Separate Ed25519 build targets
This is in preparation to support P-384.
Change-Id: Id4f9638d4176282e276ffb4b14ae6c64a4212ea2
Reviewed-on: https://pigweed-review.googlesource.com/c/open-dice/+/126681
Reviewed-by: Andrew Scull <ascull@google.com>
Commit-Queue: Atul Luykx <aluykx@google.com>
diff --git a/BUILD.gn b/BUILD.gn
index 602a15a..2044cb2 100644
--- a/BUILD.gn
+++ b/BUILD.gn
@@ -55,7 +55,7 @@
include_dirs = [ "//include/dice/config/boringssl_ed25519" ]
}
-pw_static_library("dice_with_boringssl_ops") {
+pw_static_library("dice_with_boringssl_ed25519_ops") {
public = [
"include/dice/dice.h",
"include/dice/utils.h",
@@ -92,7 +92,7 @@
all_dependent_configs = [ ":mbedtls_ops_config" ]
}
-pw_static_library("dice_with_cbor_cert") {
+pw_static_library("dice_with_cbor_ed25519_cert") {
public = [
"include/dice/dice.h",
"include/dice/utils.h",
@@ -101,6 +101,7 @@
"src/boringssl_ed25519_ops.c",
"src/boringssl_hash_kdf_ops.c",
"src/cbor_cert_op.c",
+ "src/cbor_ed25519_cert_op.c",
"src/clear_memory.c",
"src/dice.c",
"src/utils.c",
@@ -112,7 +113,7 @@
all_dependent_configs = [ ":boringssl_ed25519_ops_config" ]
}
-pw_static_library("dice_with_cbor_template_cert") {
+pw_static_library("dice_with_cbor_template_ed25519_cert") {
public = [
"include/dice/dice.h",
"include/dice/utils.h",
@@ -178,22 +179,22 @@
]
}
-pw_test("boringssl_ops_test") {
+pw_test("boringssl_ed25519_ops_test") {
sources = [
- "src/boringssl_ops_test.cc",
+ "src/boringssl_ed25519_ops_test.cc",
"src/test_utils.cc",
]
deps = [
- ":dice_with_boringssl_ops",
+ ":dice_with_boringssl_ed25519_ops",
"$dir_pw_string:pw_string",
"//third_party/boringssl:crypto",
- "//third_party/cose-c:cose-c",
+ "//third_party/cose-c:cose-c_ed25519",
]
}
-pw_executable("boringssl_ops_fuzzer") {
+pw_executable("boringssl_ed25519_ops_fuzzer") {
deps = [
- ":dice_with_boringssl_ops",
+ ":dice_with_boringssl_ed25519_ops",
":fuzzer",
]
}
@@ -207,7 +208,7 @@
":dice_with_x509_template_cert",
"$dir_pw_string:pw_string",
"//third_party/boringssl:crypto",
- "//third_party/cose-c:cose-c",
+ "//third_party/cose-c:cose-c_ed25519",
]
}
@@ -218,42 +219,42 @@
]
}
-pw_test("cbor_cert_op_test") {
+pw_test("cbor_ed25519_cert_op_test") {
sources = [
"src/cbor_cert_op_test.cc",
"src/test_utils.cc",
]
deps = [
- ":dice_with_cbor_cert",
+ ":dice_with_cbor_ed25519_cert",
"$dir_pw_string:pw_string",
"//third_party/boringssl:crypto",
- "//third_party/cose-c:cose-c",
+ "//third_party/cose-c:cose-c_ed25519",
]
}
-pw_executable("cbor_cert_op_fuzzer") {
+pw_executable("cbor_ed25519_cert_op_fuzzer") {
deps = [
- ":dice_with_cbor_cert",
+ ":dice_with_cbor_ed25519_cert",
":fuzzer",
]
}
-pw_test("template_cbor_cert_op_test") {
+pw_test("template_cbor_ed25519_cert_op_test") {
sources = [
"src/template_cbor_cert_op_test.cc",
"src/test_utils.cc",
]
deps = [
- ":dice_with_cbor_template_cert",
+ ":dice_with_cbor_template_ed25519_cert",
"$dir_pw_string:pw_string",
"//third_party/boringssl:crypto",
- "//third_party/cose-c:cose-c",
+ "//third_party/cose-c:cose-c_ed25519",
]
}
-pw_executable("template_cbor_cert_op_fuzzer") {
+pw_executable("template_cbor_ed25519_cert_op_fuzzer") {
deps = [
- ":dice_with_cbor_template_cert",
+ ":dice_with_cbor_template_ed25519_cert",
":fuzzer",
]
}
@@ -267,7 +268,7 @@
":dice_with_mbedtls_ops",
"$dir_pw_string:pw_string",
"//third_party/boringssl:crypto",
- "//third_party/cose-c:cose-c",
+ "//third_party/cose-c:cose-c_ed25519",
]
}
@@ -280,13 +281,13 @@
pw_test_group("tests") {
tests = [
- ":boringssl_ops_test",
- ":cbor_cert_op_test",
+ ":boringssl_ed25519_ops_test",
+ ":cbor_ed25519_cert_op_test",
":cbor_reader_test",
":cbor_writer_test",
":dice_test",
":mbedtls_ops_test",
- ":template_cbor_cert_op_test",
+ ":template_cbor_ed25519_cert_op_test",
":template_cert_op_test",
"//src/android:bcc_test",
]
@@ -294,12 +295,12 @@
group("fuzzers") {
deps = [
- ":boringssl_ops_fuzzer",
- ":cbor_cert_op_fuzzer",
+ ":boringssl_ed25519_ops_fuzzer",
+ ":cbor_ed25519_cert_op_fuzzer",
":cbor_reader_fuzzer",
":cbor_writer_fuzzer",
":mbedtls_ops_fuzzer",
- ":template_cbor_cert_op_fuzzer",
+ ":template_cbor_ed25519_cert_op_fuzzer",
":template_cert_op_fuzzer",
"//src/android:bcc_fuzzer",
]
@@ -321,10 +322,10 @@
sources = [ "src/dice_main.c" ]
}
-pw_executable("dice_with_boringssl_ops_main") {
+pw_executable("dice_with_boringssl_ed25519_ops_main") {
deps = [
":dice_main",
- ":dice_with_boringssl_ops",
+ ":dice_with_boringssl_ed25519_ops",
]
}
@@ -338,14 +339,14 @@
pw_executable("dice_with_cbor_cert_main") {
deps = [
":dice_main",
- ":dice_with_cbor_cert",
+ ":dice_with_cbor_ed25519_cert",
]
}
-pw_executable("dice_with_cbor_template_cert_main") {
+pw_executable("dice_with_cbor_template_ed25519_cert_main") {
deps = [
":dice_main",
- ":dice_with_cbor_template_cert",
+ ":dice_with_cbor_template_ed25519_cert",
]
}
@@ -365,8 +366,8 @@
label = "DiceMainFlow only (No Ops)"
},
{
- target = ":dice_with_boringssl_ops_main"
- label = "Boringssl Ops"
+ target = ":dice_with_boringssl_ed25519_ops_main"
+ label = "Boringssl Ed25519 Ops"
base = ":dice_standalone_main"
},
{
@@ -377,17 +378,17 @@
{
target = ":dice_with_cbor_cert_main"
label = "Boringssl with CBOR Cert"
- base = ":dice_with_boringssl_ops_main"
+ base = ":dice_with_boringssl_ed25519_ops_main"
},
{
- target = ":dice_with_cbor_template_cert_main"
- label = "Boringssl with CBOR Template Cert"
- base = ":dice_with_boringssl_ops_main"
+ target = ":dice_with_cbor_template_ed25519_cert_main"
+ label = "Boringssl with CBOR Template Ed25519 Cert"
+ base = ":dice_with_boringssl_ed25519_ops_main"
},
{
target = ":dice_with_x509_template_cert_main"
label = "Boringssl with X.509 Template Cert"
- base = ":dice_with_boringssl_ops_main"
+ base = ":dice_with_boringssl_ed25519_ops_main"
},
]
}
@@ -401,7 +402,7 @@
label = "DICE Standalone (No Ops)"
},
{
- target = ":dice_with_boringssl_ops"
+ target = ":dice_with_boringssl_ed25519_ops"
label = "Boringssl Ops"
base = ":dice_standalone"
},
@@ -411,12 +412,12 @@
base = ":dice_standalone"
},
{
- target = ":dice_with_cbor_cert"
+ target = ":dice_with_cbor_ed25519_cert"
label = "CBOR Cert"
base = ":dice_standalone"
},
{
- target = ":dice_with_cbor_template_cert"
+ target = ":dice_with_cbor_template_ed25519_cert"
label = "CBOR Template Cert"
base = ":dice_standalone"
},
@@ -431,9 +432,9 @@
group("optimized_libs") {
deps = [
":dice_standalone",
- ":dice_with_boringssl_ops",
- ":dice_with_cbor_cert",
- ":dice_with_cbor_template_cert",
+ ":dice_with_boringssl_ed25519_ops",
+ ":dice_with_cbor_ed25519_cert",
+ ":dice_with_cbor_template_ed25519_cert",
":dice_with_mbedtls_ops",
":dice_with_x509_template_cert",
":executable_size_report",
diff --git a/include/dice/config/boringssl_ed25519/dice/config.h b/include/dice/config/boringssl_ed25519/dice/config.h
index 583ac68..02097c4 100644
--- a/include/dice/config/boringssl_ed25519/dice/config.h
+++ b/include/dice/config/boringssl_ed25519/dice/config.h
@@ -16,6 +16,8 @@
#define DICE_CONFIG_H_
// Ed25519
+// COSE Key alg value from Table 2 of RFC9053
+#define DICE_COSE_KEY_ALG_VALUE (-8)
#define DICE_PUBLIC_KEY_SIZE 32
#define DICE_PRIVATE_KEY_SIZE 64
#define DICE_SIGNATURE_SIZE 64
diff --git a/src/android/BUILD.gn b/src/android/BUILD.gn
index f159fbe..b9b9574 100644
--- a/src/android/BUILD.gn
+++ b/src/android/BUILD.gn
@@ -21,7 +21,7 @@
deps = [
"//:cbor_reader",
"//:cbor_writer",
- "//:dice_with_cbor_cert",
+ "//:dice_with_cbor_ed25519_cert",
]
}
diff --git a/src/boringssl_ops_test.cc b/src/boringssl_ed25519_ops_test.cc
similarity index 100%
rename from src/boringssl_ops_test.cc
rename to src/boringssl_ed25519_ops_test.cc
diff --git a/src/cbor_cert_op.c b/src/cbor_cert_op.c
index 8006294..5df1583 100644
--- a/src/cbor_cert_op.c
+++ b/src/cbor_cert_op.c
@@ -13,7 +13,8 @@
// the License.
// This is a DiceGenerateCertificate implementation that generates a CWT-style
-// CBOR certificate using the ED25519-SHA512 signature scheme.
+// CBOR certificate. The function DiceCoseEncodePublicKey depends on the
+// signature algorithm type, and must be implemented elsewhere.
#include <stddef.h>
#include <stdint.h>
@@ -25,74 +26,24 @@
#include "dice/ops/trait/cose.h"
#include "dice/utils.h"
-#if DICE_PUBLIC_KEY_SIZE != 32
-#error "Only Ed25519 is supported; 32 bytes needed to store the public key."
-#endif
-#if DICE_SIGNATURE_SIZE != 64
-#error "Only Ed25519 is supported; 64 bytes needed to store the signature."
-#endif
-
// Max size of COSE_Sign1 including payload.
#define DICE_MAX_CERTIFICATE_SIZE 2048
// Max size of COSE_Key encoding.
-#define DICE_MAX_PUBLIC_KEY_SIZE 64
+#define DICE_MAX_PUBLIC_KEY_SIZE (DICE_PUBLIC_KEY_SIZE + 32)
// Max size of the COSE_Sign1 protected attributes.
#define DICE_MAX_PROTECTED_ATTRIBUTES_SIZE 16
-DiceResult DiceCoseEncodePublicKey(
- void* context_not_used, const uint8_t public_key[DICE_PUBLIC_KEY_SIZE],
- size_t buffer_size, uint8_t* buffer, size_t* encoded_size) {
- (void)context_not_used;
-
- // Constants per RFC 8152.
- const int64_t kCoseKeyKtyLabel = 1;
- const int64_t kCoseKeyAlgLabel = 3;
- const int64_t kCoseKeyOpsLabel = 4;
- const int64_t kCoseOkpCrvLabel = -1;
- const int64_t kCoseOkpXLabel = -2;
- const int64_t kCoseKeyTypeOkp = 1;
- const int64_t kCoseAlgEdDSA = -8;
- const int64_t kCoseKeyOpsVerify = 2;
- const int64_t kCoseCrvEd25519 = 6;
-
- struct CborOut out;
- CborOutInit(buffer, buffer_size, &out);
- CborWriteMap(/*num_pairs=*/5, &out);
- // Add the key type.
- CborWriteInt(kCoseKeyKtyLabel, &out);
- CborWriteInt(kCoseKeyTypeOkp, &out);
- // Add the algorithm.
- CborWriteInt(kCoseKeyAlgLabel, &out);
- CborWriteInt(kCoseAlgEdDSA, &out);
- // Add the KeyOps.
- CborWriteInt(kCoseKeyOpsLabel, &out);
- CborWriteArray(/*num_elements=*/1, &out);
- CborWriteInt(kCoseKeyOpsVerify, &out);
- // Add the curve.
- CborWriteInt(kCoseOkpCrvLabel, &out);
- CborWriteInt(kCoseCrvEd25519, &out);
- // Add the public key.
- CborWriteInt(kCoseOkpXLabel, &out);
- CborWriteBstr(/*data_size=*/DICE_PUBLIC_KEY_SIZE, public_key, &out);
- if (CborOutOverflowed(&out)) {
- return kDiceResultBufferTooSmall;
- }
- *encoded_size = CborOutSize(&out);
- return kDiceResultOk;
-}
-
static DiceResult EncodeProtectedAttributes(size_t buffer_size, uint8_t* buffer,
size_t* encoded_size) {
// Constants per RFC 8152.
const int64_t kCoseHeaderAlgLabel = 1;
- const int64_t kCoseAlgEdDSA = -8;
struct CborOut out;
CborOutInit(buffer, buffer_size, &out);
CborWriteMap(/*num_elements=*/1, &out);
// Add the algorithm.
CborWriteInt(kCoseHeaderAlgLabel, &out);
- CborWriteInt(kCoseAlgEdDSA, &out);
+ CborWriteInt(DICE_COSE_KEY_ALG_VALUE, &out);
if (CborOutOverflowed(&out)) {
return kDiceResultBufferTooSmall;
}
diff --git a/src/cbor_ed25519_cert_op.c b/src/cbor_ed25519_cert_op.c
new file mode 100644
index 0000000..a461ae1
--- /dev/null
+++ b/src/cbor_ed25519_cert_op.c
@@ -0,0 +1,69 @@
+// Copyright 2023 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License"); you may not
+// use this file except in compliance with the License. You may obtain a copy of
+// the License at
+//
+// https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+// WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+// License for the specific language governing permissions and limitations under
+// the License.
+
+#include <stddef.h>
+#include <stdint.h>
+#include <string.h>
+
+#include "dice/cbor_writer.h"
+#include "dice/ops/trait/cose.h"
+
+#if DICE_PUBLIC_KEY_SIZE != 32
+#error "Only Ed25519 is supported; 32 bytes needed to store the public key."
+#endif
+#if DICE_SIGNATURE_SIZE != 64
+#error "Only Ed25519 is supported; 64 bytes needed to store the signature."
+#endif
+
+DiceResult DiceCoseEncodePublicKey(
+ void* context_not_used, const uint8_t public_key[DICE_PUBLIC_KEY_SIZE],
+ size_t buffer_size, uint8_t* buffer, size_t* encoded_size) {
+ (void)context_not_used;
+
+ // Constants per RFC 8152.
+ const int64_t kCoseKeyKtyLabel = 1;
+ const int64_t kCoseKeyAlgLabel = 3;
+ const int64_t kCoseKeyOpsLabel = 4;
+ const int64_t kCoseOkpCrvLabel = -1;
+ const int64_t kCoseOkpXLabel = -2;
+ const int64_t kCoseKeyTypeOkp = 1;
+ const int64_t kCoseAlgEdDSA = DICE_COSE_KEY_ALG_VALUE;
+ const int64_t kCoseKeyOpsVerify = 2;
+ const int64_t kCoseCrvEd25519 = 6;
+
+ struct CborOut out;
+ CborOutInit(buffer, buffer_size, &out);
+ CborWriteMap(/*num_pairs=*/5, &out);
+ // Add the key type.
+ CborWriteInt(kCoseKeyKtyLabel, &out);
+ CborWriteInt(kCoseKeyTypeOkp, &out);
+ // Add the algorithm.
+ CborWriteInt(kCoseKeyAlgLabel, &out);
+ CborWriteInt(kCoseAlgEdDSA, &out);
+ // Add the KeyOps.
+ CborWriteInt(kCoseKeyOpsLabel, &out);
+ CborWriteArray(/*num_elements=*/1, &out);
+ CborWriteInt(kCoseKeyOpsVerify, &out);
+ // Add the curve.
+ CborWriteInt(kCoseOkpCrvLabel, &out);
+ CborWriteInt(kCoseCrvEd25519, &out);
+ // Add the public key.
+ CborWriteInt(kCoseOkpXLabel, &out);
+ CborWriteBstr(/*data_size=*/DICE_PUBLIC_KEY_SIZE, public_key, &out);
+ if (CborOutOverflowed(&out)) {
+ return kDiceResultBufferTooSmall;
+ }
+ *encoded_size = CborOutSize(&out);
+ return kDiceResultOk;
+}
diff --git a/third_party/cose-c/BUILD.gn b/third_party/cose-c/BUILD.gn
index 917e647..3a3175f 100644
--- a/third_party/cose-c/BUILD.gn
+++ b/third_party/cose-c/BUILD.gn
@@ -15,10 +15,10 @@
import("//build_overrides/pigweed.gni")
import("$dir_pw_build/target_types.gni")
-config("external_config") {
+config("external_config_ed25519") {
include_dirs = [
"src/include",
- "include",
+ "include/ed25519",
]
}
@@ -28,16 +28,16 @@
cflags = [ "-Wno-cast-qual" ]
}
-pw_static_library("cose-c") {
+pw_static_library("cose-c_ed25519") {
public = [ "src/include/cose/cose.h" ]
sources = [
- "cose_deps.cc",
+ "cose_ed25519_deps.cc",
"src/src/Cose.cpp",
"src/src/CoseKey.cpp",
"src/src/Sign1.cpp",
"src/src/cbor.cpp",
]
- public_configs = [ ":external_config" ]
+ public_configs = [ ":external_config_ed25519" ]
configs = [ ":internal_config" ]
public_deps = [
"//third_party/boringssl:crypto",
diff --git a/third_party/cose-c/cose_deps.cc b/third_party/cose-c/cose_ed25519_deps.cc
similarity index 94%
rename from third_party/cose-c/cose_deps.cc
rename to third_party/cose-c/cose_ed25519_deps.cc
index 986b2b0..1eb8a15 100644
--- a/third_party/cose-c/cose_deps.cc
+++ b/third_party/cose-c/cose_ed25519_deps.cc
@@ -23,7 +23,7 @@
// Gets the public key from a well-formed Ed25519 COSE_Key. On success populates
// |public_key| and returns true.
-static bool GetPublicKeyFromCbor(const cn_cbor *key, uint8_t public_key[32]) {
+static bool GetPublicKeyFromCbor(const cn_cbor *key, uint8_t public_key[PUBLIC_KEY_SIZE]) {
const int64_t kCoseKeyAlgLabel = 3;
const int64_t kCoseKeyOpsLabel = 4;
const uint64_t kCoseKeyOpsVerify = 2;
@@ -42,7 +42,7 @@
if (curve->type != CN_CBOR_UINT || curve->v.uint != COSE_Curve_Ed25519) {
return false;
}
- if (x->type != CN_CBOR_BYTES || x->length != 32) {
+ if (x->type != CN_CBOR_BYTES || x->length != PUBLIC_KEY_SIZE) {
return false;
}
// Optional attributes.
@@ -72,7 +72,7 @@
}
}
- memcpy(public_key, x->v.bytes, 32);
+ memcpy(public_key, x->v.bytes, PUBLIC_KEY_SIZE);
return true;
}
@@ -88,7 +88,7 @@
if (signature->type != CN_CBOR_BYTES || signature->length != 64) {
return false;
}
- uint8_t public_key[32];
+ uint8_t public_key[PUBLIC_KEY_SIZE];
if (!GetPublicKeyFromCbor(key, public_key)) {
return false;
}
diff --git a/third_party/cose-c/include/cose/cose_configure.h b/third_party/cose-c/include/ed25519/cose/cose_configure.h
similarity index 89%
rename from third_party/cose-c/include/cose/cose_configure.h
rename to third_party/cose-c/include/ed25519/cose/cose_configure.h
index c874231..f6d91a2 100644
--- a/third_party/cose-c/include/cose/cose_configure.h
+++ b/third_party/cose-c/include/ed25519/cose/cose_configure.h
@@ -1,4 +1,5 @@
#define USE_EDDSA
+#define PUBLIC_KEY_SIZE 32
#define INCLUDE_ENCRYPT 0
#define INCLUDE_ENCRYPT0 0