Documentation
¶
Overview ¶
Package verification provides verification tests for implementations of the DPE iRoT profile.
Index ¶
- Variables
- func GetSimulatorTarget(supportNeeded []string, targetExe string) client.TestDPEInstance
- func RunTargetTestCases(target TestTarget, t *testing.T)
- func TestAsymmetricSigning(d client.TestDPEInstance, c client.DPEClient, t *testing.T)
- func TestCertifyKey(d client.TestDPEInstance, c client.DPEClient, t *testing.T)
- func TestCertifyKeyCsr(d client.TestDPEInstance, c client.DPEClient, t *testing.T)
- func TestCertifyKeySimulation(d client.TestDPEInstance, c client.DPEClient, t *testing.T)
- func TestChangeLocality(d client.TestDPEInstance, c client.DPEClient, t *testing.T)
- func TestDeriveContext(d client.TestDPEInstance, c client.DPEClient, t *testing.T)
- func TestDeriveContextRecursive(d client.TestDPEInstance, c client.DPEClient, t *testing.T)
- func TestDeriveContextRecursiveOnDerivedContexts(d client.TestDPEInstance, c client.DPEClient, t *testing.T)
- func TestDeriveContextSimulation(d client.TestDPEInstance, c client.DPEClient, t *testing.T)
- func TestGetCertificateChain(d client.TestDPEInstance, client client.DPEClient, t *testing.T)
- func TestGetProfile(d client.TestDPEInstance, client client.DPEClient, t *testing.T)
- func TestInitializeContext(d client.TestDPEInstance, c client.DPEClient, t *testing.T)
- func TestInitializeSimulation(d client.TestDPEInstance, c client.DPEClient, t *testing.T)
- func TestInternalInputFlags(d client.TestDPEInstance, c client.DPEClient, t *testing.T)
- func TestInvalidHandle(d client.TestDPEInstance, c client.DPEClient, t *testing.T)
- func TestMaxTCIs(d client.TestDPEInstance, c client.DPEClient, t *testing.T)
- func TestPrivilegesEscalation(d client.TestDPEInstance, c client.DPEClient, t *testing.T)
- func TestRotateContextHandle(d client.TestDPEInstance, c client.DPEClient, t *testing.T)
- func TestRotateContextHandleSimulation(d client.TestDPEInstance, c client.DPEClient, t *testing.T)
- func TestSignSimulation(d client.TestDPEInstance, c client.DPEClient, t *testing.T)
- func TestSymmetricSigning(d client.TestDPEInstance, c client.DPEClient, t *testing.T)
- func TestTpmPolicySigning(d dpe.TestDPEInstance, c dpe.DPEClient, t *testing.T)
- func TestUnsupportedCommand(d client.TestDPEInstance, c client.DPEClient, t *testing.T)
- func TestUnsupportedCommandFlag(d client.TestDPEInstance, c client.DPEClient, t *testing.T)
- func TestWrongLocality(d client.TestDPEInstance, c client.DPEClient, t *testing.T)
- type AuthorityKeyIdentifier
- type BasicConstraints
- type CertifyKeyParams
- type DiceTcbInfo
- type DpeTestFunc
- type Fwid
- type OperationalFlag
- type SubjectKeyIdentifier
- type TcgMultiTcbInfo
- type TcgUeidExtension
- type TestCase
- type TestTarget
Constants ¶
This section is empty.
Variables ¶
var ( OidExtensionSubjectKeyIdentifier = asn1.ObjectIdentifier{2, 5, 29, 14} OidExtensionKeyUsage = asn1.ObjectIdentifier{2, 5, 29, 15} OidExtensionAuthorityKeyIdentifier = asn1.ObjectIdentifier{2, 5, 29, 35} OidExtensionBasicConstraints = asn1.ObjectIdentifier{2, 5, 29, 19} OidExtensionExtKeyUsage = asn1.ObjectIdentifier{2, 5, 29, 37} OidExtensionTcgDiceUeid = asn1.ObjectIdentifier{2, 23, 133, 5, 4, 4} OidExtensionTcgDiceMultiTcbInfo = asn1.ObjectIdentifier{2, 23, 133, 5, 4, 5} OidExtensionTcgDiceKpIdentityInit = asn1.ObjectIdentifier{2, 23, 133, 5, 4, 100, 6} OidExtensionTcgDiceKpIdentityLoc = asn1.ObjectIdentifier{2, 23, 133, 5, 4, 100, 7} OidExtensionTcgDiceKpAttestInit = asn1.ObjectIdentifier{2, 23, 133, 5, 4, 100, 8} OidExtensionTcgDiceKpAttestLoc = asn1.ObjectIdentifier{2, 23, 133, 5, 4, 100, 9} OidExtensionTcgDiceKpAssertInit = asn1.ObjectIdentifier{2, 23, 133, 5, 4, 100, 10} OidExtensionTcgDiceKpAssertLoc = asn1.ObjectIdentifier{2, 23, 133, 5, 4, 100, 11} OidExtensionTcgDiceKpEca = asn1.ObjectIdentifier{2, 23, 133, 5, 4, 100, 12} OidSHA256 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 1} OidSHA384 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 2} )
This file is used to test the certify key command.
var AllTestCases = []TestCase{ CertifyKeyTestCase, CertifyKeyCsrTestCase, CertifyKeySimulationTestCase, GetCertificateChainTestCase, TpmPolicySigningTestCase, RotateContextTestCase, RotateContextSimulationTestCase, SignAsymmetricTestCase, SignSymmetricTestCase, SignSimulationTestCase, GetProfileTestCase, InitializeContextTestCase, InitializeContextSimulationTestCase, InvalidHandleTestCase, WrongLocalityTestCase, }
AllTestCases contains all DPE test cases
var CertifyKeyCsrTestCase = TestCase{ "CertifyKeyCsr", TestCertifyKeyCsr, []string{"AutoInit", "Csr", "IsCA"}, }
client.CertifyKeyCsrTestCase tests CertifyKey with type = CSR
var CertifyKeySimulationTestCase = TestCase{ "CertifyKeySimulation", TestCertifyKeySimulation, []string{"AutoInit", "Simulation", "X509", "IsCA"}, }
CertifyKeySimulationTestCase tests CertifyKey on Simulation mode contexts
var CertifyKeyTestCase = TestCase{ "CertifyKey", TestCertifyKey, []string{"AutoInit", "X509", "IsCA"}, }
CertifyKeyTestCase tests CertifyKey
var DeriveContextInputFlagsTestCase = TestCase{ "DeriveContext_InputFlagsSupport", TestInternalInputFlags, []string{"AutoInit", "InternalDice", "InternalInfo"}, }
DeriveContextInputFlagsTestCase tests DeriveContext with the input flags InternalDiceInfo and InternalInputInfo.
var DeriveContextLocalityTestCase = TestCase{ "DeriveContext_ChangeLocality", TestChangeLocality, []string{"AutoInit"}, }
DeriveContextLocalityTestCase tests DerivedContext with the ChangeLocality flag.
var DeriveContextMaxTCIsTestCase = TestCase{ "DeriveContext_MaxTCIs", TestMaxTCIs, []string{"AutoInit"}, }
DeriveContextMaxTCIsTestCase checks whether the number of derived contexts is limited by MAX_TCI_NODES attribute of the profile
var DeriveContextPrivilegeEscalationTestCase = TestCase{ "DeriveContext_PrivilegeEscalation", TestPrivilegesEscalation, []string{"AutoInit", "X509", "IsCA"}, }
DeriveContextPrivilegeEscalationTestCase tests that commands trying to use features that are unsupported by child context fail.
var DeriveContextRecursiveOnDerivedContextsTestCase = TestCase{ "DeriveContext_RecursiveOnDerivedContexts", TestDeriveContextRecursiveOnDerivedContexts, []string{"AutoInit", "Recursive", "RetainParentContext", "X509", "RotateContext"}, }
DeriveContextRecursiveOnDerivedContextsTestCase tests DeriveContext with the Recursive input flag on derived contexts
var DeriveContextRecursiveTestCase = TestCase{ "DeriveContext_Recursive", TestDeriveContextRecursive, []string{"AutoInit", "Recursive", "X509"}, }
DeriveContextRecursiveTestCase tests DeriveContext with the Recursive input flag
var DeriveContextSimulationTestCase = TestCase{ "DeriveContextSimulation", TestDeriveContextSimulation, []string{"AutoInit", "Simulation", "X509", "InternalDice", "InternalInfo", "RetainParentContext"}, }
DeriveContextSimulationTestCase tests DeriveContext with Simulation contexts
var DeriveContextTestCase = TestCase{ "DeriveContext", TestDeriveContext, []string{"AutoInit", "RetainParentContext"}, }
DeriveContextTestCase tests DeriveContext
var GetCertificateChainTestCase = TestCase{ "GetCertificateChain", TestGetCertificateChain, []string{"AutoInit", "X509"}, }
GetCertificateChainTestCase tests GetCertificateChain
var GetProfileTestCase = TestCase{ "GetProfile", TestGetProfile, []string{}, }
GetProfileTestCase tests GetProfile
var InitializeContextSimulationTestCase = TestCase{ "InitializeContextSimulation", TestInitializeSimulation, []string{"Simulation"}, }
InitializeContextSimulationTestCase tests InitializeContext in simulation mode
var InitializeContextTestCase = TestCase{ "InitializeContext", TestInitializeContext, []string{}, }
InitializeContextTestCase tests InitializeContext
var InvalidHandle = client.ContextHandle{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15}
InvalidHandle is a sample DPE handle which is very unlikely to be valid
var InvalidHandleTestCase = TestCase{ "CheckInvalidHandle", TestInvalidHandle, []string{"Simulation", "RotateContext"}, }
InvalidHandleTestCase tests various commands with invalid context handles
var IrreversibleTestCases = []TestCase{ DeriveContextTestCase, DeriveContextLocalityTestCase, DeriveContextPrivilegeEscalationTestCase, DeriveContextMaxTCIsTestCase, DeriveContextRecursiveTestCase, DeriveContextRecursiveOnDerivedContextsTestCase, }
var RotateContextSimulationTestCase = TestCase{ "RotateContextHandleSimulation", TestRotateContextHandleSimulation, []string{"Simulation", "RotateContext"}, }
RotateContextSimulationTestCase tests RotateContext with Simulation contexts
var RotateContextTestCase = TestCase{ "RotateContextHandle", TestRotateContextHandle, []string{"AutoInit", "RotateContext"}, }
RotateContextTestCase tests RotateContext
var SignAsymmetricTestCase = TestCase{ "Sign", TestAsymmetricSigning, []string{"AutoInit", "X509"}, }
SignAsymmetricTestCase tests Sign
var SignSimulationTestCase = TestCase{ "SignSimulation", TestSignSimulation, []string{"Simulation"}, }
SignSimulationTestCase tests Sign with Simulation contexts
var SignSymmetricTestCase = TestCase{ "SignSymmetric", TestSymmetricSigning, []string{"AutoInit", "IsSymmetric"}, }
SignSymmetricTestCase tests Sign with is-symmetric = true
var TargetExe *string
TargetExe is the simulator executable to use for this test target
var TcgDiceCriticalExtensions = [...]string{ OidExtensionTcgDiceMultiTcbInfo.String(), OidExtensionTcgDiceUeid.String(), }
TcgDiceCriticalExtensions are the OIDs of DICE extensions which must be marked as critical
var TcgDiceExtendedKeyUsages = [...]string{ OidExtensionTcgDiceKpIdentityLoc.String(), OidExtensionTcgDiceKpAttestLoc.String(), }
TcgDiceExtendedKeyUsages are the DICE OIDs expected to be present in the DPE leaf EKU extension
var TpmPolicySigningTestCase = TestCase{ "TPMPolicySigning", TestTpmPolicySigning, []string{"AutoInit", "X509"}, }
TpmPolicySigningTestCase tests using DPE to satisfy TPM PolicySigned
var UnsupportedCommand = TestCase{ "CheckSupportForCommand", TestUnsupportedCommand, []string{"AutoInit"}, }
UnsupportedCommand tests calling unsupported commands
var UnsupportedCommandFlag = TestCase{ "CheckSupportForCommandFlag", TestUnsupportedCommandFlag, []string{"AutoInit", "RotateContext"}, }
UnsupportedCommandFlag tests calling unsupported commands flags
var WrongLocalityTestCase = TestCase{ "CheckWrongLocality", TestWrongLocality, []string{"AutoInit", "RotateContext"}, }
WrongLocalityTestCase tests various commands with invalid localities
Functions ¶
func GetSimulatorTarget ¶
func GetSimulatorTarget(supportNeeded []string, targetExe string) client.TestDPEInstance
GetSimulatorTarget gets the simulator target
func RunTargetTestCases ¶
func RunTargetTestCases(target TestTarget, t *testing.T)
RunTargetTestCases runs all test cases for target
func TestAsymmetricSigning ¶
TestAsymmetricSigning obtains and validates signature of asymmetric signing. Check whether the digital signature returned by Sign command can be verified using public key in signing key certificate returned by CertifyKey command. Inspite of the DPE profile supporting symmetric key, for symmetric signing it must be enabled explicitly in Sign command flags. Else asymmetric signing is used as default.
func TestCertifyKey ¶
TestCertifyKey tests calling CertifyKey
func TestCertifyKeyCsr ¶
Testclient.CertifyKeyCsr tests calling CeritifyKey with type = CSR
func TestCertifyKeySimulation ¶
TestCertifyKeySimulation tests calling CertifyKey on simulation contexts
func TestChangeLocality ¶
Validates DerivedChild command with ChangeLocality flag.
func TestDeriveContext ¶
func TestDeriveContextRecursive ¶
TestDeriveContextRecursive checks whether the DeriveContext command updates the current TCI and cumulative TCI when the recursive flag is set.
func TestDeriveContextRecursiveOnDerivedContexts ¶
func TestDeriveContextRecursiveOnDerivedContexts(d client.TestDPEInstance, c client.DPEClient, t *testing.T)
TestDeriveContextRecursiveOnDerivedContexts tests the DeriveContext command with the recursive flag on derived child contexts.
func TestGetCertificateChain ¶
TestGetCertificateChain tests calling GetCertificateChain
func TestGetProfile ¶
TestGetProfile tests calling GetProfile
func TestInitializeContext ¶
TestInitializeContext tests calling InitializeContext
func TestInitializeSimulation ¶
TestInitializeSimulation tests calling InitializeContext simulation mode
func TestInternalInputFlags ¶
Checks whether the DeriveContext input flags - InternalDiceInfo, InternalInputInfo are supported while creating child contexts when these features are supported in DPE profile.
func TestInvalidHandle ¶
TestInvalidHandle checks whether error is reported when non-existent handle is passed as input to DPE commands. Exceptions are - GetProfile, InitializeContext, GetCertificateChain, commands which do not need context handle as input parameter.
func TestMaxTCIs ¶
Checks whether the number of derived contexts (TCI nodes) are limited by MAX_TCI_NODES attribute of the profile
func TestPrivilegesEscalation ¶
Checks the privilege escalation of child When commands try to make use of features that are unsupported by child context, they fail.
func TestRotateContextHandle ¶
TestRotateContextHandle tests the RotateContextHandle command
func TestRotateContextHandleSimulation ¶
TestRotateContextHandleSimulation tests calling RotateContextHandle on simulation contexts
func TestSignSimulation ¶
TestSignSimulation cheks command fails in simulated context because this context does not allow signing. This is because simulation context does not allow using context's private key.
func TestSymmetricSigning ¶
TestSymmetricSigning obtains HMAC (symmetric signature) generated and compares for varying label inputs. Signature created is deterministic and depends on label passed to command. This is because label is used by DPE in symmetric key derivation. Invoking Sign command multiple times with same label and same content (TBS) should return same signature but it should return different signatures for different labels despite having the same content (To Be Signed content).
func TestTpmPolicySigning ¶
TestTpmPolicySigning tests using DPE to satisfy TPM PolicySigned
func TestUnsupportedCommand ¶
TestUnsupportedCommand checks whether error is reported while using commands that are turned off in DPE. DPE commands - RotateContextHandle requires support to be enabled in DPE profile before being called.
func TestUnsupportedCommandFlag ¶
TestUnsupportedCommandFlag checks whether error is reported while enabling command flags that are turned off in DPE. The DPE command may be available but some of its flags may not be supported by DPE. DPE profile supports the below attributes. Simulation : Allows caller to request for context initialization in simulation mode IsCA : Allows caller to request the key cert of CA Csr : Allows caller to request the key cert in CSR format X509 : Allows caller to request the key cert in X509 format IsSymmetric : Allows caller to request for symmetric signing InternalInfo : Allows caller to derive child context with InternalInfo InternalDice : Allows caller to derive child context with InternalDice
func TestWrongLocality ¶
TestWrongLocality checks whether error is reported when caller from one locality issues DPE commands in another locality. Exceptions are - GetProfile, InitializeContext, GetCertificateChain, commands which do not need context handle as input and hence locality is irrelevant.
Types ¶
type AuthorityKeyIdentifier ¶
type AuthorityKeyIdentifier struct {
KeyIdentifier []byte `asn1:"optional,tag:0"`
}
type BasicConstraints ¶
BasicConstraints represents an X.509 BasicConstraints extension
type CertifyKeyParams ¶
type CertifyKeyParams struct {
Label []byte
Flags client.CertifyKeyFlags
}
CertifyKeyParams holds configurable parameters to CertifyKey for test-cases
type DiceTcbInfo ¶
type DiceTcbInfo struct {
Vendor string `asn1:"optional,tag:0,utf8"`
Model string `asn1:"optional,tag:1,utf8"`
Version string `asn1:"optional,tag:2,utf8"`
SVN int `asn1:"optional,tag:3"`
Layer int `asn1:"optional,tag:4"`
Index int `asn1:"optional,tag:5"`
Fwids []Fwid `asn1:"optional,tag:6"`
Flags OperationalFlag `asn1:"optional,tag:7"`
VendorInfo []byte `asn1:"optional,tag:8"`
Type []byte `asn1:"optional,tag:9"`
}
DiceTcbInfo represents the following ASN.1 structures tcg-dice-MultiTcbInfo OBJECT IDENTIFIER ::= {tcg-dice 5} DiceTcbInfoSeq ::= SEQUENCE SIZE (1..MAX) OF DiceTcbInfo
tcg-dice-TcbInfo OBJECT IDENTIFIER ::= {tcg-dice 1}
DiceTcbInfo ::== SEQUENCE {
vendor [0] IMPLICIT UTF8String OPTIONAL,
model [1] IMPLICIT UTF8String OPTIONAL,
version [2] IMPLICIT UTF8String OPTIONAL,
svn [3] IMPLICIT INTEGER OPTIONAL,
layer [4] IMPLICIT INTEGER OPTIONAL,
index [5] IMPLICIT INTEGER OPTIONAL,
fwids [6] IMPLICIT FWIDLIST OPTIONAL,
flags [7] IMPLICIT OperationalFlags OPTIONAL,
vendorInfo [8] IMPLICIT OCTET STRING OPTIONAL,
type [9] IMPLICIT OCTET STRING OPTIONAL,
}
FWIDLIST ::== SEQUENCE SIZE (1..MAX) OF FWID
FWID ::== SEQUENCE {
hashAlg OBJECT IDENTIFIER,
digest OCTET STRING
}
OperationalFlags ::= BIT STRING {
notConfigured (0),
notSecure (1),
recovery (2),
debug (3)
}
type DpeTestFunc ¶
DpeTestFunc is the function template that a DPE test case must implement
type Fwid ¶
type Fwid struct {
HashAlg asn1.ObjectIdentifier
Digest []byte
}
Fwid represents a TCG DICE FWID structure
type OperationalFlag ¶
type OperationalFlag int
OperationalFlag represents the TCBInfo Operational Flags field
const ( NotConfigured OperationalFlag = iota NotSecure Debug Recovery )
TCG spec-defined operational flags
type SubjectKeyIdentifier ¶
type SubjectKeyIdentifier = []byte
type TcgMultiTcbInfo ¶
type TcgMultiTcbInfo = []DiceTcbInfo
TcgMultiTcbInfo represents a sequence of TCBInfos
type TcgUeidExtension ¶
type TcgUeidExtension struct {
Ueid []uint8 `asn1:"ueid,implicit"`
}
TcgUeidExtension is tcg-dice-Ueid OBJECT IDENTIFIER ::= {tcg-dice 4}
TcgUeid ::== SEQUENCE {
ueid OCTET STRING
}
type TestCase ¶
type TestCase struct {
Name string
Run DpeTestFunc
SupportNeeded []string
}
TestCase is metadata for a DPE test case
type TestTarget ¶
type TestTarget struct {
Name string
D client.TestDPEInstance
TestCases []TestCase
}
TestTarget is a client.TestDPEInstance and corresponding list of test cases to run against that target.
func GetSimulatorTargets ¶
func GetSimulatorTargets() []TestTarget
GetSimulatorTargets gets different simulator targets with different support vectors to run the verification tests against
Source Files