Move Go verification tests and client to separate packages #296

Merged
merged 1 commit into from
Jan 3, 2024
Merged
2 changes: 1 addition & 1 deletion ci.sh
Expand Up @@ -58,7 +58,7 @@ function run_verification_tests() {

cargo build --manifest-path simulator/Cargo.toml --features=$profile,$crypto --no-default-features

( cd verification
( cd verification/testing
go test -v
)
}
5 changes: 3 additions & 2 deletions verification/README.md
@@ -1,4 +1,5 @@
# DPE Verification Tests

This test suite is a userspace test-suite which exercises DPE commands
end-to-end and ensures compliance with the DPE iRoT Profile.
* client: A generic Golang DPE client library
* testing: A userspace test suite which exercises DPE commands end-to-end and
ensures compliance with the DPE iRoT Profile.
2 changes: 1 addition & 1 deletion verification/abi.go → verification/client/abi.go
100755 → 100644
@@ -1,6 +1,6 @@
// Licensed under the Apache-2.0 license

package verification
package client

import (
"fmt"
2 changes: 1 addition & 1 deletion verification/client.go → verification/client/client.go
100755 → 100644
@@ -1,6 +1,6 @@
// Licensed under the Apache-2.0 license

package verification
package client

import (
"fmt"
2 changes: 1 addition & 1 deletion verification/errors.go → verification/client/errors.go
@@ -1,6 +1,6 @@
// Licensed under the Apache-2.0 license

package verification
package client

import "fmt"

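--- /dev/null
+++ b/verification/client/go.mod
@@ -0,0 +1,3 @@
+module github.com/chipsalliance/caliptra-dpe/verification/client
+
+go 1.20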
2 changes: 1 addition & 1 deletion verification/helpers.go → verification/client/helpers.go
@@ -1,6 +1,6 @@
// Licensed under the Apache-2.0 license

package verification
package client

import (
"bytes"
2 changes: 1 addition & 1 deletion verification/profile.go → verification/client/profile.go
@@ -1,6 +1,6 @@
// Licensed under the Apache-2.0 license

package verification
package client

import "fmt"

@@ -1,6 +1,6 @@
// Licensed under the Apache-2.0 license

package verification
package client

import (
"reflect"
47 changes: 24 additions & 23 deletions verification/certifyKey.go → verification/testing/certifyKey.go
100755 → 100644
Expand Up @@ -19,6 +19,7 @@ import (

"go.mozilla.org/pkcs7"

"github.com/chipsalliance/caliptra-dpe/verification/client"
zx509 "github.com/zmap/zcrypto/x509"
zlint "github.com/zmap/zlint/v3"
"github.com/zmap/zlint/v3/lint"
Expand Down Expand Up @@ -117,34 +118,34 @@ type TcgMultiTcbInfo = []DiceTcbInfo
// CertifyKeyParams holds configurable parameters to CertifyKey for test-cases
type CertifyKeyParams struct {
Label []byte
Flags CertifyKeyFlags
Flags client.CertifyKeyFlags
}

// TestCertifyKey tests calling CertifyKey
func TestCertifyKey(d TestDPEInstance, c DPEClient, t *testing.T) {
func TestCertifyKey(d client.TestDPEInstance, c client.DPEClient, t *testing.T) {
testCertifyKey(d, c, t, false)
}

// TestCertifyKeySimulation tests calling CertifyKey on simulation contexts
func TestCertifyKeySimulation(d TestDPEInstance, c DPEClient, t *testing.T) {
func TestCertifyKeySimulation(d client.TestDPEInstance, c client.DPEClient, t *testing.T) {
testCertifyKey(d, c, t, true)
}

// TestCertifyKeyCsr tests calling CeritifyKey with type = CSR
func TestCertifyKeyCsr(d TestDPEInstance, c DPEClient, t *testing.T) {
// Testclient.CertifyKeyCsr tests calling CeritifyKey with type = CSR
func TestCertifyKeyCsr(d client.TestDPEInstance, c client.DPEClient, t *testing.T) {
ctx := getInitialContextHandle(d, c, t, false)

profile, err := GetTransportProfile(d)
profile, err := client.GetTransportProfile(d)
if err != nil {
t.Fatalf("Could not get profile: %v", err)
}
digestLen := profile.GetDigestSize()

flags := CertifyKeyFlags(0)
flags := client.CertifyKeyFlags(0)
label := make([]byte, digestLen)

// Get DPE leaf certificate from CertifyKey
certifyKeyResp, err := c.CertifyKey(ctx, label, CertifyKeyCsr, flags)
certifyKeyResp, err := c.CertifyKey(ctx, label, client.CertifyKeyCsr, flags)
if err != nil {
t.Fatalf("[FATAL]: Could not certify key: %v", err)
}
Expand All @@ -163,7 +164,7 @@ func TestCertifyKeyCsr(d TestDPEInstance, c DPEClient, t *testing.T) {
lastCertInCertChain := certChain[len(certChain)-1]

// Get DPE leaf cert
certifyKeyResp, err = c.CertifyKey(ctx, label, CertifyKeyX509, flags)
certifyKeyResp, err = c.CertifyKey(ctx, label, client.CertifyKeyX509, flags)
if err != nil {
t.Fatalf("[FATAL]: Could not certify key: %v", err)
}
Expand Down Expand Up @@ -333,7 +334,7 @@ func checkCertifyKeyExtendedKeyUsages(t *testing.T, extensions []pkix.Extension,
// Checks for KeyUsage Extension as per spec
// If IsCA = true, KeyUsage extension MUST contain DigitalSignature and KeyCertSign
// If IsCA = false, KeyUsage extension MUST contain only DigitalSignature
func checkCertifyKeyExtensions(t *testing.T, extensions []pkix.Extension, flags CertifyKeyFlags, label []byte) {
func checkCertifyKeyExtensions(t *testing.T, extensions []pkix.Extension, flags client.CertifyKeyFlags, label []byte) {
t.Helper()

bc, err := getBasicConstraints(extensions)
Expand Down Expand Up @@ -378,7 +379,7 @@ func checkCertifyKeyExtensions(t *testing.T, extensions []pkix.Extension, flags
// The BasicConstraints extension MUST be included
// If CertifyKey AddIsCA is set, IsCA MUST be set to true.
// If CertifyKey AddIsCA is NOT set, IsCA MUST be set to false
func checkCertifyKeyBasicConstraints(t *testing.T, extensions []pkix.Extension, flags CertifyKeyFlags) {
func checkCertifyKeyBasicConstraints(t *testing.T, extensions []pkix.Extension, flags client.CertifyKeyFlags) {
t.Helper()

flagsBuf := &bytes.Buffer{}
Expand All @@ -389,7 +390,7 @@ func checkCertifyKeyBasicConstraints(t *testing.T, extensions []pkix.Extension,
t.Error(err)
}

flagIsCA := CertifyAddIsCA&flags != 0
flagIsCA := client.CertifyAddIsCA&flags != 0
if flagIsCA != bc.IsCA {
t.Errorf("[ERROR]: ADD_IS_CA is set to %v but the basic constraint IsCA is set to %v", flagIsCA, bc.IsCA)
}
Expand Down Expand Up @@ -470,15 +471,15 @@ func checkCertificateStructure(t *testing.T, certBytes []byte) *x509.Certificate
return x509Cert
}

func testCertifyKey(d TestDPEInstance, c DPEClient, t *testing.T, simulation bool) {
func testCertifyKey(d client.TestDPEInstance, c client.DPEClient, t *testing.T, simulation bool) {
handle := getInitialContextHandle(d, c, t, simulation)
defer func() {
if simulation {
c.DestroyContext(handle, DestroyDescendants)
c.DestroyContext(handle, client.DestroyDescendants)
}
}()

profile, err := GetTransportProfile(d)
profile, err := client.GetTransportProfile(d)
if err != nil {
t.Fatalf("Could not get profile: %v", err)
}
Expand All @@ -490,13 +491,13 @@ func testCertifyKey(d TestDPEInstance, c DPEClient, t *testing.T, simulation boo
}

certifyKeyParams := []CertifyKeyParams{
{Label: make([]byte, digestLen), Flags: CertifyKeyFlags(0)},
{Label: seqLabel, Flags: CertifyKeyFlags(0)},
{Label: make([]byte, digestLen), Flags: client.CertifyKeyFlags(0)},
{Label: seqLabel, Flags: client.CertifyKeyFlags(0)},
}

for _, params := range certifyKeyParams {
// Get DPE leaf certificate from CertifyKey
certifyKeyResp, err := c.CertifyKey(handle, params.Label, CertifyKeyX509, params.Flags)
certifyKeyResp, err := c.CertifyKey(handle, params.Label, client.CertifyKeyX509, params.Flags)
if err != nil {
t.Fatalf("[FATAL]: Could not certify key: %v", err)
}
Expand Down Expand Up @@ -624,16 +625,16 @@ func getKeyUsageNames(keyUsage x509.KeyUsage) []string {
return keyUsageNames
}

func checkPubKey(t *testing.T, p Profile, pubkey any, response CertifiedKey) {
func checkPubKey(t *testing.T, p client.Profile, pubkey any, response client.CertifiedKey) {
var pubKeyInResponse ecdsa.PublicKey
switch p {
case ProfileP256SHA256:
case client.ProfileP256SHA256:
pubKeyInResponse = ecdsa.PublicKey{
Curve: elliptic.P256(),
X: new(big.Int).SetBytes(response.Pub.X),
Y: new(big.Int).SetBytes(response.Pub.Y),
}
case ProfileP384SHA384:
case client.ProfileP384SHA384:
pubKeyInResponse = ecdsa.PublicKey{
Curve: elliptic.P384(),
X: new(big.Int).SetBytes(response.Pub.X),
Expand All @@ -654,8 +655,8 @@ func checkPubKey(t *testing.T, p Profile, pubkey any, response CertifiedKey) {
}

// Checks whether the context handle is unchanged after certifyKey command when default context handle is used.
func checkCertifyKeyRespHandle(res CertifiedKey, t *testing.T, handle *ContextHandle) {
if *handle != DefaultContextHandle {
func checkCertifyKeyRespHandle(res client.CertifiedKey, t *testing.T, handle *client.ContextHandle) {
if *handle != client.DefaultContextHandle {
t.Logf("[LOG]: Handle is not default context, skipping check...")
return
}
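Review bot: The doc comment on the new side now reads `// Testclient.CertifyKeyCsr tests calling CeritifyKey with type = CSR`, which looks like a collateral hit from the search-and-replace that prefixed identifiers with `client.`; a Go doc comment must begin with the function's own name, so godoc and the linters will no longer associate it with TestCertifyKeyCsr. It should read `// TestCertifyKeyCsr tests calling CertifyKey with type = CSR`, which also fixes the CeritifyKey typo. Since every other hunk in this file touched only identifiers, it may be worth grepping the moved files for other `client.` fragments that landed inside comments or string literals.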
6 changes: 4 additions & 2 deletions verification/certs.go → verification/testing/certs.go
Expand Up @@ -7,6 +7,8 @@ import (
"crypto/x509/pkix"
"encoding/asn1"
"fmt"

"github.com/chipsalliance/caliptra-dpe/verification/client"
)

// This file is used to test the certify key command.
Expand Down Expand Up @@ -128,7 +130,7 @@ func getKeyUsage(extensions []pkix.Extension) (x509.KeyUsage, error) {
return x509.KeyUsage(usage), nil
}

func getTcbInfoForHandle(c DPEClient, handle *ContextHandle) (*ContextHandle, DiceTcbInfo, error) {
func getTcbInfoForHandle(c client.DPEClient, handle *client.ContextHandle) (*client.ContextHandle, DiceTcbInfo, error) {
outHandle := handle

// Get digest size
Expand All @@ -140,7 +142,7 @@ func getTcbInfoForHandle(c DPEClient, handle *ContextHandle) (*ContextHandle, Di
digestLen := profile.Profile.GetDigestSize()
label := make([]byte, digestLen)

certifiedKey, err := c.CertifyKey(outHandle, label, CertifyKeyX509, 0)
certifiedKey, err := c.CertifyKey(outHandle, label, client.CertifyKeyX509, 0)
if err != nil {
return outHandle, DiceTcbInfo{}, fmt.Errorf("Could not certify key: %s", err)
}
20 changes: 11 additions & 9 deletions verification/extendTCI.go → verification/testing/extendTCI.go
Expand Up @@ -9,19 +9,21 @@ import (
"hash"

"testing"

"github.com/chipsalliance/caliptra-dpe/verification/client"
)

// TestExtendTCI checks whether the ExtendTCI command updates the current TCI
// and cumulative TCI.
func TestExtendTCI(d TestDPEInstance, c DPEClient, t *testing.T) {
func TestExtendTCI(d client.TestDPEInstance, c client.DPEClient, t *testing.T) {
var err error
useSimulation := false // To indicate that simulation context is not used

// Get default context handle
handle := getInitialContextHandle(d, c, t, useSimulation)

// Get digest size
profile, err := GetTransportProfile(d)
profile, err := client.GetTransportProfile(d)
if err != nil {
t.Fatalf("[FATAL]: Could not get profile: %v", err)
}
Expand Down Expand Up @@ -64,14 +66,14 @@ func computeExpectedCumulative(lastCumulative []byte, tciValue []byte) []byte {

// TestExtendTciOnDerivedContexts checks whether the ExtendTCI command with
// derived child context.
func TestExtendTciOnDerivedContexts(d TestDPEInstance, c DPEClient, t *testing.T) {
func TestExtendTciOnDerivedContexts(d client.TestDPEInstance, c client.DPEClient, t *testing.T) {
useSimulation := false // To indicate that simulation context is not used

// Get default context handle
handle := getInitialContextHandle(d, c, t, useSimulation)

// Get digest size
profile, err := GetTransportProfile(d)
profile, err := client.GetTransportProfile(d)
if err != nil {
t.Fatalf("[FATAL]: Could not get profile: %v", err)
}
Expand All @@ -89,21 +91,21 @@ func TestExtendTciOnDerivedContexts(d TestDPEInstance, c DPEClient, t *testing.T
}

// Preserve parent context to restore for subsequent tests.
parentHandle, err := c.RotateContextHandle(handle, RotateContextHandleFlags(0))
parentHandle, err := c.RotateContextHandle(handle, client.RotateContextHandleFlags(0))
if err != nil {
t.Errorf("[ERROR]: Error while rotating parent context handle, this may cause failure in subsequent tests: %s", err)
}

// Change parent back to default context
defer func() {
_, err = c.RotateContextHandle(parentHandle, RotateContextHandleFlags(TargetIsDefault))
_, err = c.RotateContextHandle(parentHandle, client.RotateContextHandleFlags(client.TargetIsDefault))
if err != nil {
t.Errorf("[ERROR]: Error while restoring parent context handle as default context handle, this may cause failure in subsequent tests: %s", err)
}
}()

// Derive Child context with input data, tag it and check TCI_CUMULATIVE
childCtx, err := c.DeriveChild(parentHandle, tciValue, DeriveChildFlags(RetainParent|InputAllowX509), 0, 0)
childCtx, err := c.DeriveChild(parentHandle, tciValue, client.DeriveChildFlags(client.RetainParent|client.InputAllowX509), 0, 0)
if err != nil {
t.Fatalf("[FATAL]: Error while creating default child handle in default context: %s", err)
}
Expand All @@ -113,7 +115,7 @@ func TestExtendTciOnDerivedContexts(d TestDPEInstance, c DPEClient, t *testing.T

// Clean up contexts
defer func() {
err := c.DestroyContext(childHandle, DestroyDescendants)
err := c.DestroyContext(childHandle, client.DestroyDescendants)
if err != nil {
t.Errorf("[ERROR]: Error while cleaning up derived context, this may cause failure in subsequent tests: %s", err)
}
Expand Down Expand Up @@ -156,7 +158,7 @@ func TestExtendTciOnDerivedContexts(d TestDPEInstance, c DPEClient, t *testing.T
}
}

func verifyMeasurements(c DPEClient, t *testing.T, handle *ContextHandle, expectedCurrent []byte, expectedCumulative []byte) {
func verifyMeasurements(c client.DPEClient, t *testing.T, handle *client.ContextHandle, expectedCurrent []byte, expectedCumulative []byte) {
handle, tcbInfo, err := getTcbInfoForHandle(c, handle)
if err != nil {
t.Fatal(err)
Expand Up @@ -8,13 +8,14 @@ import (
"fmt"
"testing"

"github.com/chipsalliance/caliptra-dpe/verification/client"
zx509 "github.com/zmap/zcrypto/x509"
zlint "github.com/zmap/zlint/v3"
"github.com/zmap/zlint/v3/lint"
)

// TestGetCertificateChain tests calling GetCertificateChain
func TestGetCertificateChain(d TestDPEInstance, client DPEClient, t *testing.T) {
func TestGetCertificateChain(d client.TestDPEInstance, client client.DPEClient, t *testing.T) {
certChain, err := client.GetCertificateChain()
if err != nil {
t.Fatalf("[FATAL]: Could not get Certificate Chain: %v", err)
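Review bot: In TestGetCertificateChain the second parameter is still named `client` while its type is now `client.DPEClient`, so inside the body the parameter shadows the imported package and any later reference to a `client.` constant or type would fail to compile; `client.GetCertificateChain()` on the following line only works because it resolves to the interface method. Renaming the parameter to `c`, as the other moved tests (TestCertifyKey, TestExtendTCI) already do, removes the ambiguity: `func TestGetCertificateChain(d client.TestDPEInstance, c client.DPEClient, t *testing.T) {` and `certChain, err := c.GetCertificateChain()`. TestGetProfile in the next file section has the same shadowed `client` parameter. Both function bodies continue outside the hunk, so remaining uses of the parameter there need the same rename.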
Expand Up @@ -4,12 +4,14 @@ package verification

import (
"testing"

"github.com/chipsalliance/caliptra-dpe/verification/client"
)

// This file is used to test the get profile command.

// TestGetProfile tests calling GetProfile
func TestGetProfile(d TestDPEInstance, client DPEClient, t *testing.T) {
func TestGetProfile(d client.TestDPEInstance, client client.DPEClient, t *testing.T) {
const minTCINodes uint32 = 8

for _, locality := range d.GetSupportedLocalities() {
5 changes: 4 additions & 1 deletion verification/go.mod → verification/testing/go.mod
@@ -1,8 +1,11 @@
module github.com/chipsalliance/caliptra-dpe/verification
module github.com/chipsalliance/caliptra-dpe/verification/testing

go 1.20

replace github.com/chipsalliance/caliptra-dpe/verification/client => ../client

require (
github.com/chipsalliance/caliptra-dpe/verification/client v0.0.0-00010101000000-000000000000
github.com/google/go-tpm v0.9.0
github.com/google/go-tpm-tools v0.4.1
github.com/zmap/zcrypto v0.0.0-20230422215203-9a665e1e9968
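Review bot: The `require` of github.com/chipsalliance/caliptra-dpe/verification/client at the placeholder version v0.0.0-00010101000000-000000000000 only resolves because of the `replace ... => ../client` directive above it; replace directives are honoured only when this module is the main module, so any `go get` or `go mod tidy` run from outside this directory, or any module that imports this one, cannot find that version. That is acceptable for a test-only module that is never imported, but the intent should be stated on the replace line, e.g. `// client is a local, unpublished module; the placeholder version below is satisfied by this replace`. If both modules are expected to evolve together, a go.work file at the repository root is the alternative that avoids the placeholder version entirely.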