Move Go verification tests and client to separate packages
The Go verification tests include a client and a set of test
functions/infrastructure. Split these into separate packages so that the
client can be included without also including the test helpers.
jhand2 committed Jan 3, 2024
1 parent bdb03a7 commit 5e5dbd5
Showing 24 changed files with 250 additions and 235 deletions.
2 changes: 1 addition & 1 deletion ci.sh
Expand Up @@ -58,7 +58,7 @@ function run_verification_tests() {

cargo build --manifest-path simulator/Cargo.toml --features=$profile,$crypto --no-default-features

( cd verification
( cd verification/testing
go test -v
)
}
5 changes: 3 additions & 2 deletions verification/README.md
@@ -1,4 +1,5 @@
# DPE Verification Tests

This test suite is a userspace test-suite which exercises DPE commands
end-to-end and ensures compliance with the DPE iRoT Profile.
* client: A generic Golang DPE client library
* testing: A userspace test suite which exercises DPE commands end-to-end and
ensures compliance with the DPE iRoT Profile.
2 changes: 1 addition & 1 deletion verification/abi.go → verification/client/abi.go
100755 → 100644
@@ -1,6 +1,6 @@
// Licensed under the Apache-2.0 license

package verification
package client

import (
"fmt"
2 changes: 1 addition & 1 deletion verification/client.go → verification/client/client.go
100755 → 100644
@@ -1,6 +1,6 @@
// Licensed under the Apache-2.0 license

package verification
package client

import (
"fmt"
2 changes: 1 addition & 1 deletion verification/errors.go → verification/client/errors.go
@@ -1,6 +1,6 @@
// Licensed under the Apache-2.0 license

package verification
package client

import "fmt"

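--- /dev/null
+++ b/verification/client/go.mod
@@ -0,0 +1,3 @@
+module github.com/chipsalliance/caliptra-dpe/verification/client
+
+go 1.20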
2 changes: 1 addition & 1 deletion verification/helpers.go → verification/client/helpers.go
@@ -1,6 +1,6 @@
// Licensed under the Apache-2.0 license

package verification
package client

import (
"bytes"
2 changes: 1 addition & 1 deletion verification/profile.go → verification/client/profile.go
@@ -1,6 +1,6 @@
// Licensed under the Apache-2.0 license

package verification
package client

import "fmt"

@@ -1,6 +1,6 @@
// Licensed under the Apache-2.0 license

package verification
package client

import (
"reflect"
47 changes: 24 additions & 23 deletions verification/certifyKey.go → verification/testing/certifyKey.go
100755 → 100644
Expand Up @@ -19,6 +19,7 @@ import (

"go.mozilla.org/pkcs7"

"github.com/chipsalliance/caliptra-dpe/verification/client"
zx509 "github.com/zmap/zcrypto/x509"
zlint "github.com/zmap/zlint/v3"
"github.com/zmap/zlint/v3/lint"
Expand Down Expand Up @@ -117,34 +118,34 @@ type TcgMultiTcbInfo = []DiceTcbInfo
// CertifyKeyParams holds configurable parameters to CertifyKey for test-cases
type CertifyKeyParams struct {
Label []byte
Flags CertifyKeyFlags
Flags client.CertifyKeyFlags
}

// TestCertifyKey tests calling CertifyKey
func TestCertifyKey(d TestDPEInstance, c DPEClient, t *testing.T) {
func TestCertifyKey(d client.TestDPEInstance, c client.DPEClient, t *testing.T) {
testCertifyKey(d, c, t, false)
}

// TestCertifyKeySimulation tests calling CertifyKey on simulation contexts
func TestCertifyKeySimulation(d TestDPEInstance, c DPEClient, t *testing.T) {
func TestCertifyKeySimulation(d client.TestDPEInstance, c client.DPEClient, t *testing.T) {
testCertifyKey(d, c, t, true)
}

// TestCertifyKeyCsr tests calling CeritifyKey with type = CSR
func TestCertifyKeyCsr(d TestDPEInstance, c DPEClient, t *testing.T) {
// Testclient.CertifyKeyCsr tests calling CeritifyKey with type = CSR
func TestCertifyKeyCsr(d client.TestDPEInstance, c client.DPEClient, t *testing.T) {
ctx := getInitialContextHandle(d, c, t, false)

profile, err := GetTransportProfile(d)
profile, err := client.GetTransportProfile(d)
if err != nil {
t.Fatalf("Could not get profile: %v", err)
}
digestLen := profile.GetDigestSize()

flags := CertifyKeyFlags(0)
flags := client.CertifyKeyFlags(0)
label := make([]byte, digestLen)

// Get DPE leaf certificate from CertifyKey
certifyKeyResp, err := c.CertifyKey(ctx, label, CertifyKeyCsr, flags)
certifyKeyResp, err := c.CertifyKey(ctx, label, client.CertifyKeyCsr, flags)
if err != nil {
t.Fatalf("[FATAL]: Could not certify key: %v", err)
}
Expand All @@ -163,7 +164,7 @@ func TestCertifyKeyCsr(d TestDPEInstance, c DPEClient, t *testing.T) {
lastCertInCertChain := certChain[len(certChain)-1]

// Get DPE leaf cert
certifyKeyResp, err = c.CertifyKey(ctx, label, CertifyKeyX509, flags)
certifyKeyResp, err = c.CertifyKey(ctx, label, client.CertifyKeyX509, flags)
if err != nil {
t.Fatalf("[FATAL]: Could not certify key: %v", err)
}
Expand Down Expand Up @@ -333,7 +334,7 @@ func checkCertifyKeyExtendedKeyUsages(t *testing.T, extensions []pkix.Extension,
// Checks for KeyUsage Extension as per spec
// If IsCA = true, KeyUsage extension MUST contain DigitalSignature and KeyCertSign
// If IsCA = false, KeyUsage extension MUST contain only DigitalSignature
func checkCertifyKeyExtensions(t *testing.T, extensions []pkix.Extension, flags CertifyKeyFlags, label []byte) {
func checkCertifyKeyExtensions(t *testing.T, extensions []pkix.Extension, flags client.CertifyKeyFlags, label []byte) {
t.Helper()

bc, err := getBasicConstraints(extensions)
Expand Down Expand Up @@ -378,7 +379,7 @@ func checkCertifyKeyExtensions(t *testing.T, extensions []pkix.Extension, flags
// The BasicConstraints extension MUST be included
// If CertifyKey AddIsCA is set, IsCA MUST be set to true.
// If CertifyKey AddIsCA is NOT set, IsCA MUST be set to false
func checkCertifyKeyBasicConstraints(t *testing.T, extensions []pkix.Extension, flags CertifyKeyFlags) {
func checkCertifyKeyBasicConstraints(t *testing.T, extensions []pkix.Extension, flags client.CertifyKeyFlags) {
t.Helper()

flagsBuf := &bytes.Buffer{}
Expand All @@ -389,7 +390,7 @@ func checkCertifyKeyBasicConstraints(t *testing.T, extensions []pkix.Extension,
t.Error(err)
}

flagIsCA := CertifyAddIsCA&flags != 0
flagIsCA := client.CertifyAddIsCA&flags != 0
if flagIsCA != bc.IsCA {
t.Errorf("[ERROR]: ADD_IS_CA is set to %v but the basic constraint IsCA is set to %v", flagIsCA, bc.IsCA)
}
Expand Down Expand Up @@ -470,15 +471,15 @@ func checkCertificateStructure(t *testing.T, certBytes []byte) *x509.Certificate
return x509Cert
}

func testCertifyKey(d TestDPEInstance, c DPEClient, t *testing.T, simulation bool) {
func testCertifyKey(d client.TestDPEInstance, c client.DPEClient, t *testing.T, simulation bool) {
handle := getInitialContextHandle(d, c, t, simulation)
defer func() {
if simulation {
c.DestroyContext(handle, DestroyDescendants)
c.DestroyContext(handle, client.DestroyDescendants)
}
}()

profile, err := GetTransportProfile(d)
profile, err := client.GetTransportProfile(d)
if err != nil {
t.Fatalf("Could not get profile: %v", err)
}
Expand All @@ -490,13 +491,13 @@ func testCertifyKey(d TestDPEInstance, c DPEClient, t *testing.T, simulation boo
}

certifyKeyParams := []CertifyKeyParams{
{Label: make([]byte, digestLen), Flags: CertifyKeyFlags(0)},
{Label: seqLabel, Flags: CertifyKeyFlags(0)},
{Label: make([]byte, digestLen), Flags: client.CertifyKeyFlags(0)},
{Label: seqLabel, Flags: client.CertifyKeyFlags(0)},
}

for _, params := range certifyKeyParams {
// Get DPE leaf certificate from CertifyKey
certifyKeyResp, err := c.CertifyKey(handle, params.Label, CertifyKeyX509, params.Flags)
certifyKeyResp, err := c.CertifyKey(handle, params.Label, client.CertifyKeyX509, params.Flags)
if err != nil {
t.Fatalf("[FATAL]: Could not certify key: %v", err)
}
Expand Down Expand Up @@ -624,16 +625,16 @@ func getKeyUsageNames(keyUsage x509.KeyUsage) []string {
return keyUsageNames
}

func checkPubKey(t *testing.T, p Profile, pubkey any, response CertifiedKey) {
func checkPubKey(t *testing.T, p client.Profile, pubkey any, response client.CertifiedKey) {
var pubKeyInResponse ecdsa.PublicKey
switch p {
case ProfileP256SHA256:
case client.ProfileP256SHA256:
pubKeyInResponse = ecdsa.PublicKey{
Curve: elliptic.P256(),
X: new(big.Int).SetBytes(response.Pub.X),
Y: new(big.Int).SetBytes(response.Pub.Y),
}
case ProfileP384SHA384:
case client.ProfileP384SHA384:
pubKeyInResponse = ecdsa.PublicKey{
Curve: elliptic.P384(),
X: new(big.Int).SetBytes(response.Pub.X),
Expand All @@ -654,8 +655,8 @@ func checkPubKey(t *testing.T, p Profile, pubkey any, response CertifiedKey) {
}

// Checks whether the context handle is unchanged after certifyKey command when default context handle is used.
func checkCertifyKeyRespHandle(res CertifiedKey, t *testing.T, handle *ContextHandle) {
if *handle != DefaultContextHandle {
func checkCertifyKeyRespHandle(res client.CertifiedKey, t *testing.T, handle *client.ContextHandle) {
if *handle != client.DefaultContextHandle {
t.Logf("[LOG]: Handle is not default context, skipping check...")
return
}
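Review bot: The doc comment on the new side, `// Testclient.CertifyKeyCsr tests calling CeritifyKey with type = CSR`, looks like the mechanical `CertifyKey` → `client.CertifyKey` replacement also hit the comment: the function is still named `TestCertifyKeyCsr`, so the comment no longer starts with the function name (which the go vet / staticcheck doc-comment checks flag for exported identifiers), and the pre-existing "CeritifyKey" typo survives. I would write `// TestCertifyKeyCsr tests calling CertifyKey with type = CSR`. Separately, in the `@@ -470,15 +471,15 @@` hunk the deferred cleanup `c.DestroyContext(handle, client.DestroyDescendants)` discards the returned error, whereas the equivalent cleanup in extendTCI.go reports it with t.Errorf; `if err := c.DestroyContext(handle, client.DestroyDescendants); err != nil { t.Errorf("[ERROR]: Error while cleaning up simulation context: %s", err) }` would keep the two files consistent and surface a context that was not actually destroyed. testCertifyKey's body continues outside the hunk.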
6 changes: 4 additions & 2 deletions verification/certs.go → verification/testing/certs.go
Expand Up @@ -7,6 +7,8 @@ import (
"crypto/x509/pkix"
"encoding/asn1"
"fmt"

"github.com/chipsalliance/caliptra-dpe/verification/client"
)

// This file is used to test the certify key command.
Expand Down Expand Up @@ -128,7 +130,7 @@ func getKeyUsage(extensions []pkix.Extension) (x509.KeyUsage, error) {
return x509.KeyUsage(usage), nil
}

func getTcbInfoForHandle(c DPEClient, handle *ContextHandle) (*ContextHandle, DiceTcbInfo, error) {
func getTcbInfoForHandle(c client.DPEClient, handle *client.ContextHandle) (*client.ContextHandle, DiceTcbInfo, error) {
outHandle := handle

// Get digest size
Expand All @@ -140,7 +142,7 @@ func getTcbInfoForHandle(c DPEClient, handle *ContextHandle) (*ContextHandle, Di
digestLen := profile.Profile.GetDigestSize()
label := make([]byte, digestLen)

certifiedKey, err := c.CertifyKey(outHandle, label, CertifyKeyX509, 0)
certifiedKey, err := c.CertifyKey(outHandle, label, client.CertifyKeyX509, 0)
if err != nil {
return outHandle, DiceTcbInfo{}, fmt.Errorf("Could not certify key: %s", err)
}
20 changes: 11 additions & 9 deletions verification/extendTCI.go → verification/testing/extendTCI.go
Expand Up @@ -9,19 +9,21 @@ import (
"hash"

"testing"

"github.com/chipsalliance/caliptra-dpe/verification/client"
)

// TestExtendTCI checks whether the ExtendTCI command updates the current TCI
// and cumulative TCI.
func TestExtendTCI(d TestDPEInstance, c DPEClient, t *testing.T) {
func TestExtendTCI(d client.TestDPEInstance, c client.DPEClient, t *testing.T) {
var err error
useSimulation := false // To indicate that simulation context is not used

// Get default context handle
handle := getInitialContextHandle(d, c, t, useSimulation)

// Get digest size
profile, err := GetTransportProfile(d)
profile, err := client.GetTransportProfile(d)
if err != nil {
t.Fatalf("[FATAL]: Could not get profile: %v", err)
}
Expand Down Expand Up @@ -64,14 +66,14 @@ func computeExpectedCumulative(lastCumulative []byte, tciValue []byte) []byte {

// TestExtendTciOnDerivedContexts checks whether the ExtendTCI command with
// derived child context.
func TestExtendTciOnDerivedContexts(d TestDPEInstance, c DPEClient, t *testing.T) {
func TestExtendTciOnDerivedContexts(d client.TestDPEInstance, c client.DPEClient, t *testing.T) {
useSimulation := false // To indicate that simulation context is not used

// Get default context handle
handle := getInitialContextHandle(d, c, t, useSimulation)

// Get digest size
profile, err := GetTransportProfile(d)
profile, err := client.GetTransportProfile(d)
if err != nil {
t.Fatalf("[FATAL]: Could not get profile: %v", err)
}
Expand All @@ -89,21 +91,21 @@ func TestExtendTciOnDerivedContexts(d TestDPEInstance, c DPEClient, t *testing.T
}

// Preserve parent context to restore for subsequent tests.
parentHandle, err := c.RotateContextHandle(handle, RotateContextHandleFlags(0))
parentHandle, err := c.RotateContextHandle(handle, client.RotateContextHandleFlags(0))
if err != nil {
t.Errorf("[ERROR]: Error while rotating parent context handle, this may cause failure in subsequent tests: %s", err)
}

// Change parent back to default context
defer func() {
_, err = c.RotateContextHandle(parentHandle, RotateContextHandleFlags(TargetIsDefault))
_, err = c.RotateContextHandle(parentHandle, client.RotateContextHandleFlags(client.TargetIsDefault))
if err != nil {
t.Errorf("[ERROR]: Error while restoring parent context handle as default context handle, this may cause failure in subsequent tests: %s", err)
}
}()

// Derive Child context with input data, tag it and check TCI_CUMULATIVE
childCtx, err := c.DeriveChild(parentHandle, tciValue, DeriveChildFlags(RetainParent|InputAllowX509), 0, 0)
childCtx, err := c.DeriveChild(parentHandle, tciValue, client.DeriveChildFlags(client.RetainParent|client.InputAllowX509), 0, 0)
if err != nil {
t.Fatalf("[FATAL]: Error while creating default child handle in default context: %s", err)
}
Expand All @@ -113,7 +115,7 @@ func TestExtendTciOnDerivedContexts(d TestDPEInstance, c DPEClient, t *testing.T

// Clean up contexts
defer func() {
err := c.DestroyContext(childHandle, DestroyDescendants)
err := c.DestroyContext(childHandle, client.DestroyDescendants)
if err != nil {
t.Errorf("[ERROR]: Error while cleaning up derived context, this may cause failure in subsequent tests: %s", err)
}
Expand Down Expand Up @@ -156,7 +158,7 @@ func TestExtendTciOnDerivedContexts(d TestDPEInstance, c DPEClient, t *testing.T
}
}

func verifyMeasurements(c DPEClient, t *testing.T, handle *ContextHandle, expectedCurrent []byte, expectedCumulative []byte) {
func verifyMeasurements(c client.DPEClient, t *testing.T, handle *client.ContextHandle, expectedCurrent []byte, expectedCumulative []byte) {
handle, tcbInfo, err := getTcbInfoForHandle(c, handle)
if err != nil {
t.Fatal(err)
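Review bot: At `parentHandle, err := c.RotateContextHandle(handle, client.RotateContextHandleFlags(0))` a failure is only recorded with t.Errorf and the test then uses `parentHandle` both in the deferred restore (`c.RotateContextHandle(parentHandle, client.RotateContextHandleFlags(client.TargetIsDefault))`) and in the DeriveChild call below; if a failed rotate yields a nil or zero handle (the client's return type is not visible in this hunk), those follow-on calls run against a bogus handle and their errors hide the real cause. Because nothing has been mutated yet at that point, stopping with `t.Fatalf("[FATAL]: Error while rotating parent context handle: %s", err)` is the safer choice and the "may cause failure in subsequent tests" wording no longer applies. TestExtendTciOnDerivedContexts's body continues outside the hunk.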
Expand Up @@ -8,13 +8,14 @@ import (
"fmt"
"testing"

"github.com/chipsalliance/caliptra-dpe/verification/client"
zx509 "github.com/zmap/zcrypto/x509"
zlint "github.com/zmap/zlint/v3"
"github.com/zmap/zlint/v3/lint"
)

// TestGetCertificateChain tests calling GetCertificateChain
func TestGetCertificateChain(d TestDPEInstance, client DPEClient, t *testing.T) {
func TestGetCertificateChain(d client.TestDPEInstance, client client.DPEClient, t *testing.T) {
certChain, err := client.GetCertificateChain()
if err != nil {
t.Fatalf("[FATAL]: Could not get Certificate Chain: %v", err)
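Review bot: In `func TestGetCertificateChain(d client.TestDPEInstance, client client.DPEClient, t *testing.T)` the parameter named `client` shadows the newly imported `client` package for the whole function body (the signature itself still resolves, since a parameter's scope is only the body), so any `client.X` reference to the package inside the body — a flag constant, `client.GetTransportProfile` — would now resolve to the DPEClient value and fail to compile, and the signature reads ambiguously. The same shadowing is introduced in `func TestGetProfile(d client.TestDPEInstance, client client.DPEClient, t *testing.T)` in the get-profile file. Renaming the parameter to `c`, as certifyKey.go and extendTCI.go already do (`c client.DPEClient`), removes the hazard: `func TestGetCertificateChain(d client.TestDPEInstance, c client.DPEClient, t *testing.T) {` with `certChain, err := c.GetCertificateChain()`. Both function bodies continue outside their hunks, so I cannot confirm whether such a package reference already exists.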
Expand Up @@ -4,12 +4,14 @@ package verification

import (
"testing"

"github.com/chipsalliance/caliptra-dpe/verification/client"
)

// This file is used to test the get profile command.

// TestGetProfile tests calling GetProfile
func TestGetProfile(d TestDPEInstance, client DPEClient, t *testing.T) {
func TestGetProfile(d client.TestDPEInstance, client client.DPEClient, t *testing.T) {
const minTCINodes uint32 = 8

for _, locality := range d.GetSupportedLocalities() {
5 changes: 4 additions & 1 deletion verification/go.mod → verification/testing/go.mod
@@ -1,8 +1,11 @@
module github.com/chipsalliance/caliptra-dpe/verification
module github.com/chipsalliance/caliptra-dpe/verification/testing

go 1.20

replace github.com/chipsalliance/caliptra-dpe/verification/client => ../client

require (
github.com/chipsalliance/caliptra-dpe/verification/client v0.0.0-00010101000000-000000000000
github.com/google/go-tpm v0.9.0
github.com/google/go-tpm-tools v0.4.1
github.com/zmap/zcrypto v0.0.0-20230422215203-9a665e1e9968