Add CertifyKey CSR Verfication Test
Add a verification test for running CertifyKey in CSR mode.
jhand2 committed Dec 2, 2023
1 parent 03dd0ac commit 087b56d
Showing 9 changed files with 282 additions and 156 deletions.
10 changes: 7 additions & 3 deletions dpe/src/commands/certify_key.rs
@@ -10,7 +10,7 @@ use crate::{
};
use bitflags::bitflags;
use crypto::Crypto;
use platform::{Platform, MAX_CHUNK_SIZE};
use platform::{Platform, MAX_CHUNK_SIZE, MAX_SN_SIZE};

#[repr(C)]
#[derive(Debug, PartialEq, Eq, zerocopy::FromBytes, zerocopy::AsBytes)]
@@ -183,11 +183,13 @@ impl CommandExecution for CertifyKeyCmd {
let csr_sig = env
.crypto
.ecdsa_sign_with_alias(DPE_PROFILE.alg_len(), &csr_digest)?;
let mut issuer_sn = [0u8; MAX_SN_SIZE];
let sn_len = env.platform.get_issuer_sn(&mut issuer_sn)?;

let mut cms_writer = CertWriter::new(&mut cert, true);
bytes_written = cms_writer.encode_cms(
&csr_buffer[..bytes_written],
&subject_name.serial.bytes()[..20], // Serial number must be truncated to 20 bytes
&issuer_sn[..sn_len], // Serial number must be truncated to 20 bytes
&issuer_name[..issuer_len],
&csr_sig,
)?;
@@ -472,17 +474,19 @@ mod tests {
// validate signer identifier
let sid = &signer_info.sid;
let mut subj_serial = [0u8; DPE_PROFILE.get_hash_size() * 2];
let mut issuer_serial = [0u8; MAX_SN_SIZE];
let pub_key = EcdsaPub {
x: CryptoBuf::new(&certify_resp.derived_pubkey_x).unwrap(),
y: CryptoBuf::new(&certify_resp.derived_pubkey_y).unwrap(),
};
env.crypto
.get_pubkey_serial(DPE_PROFILE.alg_len(), &pub_key, &mut subj_serial)
.unwrap();
env.platform.get_issuer_sn(&mut issuer_serial).unwrap();
match sid {
SignerIdentifier::IssuerAndSerialNumber(issuer_and_serial_number) => {
let cert_serial_number = &issuer_and_serial_number.serial_number;
assert_eq!(&subj_serial[..20], cert_serial_number.as_bytes());
assert_eq!(&issuer_serial, cert_serial_number.as_bytes());

let mut issuer_name = [0u8; MAX_CHUNK_SIZE];
let issuer_len = env.platform.get_issuer_name(&mut issuer_name).unwrap();
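Review bot: `&issuer_sn[..sn_len]` in the `encode_cms` call trusts the length returned by the platform's `get_issuer_sn`; an implementation that reports more than MAX_SN_SIZE makes the slice index panic inside command execution instead of returning an error. A checked slice such as `issuer_sn.get(..sn_len)`, mapped to whatever error this command already returns for internal faults, keeps a faulty platform from aborting the DPE. The trailing comment `// Serial number must be truncated to 20 bytes` was carried over from the replaced line and no longer describes the code, since nothing is truncated here; `// Issuer serial number as reported by the platform (at most MAX_SN_SIZE bytes)` would fit. In the test hunk, `assert_eq!(&issuer_serial, cert_serial_number.as_bytes())` discards the returned length and compares all 20 bytes, so it only passes while the test certificate's serial is exactly MAX_SN_SIZE long; keeping the length and comparing `&issuer_serial[..sn_len]` would not depend on that. Both enclosing functions start and end outside the hunks shown.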
24 changes: 22 additions & 2 deletions platform/src/default.rs
@@ -1,6 +1,6 @@
// Licensed under the Apache-2.0 license

use crate::{Platform, PlatformError, MAX_CHUNK_SIZE};
use crate::{Platform, PlatformError, MAX_CHUNK_SIZE, MAX_SN_SIZE};
use core::cmp::min;
use openssl::x509::X509;

@@ -17,6 +17,12 @@ pub const TEST_CERT_CHAIN: &[u8] = include_bytes!("test_data/cert_256.der");
#[cfg(feature = "dpe_profile_p384_sha384")]
pub const TEST_CERT_CHAIN: &[u8] = include_bytes!("test_data/cert_384.der");

#[cfg(feature = "dpe_profile_p256_sha256")]
pub const TEST_CERT_PEM: &[u8] = include_bytes!("test_data/cert_256.pem");

#[cfg(feature = "dpe_profile_p384_sha384")]
pub const TEST_CERT_PEM: &[u8] = include_bytes!("test_data/cert_384.pem");

impl Platform for DefaultPlatform {
fn get_certificate_chain(
&mut self,
@@ -41,7 +47,7 @@ impl Platform for DefaultPlatform {
}

fn get_issuer_name(&mut self, out: &mut [u8; MAX_CHUNK_SIZE]) -> Result<usize, PlatformError> {
let issuer_name = X509::from_pem(include_bytes!("test_data/cert_256.pem"))
let issuer_name = X509::from_pem(TEST_CERT_PEM)
.unwrap()
.subject_name()
.to_der()
@@ -53,6 +59,20 @@ impl Platform for DefaultPlatform {
Ok(issuer_name.len())
}

fn get_issuer_sn(&mut self, out: &mut [u8; MAX_SN_SIZE]) -> Result<usize, PlatformError> {
let sn = X509::from_pem(TEST_CERT_PEM)
.unwrap()
.serial_number()
.to_bn()
.unwrap()
.to_vec();
if sn.len() > out.len() {
return Err(PlatformError::IssuerNameError(0));
}
out[..sn.len()].copy_from_slice(&sn);
Ok(sn.len())
}

fn get_vendor_id(&mut self) -> Result<u32, PlatformError> {
Ok(VENDOR_ID)
}
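Review bot: `get_issuer_sn` copies the output of `.to_bn().unwrap().to_vec()`, which is the bare big-endian magnitude, so a serial whose first byte has the top bit set comes back without the leading 0x00 that a positive ASN.1 INTEGER needs, while the trait documentation added in platform/src/lib.rs says the value must meet the ASN.1 integer requirements. Whether `encode_cms` adds that padding is not visible on this page, so it would help to either handle the padding here or add a comment stating that the encoder is responsible for it. The oversize branch also returns `PlatformError::IssuerNameError(0)`, the issuer-name error, which points anyone debugging a bad serial number at the wrong call; a serial-number-specific variant in `PlatformError` would keep the two failures distinguishable. The `impl Platform for DefaultPlatform` block continues outside the hunk.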
7 changes: 7 additions & 0 deletions platform/src/lib.rs
@@ -14,6 +14,7 @@ pub mod default;
pub mod printer;

pub const MAX_CHUNK_SIZE: usize = 2048;
pub const MAX_SN_SIZE: usize = 20;

#[derive(Debug, PartialEq, Eq, Clone, Copy)]
#[repr(u16)]
@@ -64,6 +65,12 @@ pub trait Platform {
/// * `out` - Output buffer for issuer name to be written to.
fn get_issuer_name(&mut self, out: &mut [u8; MAX_CHUNK_SIZE]) -> Result<usize, PlatformError>;

/// Retrives the issuer's Serial Number
///
/// The issuer serial number is a big-endian integer which is at-most 20
/// bytes. It must adhere to all the requirements of an ASN.1 integer.
fn get_issuer_sn(&mut self, out: &mut [u8; MAX_SN_SIZE]) -> Result<usize, PlatformError>;

fn get_vendor_id(&mut self) -> Result<u32, PlatformError>;

fn get_vendor_sku(&mut self) -> Result<u32, PlatformError>;
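Review bot: The doc comment on `get_issuer_sn` does not say what the returned `usize` means or bound it, although the caller in certify_key.rs uses it directly as a slice length on a MAX_SN_SIZE buffer. I would add a bullet for `out` like the one on `get_issuer_name`, plus a line such as `/// Returns the number of bytes written to out, which must not exceed MAX_SN_SIZE.`, and correct the spelling `Retrives` to `Retrieves`. The new constant has no comment either; `/// Maximum length in bytes of an issuer serial number.` above `MAX_SN_SIZE` would tie the value 20 to the limit stated in the method doc. The trait body continues outside the hunk.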