b/include/dice/template_cbor_cert_op.h
@@ -40,8 +40,8 @@
// * config_type must be kDiceConfigTypeInline
DiceResult DiceGenerateCborCertificateFromTemplateOp(
const DiceOps* ops,
- const uint8_t subject_private_key[DICE_PRIVATE_KEY_SIZE],
- const uint8_t authority_private_key[DICE_PRIVATE_KEY_SIZE],
+ const uint8_t subject_private_key_seed[DICE_PRIVATE_KEY_SEED_SIZE],
+ const uint8_t authority_private_key_seed[DICE_PRIVATE_KEY_SEED_SIZE],
const DiceInputValues* input_values, size_t certificate_buffer_size,
uint8_t* certificate, size_t* certificate_actual_size);
diff --git a/include/dice/template_cert_op.h b/include/dice/template_cert_op.h
index 53a2930..da668f1 100644
--- a/include/dice/template_cert_op.h
+++ b/include/dice/template_cert_op.h
@@ -40,8 +40,8 @@
// * config_type must be kDiceConfigTypeInline
DiceResult DiceGenerateCertificateFromTemplateOp(
const DiceOps* ops,
- const uint8_t subject_private_key[DICE_PRIVATE_KEY_SIZE],
- const uint8_t authority_private_key[DICE_PRIVATE_KEY_SIZE],
+ const uint8_t subject_private_key_seed[DICE_PRIVATE_KEY_SEED_SIZE],
+ const uint8_t authority_private_key_seed[DICE_PRIVATE_KEY_SEED_SIZE],
const DiceInputValues* input_values, size_t certificate_buffer_size,
uint8_t* certificate, size_t* certificate_actual_size);
diff --git a/src/boringssl_cert_op.c b/src/boringssl_cert_op.c
index 4d75b22..cfac488 100644
--- a/src/boringssl_cert_op.c
+++ b/src/boringssl_cert_op.c
@@ -505,8 +505,8 @@
DiceResult DiceBsslGenerateCertificateOp(
const DiceOps* ops,
- const uint8_t subject_private_key[DICE_PRIVATE_KEY_SIZE],
- const uint8_t authority_private_key[DICE_PRIVATE_KEY_SIZE],
+ const uint8_t subject_private_key_seed[DICE_PRIVATE_KEY_SEED_SIZE],
+ const uint8_t authority_private_key_seed[DICE_PRIVATE_KEY_SEED_SIZE],
const DiceInputValues* input_values, size_t certificate_buffer_size,
uint8_t* certificate, size_t* certificate_actual_size) {
DiceResult result = kDiceResultOk;
@@ -521,14 +521,16 @@
result = kDiceResultPlatformError;
goto out;
}
- authority_key = EVP_PKEY_new_raw_private_key(
- EVP_PKEY_ED25519, NULL, authority_private_key, DICE_PRIVATE_KEY_SIZE);
+ authority_key = EVP_PKEY_new_raw_private_key(EVP_PKEY_ED25519, NULL,
+ authority_private_key_seed,
+ DICE_PRIVATE_KEY_SEED_SIZE);
if (!authority_key) {
result = kDiceResultPlatformError;
goto out;
}
- subject_key = EVP_PKEY_new_raw_private_key(
- EVP_PKEY_ED25519, NULL, subject_private_key, DICE_PRIVATE_KEY_SIZE);
+ subject_key = EVP_PKEY_new_raw_private_key(EVP_PKEY_ED25519, NULL,
+ subject_private_key_seed,
+ DICE_PRIVATE_KEY_SEED_SIZE);
if (!subject_key) {
result = kDiceResultPlatformError;
goto out;
diff --git a/src/cbor_cert_op.c b/src/cbor_cert_op.c
index ab811e0..ac20f68 100644
--- a/src/cbor_cert_op.c
+++ b/src/cbor_cert_op.c
@@ -264,8 +264,8 @@
DiceResult DiceGenerateCborCertificateOp(
const DiceOps* ops,
- const uint8_t subject_private_key[DICE_PRIVATE_KEY_SIZE],
- const uint8_t authority_private_key[DICE_PRIVATE_KEY_SIZE],
+ const uint8_t subject_private_key_seed[DICE_PRIVATE_KEY_SEED_SIZE],
+ const uint8_t authority_private_key_seed[DICE_PRIVATE_KEY_SEED_SIZE],
const DiceInputValues* input_values, size_t certificate_buffer_size,
uint8_t* certificate, size_t* certificate_actual_size) {
DiceResult result = kDiceResultOk;
@@ -285,11 +285,10 @@
uint8_t payload[kMaxCertificateSize];
uint8_t protected_attributes[kMaxProtectedAttributesSize];
- // Derive public keys and IDs from the private keys. Note: the Boringssl
- // implementation refers to the raw private key as a seed.
+ // Derive keys and IDs from the private key seeds.
uint8_t subject_public_key[32];
ED25519_keypair_from_seed(subject_public_key, subject_bssl_private_key,
- subject_private_key);
+ subject_private_key_seed);
uint8_t subject_id[20];
result = DiceDeriveCdiCertificateId(ops, subject_public_key, 32, subject_id);
@@ -303,7 +302,7 @@
uint8_t authority_public_key[32];
ED25519_keypair_from_seed(authority_public_key, authority_bssl_private_key,
- authority_private_key);
+ authority_private_key_seed);
uint8_t authority_id[20];
result =
diff --git a/src/dice.c b/src/dice.c
index 2c7d8a6..23548e9 100644
--- a/src/dice.c
+++ b/src/dice.c
@@ -34,14 +34,14 @@
0x1D, 0xB9, 0x52, 0x0B, 0xA5, 0x1C, 0x7B, 0x29, 0xEA};
static const size_t kIdSaltSize = 64;
-DiceResult DiceDeriveCdiPrivateKey(
+DiceResult DiceDeriveCdiPrivateKeySeed(
const DiceOps* ops, const uint8_t cdi_attest[DICE_CDI_SIZE],
- uint8_t cdi_private_key[DICE_PRIVATE_KEY_SIZE]) {
+ uint8_t cdi_private_key_seed[DICE_PRIVATE_KEY_SEED_SIZE]) {
// Use the CDI as input key material, with fixed salt and info.
- return ops->kdf(ops, /*length=*/DICE_PRIVATE_KEY_SIZE, cdi_attest,
+ return ops->kdf(ops, /*length=*/DICE_PRIVATE_KEY_SEED_SIZE, cdi_attest,
/*ikm_size=*/DICE_CDI_SIZE, kAsymSalt, kAsymSaltSize,
/*info=*/(const uint8_t*)"Key Pair", /*info_size=*/8,
- cdi_private_key);
+ cdi_private_key_seed);
}
DiceResult DiceDeriveCdiCertificateId(const DiceOps* ops,
@@ -93,8 +93,8 @@
kHiddenSize];
uint8_t attest_input_hash[DICE_HASH_SIZE];
uint8_t seal_input_hash[DICE_HASH_SIZE];
- uint8_t current_cdi_private_key[DICE_PRIVATE_KEY_SIZE];
- uint8_t next_cdi_private_key[DICE_PRIVATE_KEY_SIZE];
+ uint8_t current_cdi_private_key_seed[DICE_PRIVATE_KEY_SEED_SIZE];
+ uint8_t next_cdi_private_key_seed[DICE_PRIVATE_KEY_SEED_SIZE];
// Assemble the input buffer.
memcpy(&input_buffer[kCodeOffset], input_values->code_hash, kCodeSize);
@@ -149,22 +149,23 @@
goto out;
}
- // Derive asymmetric private keys from the attestation CDI values.
- result =
- DiceDeriveCdiPrivateKey(ops, current_cdi_attest, current_cdi_private_key);
+ // Derive asymmetric private key seeds from the attestation CDI values.
+ result = DiceDeriveCdiPrivateKeySeed(ops, current_cdi_attest,
+ current_cdi_private_key_seed);
if (result != kDiceResultOk) {
goto out;
}
- result = DiceDeriveCdiPrivateKey(ops, next_cdi_attest, next_cdi_private_key);
+ result = DiceDeriveCdiPrivateKeySeed(ops, next_cdi_attest,
+ next_cdi_private_key_seed);
if (result != kDiceResultOk) {
goto out;
}
- // Generate a certificate for |next_cdi_private_key| with
- // |current_cdi_private_key| as the authority.
+ // Generate a certificate for |next_cdi_private_key_seed| with
+ // |current_cdi_private_key_seed| as the authority.
result = ops->generate_certificate(
- ops, next_cdi_private_key, current_cdi_private_key, input_values,
- next_cdi_certificate_buffer_size, next_cdi_certificate,
+ ops, next_cdi_private_key_seed, current_cdi_private_key_seed,
+ input_values, next_cdi_certificate_buffer_size, next_cdi_certificate,
next_cdi_certificate_actual_size);
if (result != kDiceResultOk) {
goto out;
@@ -174,8 +175,9 @@
ops->clear_memory(ops, sizeof(input_buffer), input_buffer);
ops->clear_memory(ops, sizeof(attest_input_hash), attest_input_hash);
ops->clear_memory(ops, sizeof(seal_input_hash), seal_input_hash);
- ops->clear_memory(ops, sizeof(current_cdi_private_key),
- current_cdi_private_key);
- ops->clear_memory(ops, sizeof(next_cdi_private_key), next_cdi_private_key);
+ ops->clear_memory(ops, sizeof(current_cdi_private_key_seed),
+ current_cdi_private_key_seed);
+ ops->clear_memory(ops, sizeof(next_cdi_private_key_seed),
+ next_cdi_private_key_seed);
return result;
}
diff --git a/src/dice_standalone_main.c b/src/dice_standalone_main.c
index 5d68b9e..caa4814 100644
--- a/src/dice_standalone_main.c
+++ b/src/dice_standalone_main.c
@@ -43,13 +43,13 @@
DiceResult FakeCertificate(
const DiceOps* ops,
- const uint8_t subject_private_key[DICE_PRIVATE_KEY_SIZE],
- const uint8_t authority_private_key[DICE_PRIVATE_KEY_SIZE],
+ const uint8_t subject_private_key_seed[DICE_PRIVATE_KEY_SEED_SIZE],
+ const uint8_t authority_private_key_seed[DICE_PRIVATE_KEY_SEED_SIZE],
const DiceInputValues* input_values, size_t certificate_buffer_size,
uint8_t* certificate, size_t* certificate_actual_size) {
(void)ops;
- (void)subject_private_key;
- (void)authority_private_key;
+ (void)subject_private_key_seed;
+ (void)authority_private_key_seed;
(void)input_values;
(void)certificate_buffer_size;
(void)certificate;
diff --git a/src/dice_test.cc b/src/dice_test.cc
index e0e7965..ff4edf0 100644
--- a/src/dice_test.cc
+++ b/src/dice_test.cc
@@ -34,8 +34,8 @@
DiceResult FakeGenerateCertificate(
const DiceOps* ops,
- const uint8_t subject_private_key[DICE_PRIVATE_KEY_SIZE],
- const uint8_t authority_private_key[DICE_PRIVATE_KEY_SIZE],
+ const uint8_t subject_private_key_seed[DICE_PRIVATE_KEY_SEED_SIZE],
+ const uint8_t authority_private_key_seed[DICE_PRIVATE_KEY_SEED_SIZE],
const DiceInputValues* input_values, size_t certificate_buffer_size,
uint8_t* certificate, size_t* certificate_actual_size);
} // extern "C"
@@ -66,13 +66,13 @@
// DiceOps calls to |generate_certificate| forward here.
DiceResult GenerateCertificate(
- const uint8_t subject_private_key[DICE_PRIVATE_KEY_SIZE],
- const uint8_t authority_private_key[DICE_PRIVATE_KEY_SIZE],
+ const uint8_t subject_private_key_seed[DICE_PRIVATE_KEY_SEED_SIZE],
+ const uint8_t authority_private_key_seed[DICE_PRIVATE_KEY_SEED_SIZE],
const DiceInputValues* input_values, size_t certificate_buffer_size,
uint8_t* certificate, size_t* certificate_actual_size) {
const uint8_t kFakeCert[kFakeCertSize] = {};
- (void)subject_private_key;
- (void)authority_private_key;
+ (void)subject_private_key_seed;
+ (void)authority_private_key_seed;
(void)input_values;
generate_certificate_count_++;
if (certificate_buffer_size < kFakeCertSize) {
@@ -118,14 +118,14 @@
DiceResult FakeGenerateCertificate(
const DiceOps* ops,
- const uint8_t subject_private_key[DICE_PRIVATE_KEY_SIZE],
- const uint8_t authority_private_key[DICE_PRIVATE_KEY_SIZE],
+ const uint8_t subject_private_key_seed[DICE_PRIVATE_KEY_SEED_SIZE],
+ const uint8_t authority_private_key_seed[DICE_PRIVATE_KEY_SEED_SIZE],
const DiceInputValues* input_values, size_t certificate_buffer_size,
uint8_t* certificate, size_t* certificate_actual_size) {
return reinterpret_cast<FakeDiceOps*>(ops->context)
- ->GenerateCertificate(subject_private_key, authority_private_key,
- input_values, certificate_buffer_size, certificate,
- certificate_actual_size);
+ ->GenerateCertificate(
+ subject_private_key_seed, authority_private_key_seed, input_values,
+ certificate_buffer_size, certificate, certificate_actual_size);
}
struct DiceStateForTest {
diff --git a/src/mbedtls_ops.c b/src/mbedtls_ops.c
index 0d2a3c2..a8e3151 100644
--- a/src/mbedtls_ops.c
+++ b/src/mbedtls_ops.c
@@ -36,21 +36,22 @@
static const size_t kMaxExtensionSize = 2048;
static const size_t kMaxKeyIdSize = 40;
-static DiceResult SetupKeyPair(const uint8_t private_key[DICE_PRIVATE_KEY_SIZE],
- mbedtls_pk_context* context) {
+static DiceResult SetupKeyPair(
+ const uint8_t private_key_seed[DICE_PRIVATE_KEY_SEED_SIZE],
+ mbedtls_pk_context* context) {
if (0 !=
mbedtls_pk_setup(context, mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY))) {
return kDiceResultPlatformError;
}
- // Don't use the |private_key| directly, it may not be suitable. Rather use it
- // to seed a PRNG which is then in turn used to generate the private key. This
- // implementation uses HMAC_DRBG in a loop with no reduction, like RFC6979.
+ // Use the |private_key_seed| directly to seed a PRNG which is then in turn
+ // used to generate the private key. This implementation uses HMAC_DRBG in a
+ // loop with no reduction, like RFC6979.
DiceResult result = kDiceResultOk;
mbedtls_hmac_drbg_context rng_context;
mbedtls_hmac_drbg_init(&rng_context);
if (0 != mbedtls_hmac_drbg_seed_buf(
&rng_context, mbedtls_md_info_from_type(MBEDTLS_MD_SHA512),
- private_key, DICE_PRIVATE_KEY_SIZE)) {
+ private_key_seed, DICE_PRIVATE_KEY_SEED_SIZE)) {
result = kDiceResultPlatformError;
goto out;
}
@@ -293,8 +294,8 @@
DiceResult DiceMbedtlsGenerateCertificateOp(
const DiceOps* ops,
- const uint8_t subject_private_key[DICE_PRIVATE_KEY_SIZE],
- const uint8_t authority_private_key[DICE_PRIVATE_KEY_SIZE],
+ const uint8_t subject_private_key_seed[DICE_PRIVATE_KEY_SEED_SIZE],
+ const uint8_t authority_private_key_seed[DICE_PRIVATE_KEY_SEED_SIZE],
const DiceInputValues* input_values, size_t certificate_buffer_size,
uint8_t* certificate, size_t* certificate_actual_size) {
// 1.3.6.1.4.1.11129.2.1.24
@@ -324,7 +325,7 @@
uint8_t tmp_buffer[kMaxCertificateSize];
// Derive key pairs and IDs.
- result = SetupKeyPair(authority_private_key, &authority_key_context);
+ result = SetupKeyPair(authority_private_key_seed, &authority_key_context);
if (result != kDiceResultOk) {
goto out;
}
@@ -344,7 +345,7 @@
if (result != kDiceResultOk) {
goto out;
}
- result = SetupKeyPair(subject_private_key, &subject_key_context);
+ result = SetupKeyPair(subject_private_key_seed, &subject_key_context);
if (result != kDiceResultOk) {
goto out;
}
diff --git a/src/template_cbor_cert_op.c b/src/template_cbor_cert_op.c
index cb66aae..7fe9547 100644
--- a/src/template_cbor_cert_op.c
+++ b/src/template_cbor_cert_op.c
@@ -135,8 +135,8 @@
DiceResult DiceGenerateCborCertificateFromTemplateOp(
const DiceOps* ops,
- const uint8_t subject_private_key[DICE_PRIVATE_KEY_SIZE],
- const uint8_t authority_private_key[DICE_PRIVATE_KEY_SIZE],
+ const uint8_t subject_private_key_seed[DICE_PRIVATE_KEY_SEED_SIZE],
+ const uint8_t authority_private_key_seed[DICE_PRIVATE_KEY_SEED_SIZE],
const DiceInputValues* input_values, size_t certificate_buffer_size,
uint8_t* certificate, size_t* certificate_actual_size) {
DiceResult result = kDiceResultOk;
@@ -161,11 +161,10 @@
// These are 'variably modified' types so need to be declared upfront.
uint8_t tbs[kTbsSize];
- // Derive public keys and IDs from the private keys. Note: the Boringssl
- // implementation refers to the raw private key as a seed.
+ // Derive keys and IDs from the private key seeds.
uint8_t subject_public_key[32];
ED25519_keypair_from_seed(subject_public_key, subject_bssl_private_key,
- subject_private_key);
+ subject_private_key_seed);
uint8_t subject_id[20];
result = DiceDeriveCdiCertificateId(ops, subject_public_key, 32, subject_id);
@@ -178,7 +177,7 @@
uint8_t authority_public_key[32];
ED25519_keypair_from_seed(authority_public_key, authority_bssl_private_key,
- authority_private_key);
+ authority_private_key_seed);
uint8_t authority_id[20];
result =
diff --git a/src/template_cert_op.c b/src/template_cert_op.c
index 5ea0cdd..df05578 100644
--- a/src/template_cert_op.c
+++ b/src/template_cert_op.c
@@ -150,8 +150,8 @@
DiceResult DiceGenerateCertificateFromTemplateOp(
const DiceOps* ops,
- const uint8_t subject_private_key[DICE_PRIVATE_KEY_SIZE],
- const uint8_t authority_private_key[DICE_PRIVATE_KEY_SIZE],
+ const uint8_t subject_private_key_seed[DICE_PRIVATE_KEY_SEED_SIZE],
+ const uint8_t authority_private_key_seed[DICE_PRIVATE_KEY_SEED_SIZE],
const DiceInputValues* input_values, size_t certificate_buffer_size,
uint8_t* certificate, size_t* certificate_actual_size) {
DiceResult result = kDiceResultOk;
@@ -173,11 +173,10 @@
uint8_t subject_bssl_private_key[64];
uint8_t authority_bssl_private_key[64];
- // Derive public keys and IDs from the private keys. Note: the Boringssl
- // implementation refers to the raw private key as a seed.
+ // Derive keys and IDs from the private key seeds.
uint8_t subject_public_key[32];
ED25519_keypair_from_seed(subject_public_key, subject_bssl_private_key,
- subject_private_key);
+ subject_private_key_seed);
uint8_t subject_id[20];
result = DiceDeriveCdiCertificateId(ops, subject_public_key, 32, subject_id);
@@ -190,7 +189,7 @@
uint8_t authority_public_key[32];
ED25519_keypair_from_seed(authority_public_key, authority_bssl_private_key,
- authority_private_key);
+ authority_private_key_seed);
uint8_t authority_id[20];
result =
diff --git a/src/test_utils.cc b/src/test_utils.cc
index 373c0fd..07e5f19 100644
--- a/src/test_utils.cc
+++ b/src/test_utils.cc
@@ -159,13 +159,14 @@
HMAC_CTX ctx_;
};
-bssl::UniquePtr<EVP_PKEY> KeyFromRawKey(const uint8_t raw_key[32],
- dice::test::KeyType key_type,
- uint8_t raw_public_key[33],
- size_t* raw_public_key_size) {
+bssl::UniquePtr<EVP_PKEY> KeyFromRawKey(
+ const uint8_t raw_key[DICE_PRIVATE_KEY_SEED_SIZE],
+ dice::test::KeyType key_type, uint8_t raw_public_key[33],
+ size_t* raw_public_key_size) {
if (key_type == dice::test::KeyType_Ed25519) {
- bssl::UniquePtr<EVP_PKEY> key(EVP_PKEY_new_raw_private_key(
- EVP_PKEY_ED25519, /*unused=*/nullptr, raw_key, 32));
+ bssl::UniquePtr<EVP_PKEY> key(
+ EVP_PKEY_new_raw_private_key(EVP_PKEY_ED25519, /*unused=*/nullptr,
+ raw_key, DICE_PRIVATE_KEY_SEED_SIZE));
*raw_public_key_size = 32;
EVP_PKEY_get_raw_public_key(key.get(), raw_public_key, raw_public_key_size);
return key;
@@ -296,10 +297,10 @@
return (1 == X509_verify_cert(x509_store_ctx.get()));
}
-void CreateCborUdsCertificate(const uint8_t private_key[32],
- const uint8_t id[20],
- uint8_t certificate[dice::test::kTestCertSize],
- size_t* certificate_size) {
+void CreateCborUdsCertificate(
+ const uint8_t private_key_seed[DICE_PRIVATE_KEY_SEED_SIZE],
+ const uint8_t id[20], uint8_t certificate[dice::test::kTestCertSize],
+ size_t* certificate_size) {
const uint8_t kProtectedAttributesCbor[3] = {
0xa1 /* map(1) */, 0x01 /* alg(1) */, 0x27 /* EdDSA(-8) */};
const int64_t kCwtIssuerLabel = 1;
@@ -311,7 +312,7 @@
// Public key encoded as a COSE_Key.
uint8_t public_key[32];
uint8_t bssl_private_key[64];
- ED25519_keypair_from_seed(public_key, bssl_private_key, private_key);
+ ED25519_keypair_from_seed(public_key, bssl_private_key, private_key_seed);
cn_cbor_errback error;
ScopedCbor public_key_cbor(cn_cbor_map_create(&error));
// kty = okp
@@ -618,8 +619,8 @@
CertificateType cert_type, KeyType key_type,
uint8_t certificate[kTestCertSize],
size_t* certificate_size) {
- uint8_t raw_key[32];
- DiceDeriveCdiPrivateKey(&ops, uds, raw_key);
+ uint8_t raw_key[DICE_PRIVATE_KEY_SEED_SIZE];
+ DiceDeriveCdiPrivateKeySeed(&ops, uds, raw_key);
uint8_t raw_public_key[33];
size_t raw_public_key_size = 0;