Skip to content

Commit

Permalink
Extend sample cert tool to support CSRs
Browse files Browse the repository at this point in the history 
1. Call DeriveChild to force the output cert to have a TcbInfo
2. Support the CSR format
  • Loading branch information
@jhand2
jhand2 committed Dec 1, 2023
1 parent 8ced2c0 commit f8f5206
Showing 1 changed file with 62 additions and 12 deletions.
74 changes: 62 additions & 12 deletions tools/src/sample_dpe_cert.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@

use {
crypto::OpensslCrypto,
dpe::commands::{self, CertifyKeyCmd, CertifyKeyFlags, CommandHdr},
dpe::commands::{self, CertifyKeyCmd, CertifyKeyFlags, DeriveChildCmd, DeriveChildFlags, CommandHdr},
dpe::context::ContextHandle,
dpe::dpe_instance::{DpeEnv, DpeTypes},
dpe::response::Response,
Expand All @@ -11,6 +11,7 @@ use {
platform::default::DefaultPlatform,
zerocopy::AsBytes,
};
use std::env;

pub struct TestTypes {}

Expand All @@ -19,21 +20,41 @@ impl DpeTypes for TestTypes {
type Platform<'a> = DefaultPlatform;
}

fn main() {
let support = Support::AUTO_INIT | Support::X509;

let mut env = DpeEnv::<TestTypes> {
crypto: OpensslCrypto::new(),
platform: DefaultPlatform,
// Call DeriveChild on the default context so the generated cert will have a
// TcbInfo populated.
fn add_tcb_info(dpe: &mut DpeInstance, env: &mut DpeEnv<TestTypes>, data: &[u8; DPE_PROFILE.get_hash_size()], tci_type: u32) {
let cmd = DeriveChildCmd {
handle: ContextHandle::default(),
data: *data,
flags: DeriveChildFlags::INPUT_ALLOW_X509 | DeriveChildFlags::MAKE_DEFAULT,
tci_type,
target_locality: 0, // Unused since flag isn't set
};
let cmd_body = cmd.as_bytes().to_vec();
let cmd_hdr = CommandHdr::new_for_test(dpe::commands::Command::DERIVE_CHILD)
.as_bytes()
.to_vec();
let mut command = cmd_hdr;
command.extend(cmd_body);

let mut dpe = DpeInstance::new(&mut env, support).unwrap();
let resp = dpe
.execute_serialized_command(env, 0, &command)
.unwrap();

let _ = match resp {
// Expect CertifyKey response return an error in all other cases.
Response::DeriveChild(res) => res,
Response::Error(res) => panic!("Error response {}", res.status),
_ => panic!("Unexpected Response"),
};
}

fn certify_key(dpe: &mut DpeInstance, env: &mut DpeEnv<TestTypes>, format: u32) -> Vec<u8> {
let certify_key_cmd: CertifyKeyCmd = commands::CertifyKeyCmd {
handle: ContextHandle::default(),
flags: CertifyKeyFlags::empty(),
label: [0; DPE_PROFILE.get_hash_size()],
format: commands::CertifyKeyCmd::FORMAT_X509,
format,
};
let cmd_body = certify_key_cmd.as_bytes().to_vec();
let cmd_hdr = CommandHdr::new_for_test(dpe::commands::Command::CERTIFY_KEY)
Expand All @@ -43,7 +64,7 @@ fn main() {
command.extend(cmd_body);

let resp = dpe
.execute_serialized_command(&mut env, 0, &command)
.execute_serialized_command(env, 0, &command)
.unwrap();

let certify_key_response = match resp {
Expand All @@ -53,9 +74,38 @@ fn main() {
_ => panic!("Unexpected Response"),
};

certify_key_response.cert[..certify_key_response.cert_size as usize].to_vec()
}

fn main() {
let args: Vec<String> = env::args().collect();
let (format, format_str) = if args.len() > 1 {
let arg = &args[1];
if arg == "csr" {
(commands::CertifyKeyCmd::FORMAT_CSR, "PKCS7")
} else if arg == "x509" {
(commands::CertifyKeyCmd::FORMAT_X509, "CERTIFICATE")
} else {
panic!("Unsupported format {}", arg)
}
} else {
(commands::CertifyKeyCmd::FORMAT_X509, "CERTIFICATE")
};
let support = Support::AUTO_INIT | Support::X509 | Support::CSR;

let mut env = DpeEnv::<TestTypes> {
crypto: OpensslCrypto::new(),
platform: DefaultPlatform,
};

let mut dpe = DpeInstance::new(&mut env, support).unwrap();

add_tcb_info(&mut dpe, &mut env, &[0; DPE_PROFILE.get_hash_size()], u32::from_be_bytes(*b"TEST"));
let cert = certify_key(&mut dpe, &mut env, format);

let pem = Pem::new(
"CERTIFICATE",
&certify_key_response.cert[..certify_key_response.cert_size as usize],
format_str,
cert,
);

print!(
Expand Down

0 comments on commit f8f5206

Please sign in to comment.