xref: /aosp_15_r20/external/open-dice/include/dice/test_utils.h (revision 60b67249c2e226f42f35cc6cfe66c6048e0bae6b)
1 // Copyright 2020 Google LLC
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License"); you may not
4 // use this file except in compliance with the License. You may obtain a copy of
5 // the License at
6 //
7 //     https://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
11 // WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
12 // License for the specific language governing permissions and limitations under
13 // the License.
14 
15 #ifndef DICE_TEST_UTILS_H_
16 #define DICE_TEST_UTILS_H_
17 
18 #include <stddef.h>
19 #include <stdint.h>
20 
21 #include "dice/dice.h"
22 
namespace dice {
namespace test {

// Capacity, in bytes, of the fixed-size certificate buffers used by these
// helpers (DiceStateForTest::certificate and the |certificate| output of
// CreateFakeUdsCertificate).
constexpr size_t kTestCertSize = 2048;

// Certificate encodings the helpers below can be asked to handle.
enum CertificateType {
  CertificateType_X509,
  CertificateType_Cbor,
};

// Key types the helpers below can be asked to handle.
// NOTE(review): KeyType_P256_COMPRESSED presumably selects P-256 with a
// compressed public key encoding; confirm against the implementation.
enum KeyType {
  KeyType_Ed25519,
  KeyType_P256,
  KeyType_P256_COMPRESSED,
  KeyType_P384,
};

// State captured by a test: the attestation and sealing CDIs plus one
// certificate. VerifyCertificateChain takes an array of these, presumably one
// entry per DICE layer.
//
// CDI values are secrets in a real DICE flow. This struct keeps them in plain
// memory and DumpState writes state to files, so it should only ever hold
// fake test inputs.
struct DiceStateForTest {
  // Attestation CDI, DICE_CDI_SIZE bytes.
  uint8_t cdi_attest[DICE_CDI_SIZE];
  // Sealing CDI, DICE_CDI_SIZE bytes.
  uint8_t cdi_seal[DICE_CDI_SIZE];
  // Certificate bytes; the buffer holds at most kTestCertSize bytes.
  uint8_t certificate[kTestCertSize];
  // Presumably the number of valid bytes in |certificate|; it should never
  // exceed kTestCertSize. TODO confirm against the implementation.
  size_t certificate_size;
};

// Dumps |state| to a set of files in the current directory with the given
// |suffix|. |cert_type| and |key_type| describe the state being dumped.
// NOTE(review): which fields of |state| are written, and how |suffix| is used
// in the file names, is not visible from this header. If the CDIs are
// included, the output files contain secret material in a real flow, so keep
// this to test runs with fake inputs.
void DumpState(CertificateType cert_type, KeyType key_type, const char* suffix,
               const DiceStateForTest& state);

// Deterministically derives |length| bytes from |seed|. The caller owns
// |output|, which presumably must have room for |length| bytes. Because the
// result is a deterministic function of |seed|, it is suitable for
// reproducible test inputs only, never for real secrets.
void DeriveFakeInputValue(const char* seed, size_t length, uint8_t* output);

// Generates a self-signed X.509 UDS certificate for the given |uds| value. The
// signature scheme is ED25519-SHA512.
// NOTE(review): the sentence above does not account for the |cert_type| and
// |key_type| parameters, which presumably select the encoding and the signing
// key type; confirm and update the description.
//
// |uds| and |certificate| are declared with array bounds, but as function
// parameters they are adjusted to pointers, so the compiler does not check the
// sizes. Callers must pass 32 bytes of UDS and a |certificate| buffer of at
// least kTestCertSize bytes. |certificate_size| presumably receives the
// number of bytes written. The meaning of |context| is not visible from this
// header.
void CreateFakeUdsCertificate(void* context, const uint8_t uds[32],
                              CertificateType cert_type, KeyType key_type,
                              uint8_t certificate[kTestCertSize],
                              size_t* certificate_size);

// Verify that a single CDI certificate is properly signed with the given key
// and contains the expected payload.
//
// |certificate| / |certificate_size|: the encoded certificate to check.
// |external_aad| / |external_aad_size|: external additional authenticated
//     data for the signature check.
// |encoded_public_key| / |encoded_public_key_size|: the key to verify with.
// |expected_payload| / |expected_payload_size|: the payload the certificate
//     must contain.
// Presumably returns true only when both the signature and the payload
// checks pass. TODO confirm against the implementation.
bool VerifyCoseSign1(const uint8_t* certificate, size_t certificate_size,
                     const uint8_t* external_aad, size_t external_aad_size,
                     const uint8_t* encoded_public_key,
                     size_t encoded_public_key_size,
                     const uint8_t* expected_payload,
                     size_t expected_payload_size);

// Verifies a chain of CDI certificates given by |states| against
// |root_certificate|. If |is_partial_chain| is set, then |root_certificate|
// does not need to be self-signed.
//
// Scope of the check: for X.509 certificate chains, only the standard
// certificate fields and extensions are checked; other custom extensions are
// ignored even if marked critical. Similarly, for CBOR certificate chains the
// chaining construction is verified but the content of other fields is
// ignored. A true result therefore only shows that the chain is correctly
// constructed in terms of standard fields; additional tests are needed to
// fully verify a certificate chain.
//
// |num_dice_states| is the number of entries in |states|.
bool VerifyCertificateChain(CertificateType cert_type,
                            const uint8_t* root_certificate,
                            size_t root_certificate_size,
                            const DiceStateForTest states[],
                            size_t num_dice_states, bool is_partial_chain);

}  // namespace test
}  // namespace dice
88 
89 #endif  // DICE_TEST_UTILS_H_
90