[ot_certs] Add subtitution integration test

This test verifies that the generic.hjson template, substituted with
a json data files, yields example.hjson. This verifies that the whole
substitution chains is correct.

Signed-off-by: Amaury Pouly <[email protected]>

Author: pamaury

sw/device/silicon_creator/lib/cert/uds_example_data.json

@@ -16,6 +16,11 @@ filegroup(
     srcs = ["tests/example.hjson"],
 )
 
+filegroup(
+    name = "example_data",
+    srcs = ["tests/example_data.json"],
+)
+
 rust_library(
     name = "ot_certs",
     srcs = [
@@ -75,6 +80,8 @@ rust_test_suite(
     srcs = glob(["tests/*.rs"]),
     compile_data = [
         ":generic_cert",
+        ":example_cert",
+        ":example_data",
     ],
     deps = [
         ":ot_certs",

sw/host/ot_certs/BUILD

@@ -1,6 +1,9 @@
 // Copyright lowRISC contributors.
 // Licensed under the Apache License, Version 2.0, see LICENSE for details.
 // SPDX-License-Identifier: Apache-2.0
+
+// This example must correspond to taking the generic.hjson template and substituting the variables
+// using example_data.json
 {
     name: "example",
 
@@ -25,8 +28,8 @@
                 y: "0x0a0636f5073209440adb17dd8b102bc1154dc95394abfaeecd89852e1d622be1",
             },
         },
-        authority_key_identifier: "94589abcd87444",
-        subject_key_identifier: "04897afec876db",
+        authority_key_identifier: "94589abcd8744445ef329bc4186a11ff9a74bc4d",
+        subject_key_identifier: "04897afec876db876d4efbc6a3dd9f164965dfac",
         extensions: [
             {
                 type: "dice_tcb_info",
@@ -40,16 +43,19 @@
                 ],
                 flags: {
                     not_configured: false,
-                    not_secure: false,
+                    not_secure: true,
                     recovery: false,
-                    debug: false,
+                    debug: true,
                 }
             }
         ],
         signature: {
             algorithm: "ecdsa-with-sha256",
             // The value field is optional: if not present, the signature will be cleared.
-            // Otherwise, we can reference the various fields of the signature.
+            value: {
+                r: "0",
+                s: "0",
+            }
         }
     }
 }

sw/host/ot_certs/tests/example.hjson

@@ -0,0 +1,22 @@
+{
+    "serial_number": "0xc32a9847abefc5074ad",
+    "issuer_c": "UK",
+    "issuer_cn": "lowRISC",
+    "subject_serial_number": "5498694878674878747894768746897849",
+    "pub_key_ec_x": "0x6d13d8dca1d8211298d41abd8f7ac38c07333c78e652b44c5b425fce61184a",
+    "pub_key_ec_y": "4534108868468764070259928525122280184028285285512090975127203821338071542753",
+    "auth_key_id": "94589abcd8744445ef329bc4186a11ff9a74bc4d",
+    "pub_key_id": [4, 137, 122, 254, 200, 118, 219, 135, 109, 78, 251, 198, 163, 221, 159, 22, 73, 101, 223, 172],
+    "vendor": "lowRISC",
+    "model": "OpenTitan",
+    "security_version": 0,
+    "layer": [42],
+    "hash_1": "465644d935385783658357583758c593583b6537",
+    "hash_2": "009e9809f85978327592857a093f539078626589",
+    "not_configured": false,
+    "not_secure": true,
+    "recovery": "false",
+    "debug": "true",
+    "cert_signature_r": "0",
+    "cert_signature_s": "0"
+}

sw/host/ot_certs/tests/example_data.json

@@ -51,11 +51,11 @@
         },
         hash_1: {
             type: "byte-array",
-            size: 32,
+            size: 20,
         },
         hash_2: {
             type: "byte-array",
-            size: 32,
+            size: 20,
         },
         security_version: {
             type: "integer",

sw/host/ot_certs/tests/generic.hjson

@@ -0,0 +1,38 @@
+// Copyright lowRISC contributors.
+// Licensed under the Apache License, Version 2.0, see LICENSE for details.
+// SPDX-License-Identifier: Apache-2.0
+
+use anyhow::{bail, Result};
+
+use ot_certs::template::subst::{Subst, SubstData};
+use ot_certs::template::Template;
+
+const GENERIC_CERT: &str = include_str!("generic.hjson");
+const EXAMPLE_DATA: &str = include_str!("example_data.json");
+const EXAMPLE_CERT: &str = include_str!("example.hjson");
+
+#[test]
+fn main() -> Result<()> {
+    // Parse generic certificate.
+    let generic_tmpl =
+        Template::from_hjson_str(GENERIC_CERT).expect("failed to parse generic template");
+    // Parse example certificate.
+    let example_tmpl =
+        Template::from_hjson_str(EXAMPLE_CERT).expect("failed to parse example template");
+    // Load data.
+    let test_data = SubstData::from_json(EXAMPLE_DATA).expect("failed to parse example data");
+    // Substitute data into the template.
+    let mut cert = generic_tmpl.subst(&test_data)?;
+    // We need to change the name to make sure that it matches.
+    cert.name = "example".to_string();
+    // Check that we obtain the example certificate template.
+    if example_tmpl != cert {
+        println!("expected: {:#?}", example_tmpl);
+        println!("got: {cert:#?}");
+        bail!(
+            "example.hjson does not correspond to substituting example_data.json in generic.hjson"
+        );
+    }
+
+    Ok(())
+}