blob: 7e403b9a6d0f5190b6df6c863eea4799060f6ada [file] [log] [blame]
// Copyright 2020 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License"); you may not
// use this file except in compliance with the License. You may obtain a copy of
// the License at
//
// https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
// WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
// License for the specific language governing permissions and limitations under
// the License.
#ifndef DICE_TEST_UTILS_H_
#define DICE_TEST_UTILS_H_
#include <stddef.h>
#include <stdint.h>
#include "dice/dice.h"
namespace dice {
namespace test {
constexpr size_t kTestCertSize = 2048;
enum CertificateType {
CertificateType_X509,
CertificateType_Cbor,
};
enum KeyType {
KeyType_Ed25519,
KeyType_P256,
KeyType_P384,
};
struct DiceStateForTest {
uint8_t cdi_attest[DICE_CDI_SIZE];
uint8_t cdi_seal[DICE_CDI_SIZE];
uint8_t certificate[kTestCertSize];
size_t certificate_size;
};
// Dumps |state| to a set of files in the current directory with the given
// |suffix|.
void DumpState(CertificateType cert_type, KeyType key_type, const char* suffix,
const DiceStateForTest& state);
// Deterministically derives |length| bytes from |seed|.
void DeriveFakeInputValue(const char* seed, size_t length, uint8_t* output);
// Generates a self-signed X.509 UDS certificate for the given |uds| value. The
// signature scheme is ED25519-SHA512.
void CreateFakeUdsCertificate(void* context, const uint8_t uds[32],
CertificateType cert_type, KeyType key_type,
uint8_t certificate[kTestCertSize],
size_t* certificate_size);
// Verify that a single CDI certificate is properly signed with the given key
// and contains the expected payload.
bool VerifyCoseSign1(const uint8_t* certificate, size_t certificate_size,
const uint8_t* external_aad, size_t external_aad_size,
const uint8_t* encoded_public_key,
size_t encoded_public_key_size,
const uint8_t* expected_payload,
size_t expected_payload_size);
// Verifies a chain of CDI certificates given by |states| against
// |root_certificate|. If |is_partial_chain| is set, then root_certificate does
// not need to be self signed. For X.509 certificate chains, only the standard
// certificate fields and extensions are checked, other custom extensions are
// ignored even if marked critical. For this reason, additional tests are needed
// to fully verify a certificate chain, this is just useful for checking that a
// chain is correctly constructed in terms of standard fields. Similarly for
// CBOR certificate chains the chaining construction is verified but the content
// of other fields is ignored.
bool VerifyCertificateChain(CertificateType cert_type,
const uint8_t* root_certificate,
size_t root_certificate_size,
const DiceStateForTest states[],
size_t num_dice_states, bool is_partial_chain);
} // namespace test
} // namespace dice
#endif // DICE_TEST_UTILS_