Update the unseal flow to support additional capabilities.
The Message Unseal command was updated to support: - ECDH seeds - Sealing to multiple PCRs - Different RSA padding schemes The Cerberus protocol version was updated to version 3.
This commit is contained in:
Christopher Weimer
Родитель
a7cf297eca
Коммит
59c328b5c0
|
|
@ -226,46 +226,27 @@ cleanup:
|
|||
}
|
||||
|
||||
static int attestation_aux_attestation_unseal (struct attestation_slave *attestation,
|
||||
struct hash_engine *hash, const uint8_t *seed, size_t seed_length, const uint8_t *hmac,
|
||||
const uint8_t *ciphertext, size_t cipher_length, const uint8_t *sealing, uint8_t *key,
|
||||
size_t key_length, uint8_t platform_pcr)
|
||||
struct hash_engine *hash, enum aux_attestation_key_length key_type, const uint8_t *seed,
|
||||
size_t seed_length, enum aux_attestation_seed_type seed_type,
|
||||
enum aux_attestation_seed_padding seed_padding, const uint8_t *hmac, enum hmac_hash hmac_type,
|
||||
const uint8_t *ciphertext, size_t cipher_length, const uint8_t sealing[][64], size_t pcr_count,
|
||||
uint8_t *key, size_t key_length)
|
||||
{
|
||||
uint8_t measurement[PCR_DIGEST_LENGTH];
|
||||
uint8_t *encryption_key = NULL;
|
||||
size_t encryption_key_len = 0;
|
||||
int status;
|
||||
|
||||
if ((attestation == NULL) || (key == NULL) || (key_length == 0) || (hash == NULL)) {
|
||||
if (attestation == NULL) {
|
||||
return ATTESTATION_INVALID_ARGUMENT;
|
||||
}
|
||||
|
||||
status = pcr_store_compute (attestation->pcr_store, hash, platform_pcr, measurement);
|
||||
if (ROT_IS_ERROR (status)) {
|
||||
return status;
|
||||
}
|
||||
|
||||
status = aux_attestation_unseal (attestation->aux, hash, seed, seed_length, hmac,
|
||||
ciphertext, cipher_length, sealing, measurement, &encryption_key, &encryption_key_len);
|
||||
if (status != 0) {
|
||||
return status;
|
||||
}
|
||||
|
||||
if (encryption_key_len > key_length) {
|
||||
platform_free (encryption_key);
|
||||
return ATTESTATION_BUF_TOO_SMALL;
|
||||
}
|
||||
|
||||
memcpy (key, encryption_key, encryption_key_len);
|
||||
|
||||
platform_free (encryption_key);
|
||||
|
||||
return encryption_key_len;
|
||||
return aux_attestation_unseal (attestation->aux, hash, attestation->pcr_store, key_type, seed,
|
||||
seed_length, seed_type, seed_padding, hmac, hmac_type, ciphertext, cipher_length, sealing,
|
||||
pcr_count, key, key_length);
|
||||
}
|
||||
|
||||
static int attestation_aux_attestation_unseal_unsupported (
|
||||
struct attestation_slave *attestation, struct hash_engine *hash, const uint8_t *seed,
|
||||
size_t seed_length, const uint8_t *hmac, const uint8_t *ciphertext, size_t cipher_length,
|
||||
const uint8_t *sealing, uint8_t *key, size_t key_length, uint8_t platform_pcr)
|
||||
static int attestation_aux_attestation_unseal_unsupported (struct attestation_slave *attestation,
|
||||
struct hash_engine *hash, enum aux_attestation_key_length key_type, const uint8_t *seed,
|
||||
size_t seed_length, enum aux_attestation_seed_type seed_type,
|
||||
enum aux_attestation_seed_padding seed_padding, const uint8_t *hmac, enum hmac_hash hmac_type,
|
||||
const uint8_t *ciphertext, size_t cipher_length, const uint8_t sealing[][64], size_t pcr_count,
|
||||
uint8_t *key, size_t key_length)
|
||||
{
|
||||
return ATTESTATION_UNSUPPORTED_OPERATION;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -59,23 +59,31 @@ struct attestation_slave {
|
|||
* Unseal an encryption key for auxiliary attestation flows.
|
||||
*
|
||||
* @param attestation The slave attestation manager interface to utilize.
|
||||
* @param hash Hashing engine to utilize.
|
||||
* @param seed The request seed encrypted with the attestation public key.
|
||||
* @param seed_length The length of the request seed.
|
||||
* @param hmac The HMAC for the attestation request. This is an HMAC-SHA256 value.
|
||||
* @param hash The hash engine to use for unsealing.
|
||||
* @param key_type The length of the encryption and signing keys that will be generated.
|
||||
* @param seed The obfuscated seed to use for key derivation.
|
||||
* @param seed_length The length of the obfuscated seed.
|
||||
* @param seed_type The method to use for determining the KDF seed.
|
||||
* @param seed_padding The type of padding used to encrypt the seed. For ECDH seeds, this value
|
||||
* does not matter and can be anything.
|
||||
* @param hmac HMAC of the ciphertext and sealing data using the signing key.
|
||||
* @param hmac_type The type of HMAC used.
|
||||
* @param ciphertext The encrypted attestation data.
|
||||
* @param cipher_length Length of the encrypted data.
|
||||
* @param sealing A 64-byte sealing value for the attestation data.
|
||||
* @param sealing A list of 64-byte sealing values for the attestation data.
|
||||
* @param pcr_count The number of PCRs used for sealing.
|
||||
* @param key Output for the unsealed encryption key that will decrypt the attestation data.
|
||||
* @param key_length Length of the key buffer.
|
||||
* @param platform_pcr PCR to utilize for platform measurement.
|
||||
* @param key_length Length of the encryption key buffer. This must be large enough to support
|
||||
* the requested key length.
|
||||
*
|
||||
* @return Encryption key length if the unsealing was successful or an error code.
|
||||
* @return 0 if the unsealing was successful or an error code.
|
||||
*/
|
||||
int (*aux_attestation_unseal) (struct attestation_slave *attestation, struct hash_engine *hash,
|
||||
const uint8_t *seed, size_t seed_length, const uint8_t *hmac, const uint8_t *ciphertext,
|
||||
size_t cipher_length, const uint8_t *sealing, uint8_t *key, size_t key_length,
|
||||
uint8_t platform_pcr);
|
||||
enum aux_attestation_key_length key_type, const uint8_t *seed, size_t seed_length,
|
||||
enum aux_attestation_seed_type seed_type, enum aux_attestation_seed_padding seed_padding,
|
||||
const uint8_t *hmac, enum hmac_hash hmac_type, const uint8_t *ciphertext,
|
||||
size_t cipher_length, const uint8_t sealing[][64], size_t pcr_count, uint8_t *key,
|
||||
size_t key_length);
|
||||
|
||||
/**
|
||||
* Decrypt a payload using the the auxiliary attestation key.
|
||||
|
|
|
|||
|
|
@ -29,15 +29,19 @@ static const char AUX_ATTESTATION_SIGNING_LABEL[] = "signing key";
|
|||
* Initialize the handler for auxiliary attestation requests.
|
||||
*
|
||||
* @param aux The attestation handler to initialize.
|
||||
* @param keystore The keystore used to store the private key.
|
||||
* @param rsa The RSA engine to use with the private key.
|
||||
* @param keystore The keystore used to store the RSA private key. This can be null if RSA is not
|
||||
* supported.
|
||||
* @param rsa The RSA engine to use with the private key. Set to null if RSA is not supported.
|
||||
* @param riot The RIoT keys to use for ECC operations. This can be null if ECC is not supported.
|
||||
* @param ecc The ECC engine to use with RIoT keys. Set to null if ECC is not supported.
|
||||
*
|
||||
* @return 0 if the attestation handler was successfully initialized or an error code.
|
||||
*/
|
||||
int aux_attestation_init (struct aux_attestation *aux, struct keystore *keystore,
|
||||
struct rsa_engine *rsa)
|
||||
struct rsa_engine *rsa, struct riot_key_manager *riot, struct ecc_engine *ecc)
|
||||
{
|
||||
if ((aux == NULL) || (keystore == NULL) || (rsa == NULL)) {
|
||||
if ((aux == NULL) || ((rsa != NULL) && (keystore == NULL)) ||
|
||||
((ecc != NULL) && (riot == NULL))) {
|
||||
return AUX_ATTESTATION_INVALID_ARGUMENT;
|
||||
}
|
||||
|
||||
|
|
@ -45,6 +49,8 @@ int aux_attestation_init (struct aux_attestation *aux, struct keystore *keystore
|
|||
|
||||
aux->keystore = keystore;
|
||||
aux->rsa = rsa;
|
||||
aux->riot = riot;
|
||||
aux->ecc = ecc;
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
|
@ -97,6 +103,10 @@ int aux_attestation_generate_key (struct aux_attestation *aux)
|
|||
return AUX_ATTESTATION_INVALID_ARGUMENT;
|
||||
}
|
||||
|
||||
if (aux->rsa == NULL) {
|
||||
return AUX_ATTESTATION_UNSUPPORTED_CRYPTO;
|
||||
}
|
||||
|
||||
status = aux->rsa->generate_key (aux->rsa, &rsa_key, AUX_ATTESTATION_KEY_BITS);
|
||||
if (status != 0) {
|
||||
return status;
|
||||
|
|
@ -129,6 +139,10 @@ int aux_attestation_erase_key (struct aux_attestation *aux)
|
|||
return AUX_ATTESTATION_INVALID_ARGUMENT;
|
||||
}
|
||||
|
||||
if (aux->rsa == NULL) {
|
||||
return AUX_ATTESTATION_UNSUPPORTED_CRYPTO;
|
||||
}
|
||||
|
||||
/* There is no synchronization on these calls, but that shouldn't be an issue. This will only
|
||||
* get called in very rare scenarios and/or development situations. The certificate and key
|
||||
* are also only rarely used, reducing the chance of conflict. */
|
||||
|
|
@ -169,6 +183,10 @@ int aux_attestation_create_certificate (struct aux_attestation *aux, struct x509
|
|||
return AUX_ATTESTATION_INVALID_ARGUMENT;
|
||||
}
|
||||
|
||||
if (aux->rsa == NULL) {
|
||||
return AUX_ATTESTATION_UNSUPPORTED_CRYPTO;
|
||||
}
|
||||
|
||||
status = aux->keystore->load_key (aux->keystore, 0, &priv, &length);
|
||||
if (status != 0) {
|
||||
return status;
|
||||
|
|
@ -232,6 +250,10 @@ int aux_attestation_set_certificate (struct aux_attestation *aux, uint8_t *cert,
|
|||
return AUX_ATTESTATION_INVALID_ARGUMENT;
|
||||
}
|
||||
|
||||
if (aux->rsa == NULL) {
|
||||
return AUX_ATTESTATION_UNSUPPORTED_CRYPTO;
|
||||
}
|
||||
|
||||
if (aux->cert.cert) {
|
||||
return AUX_ATTESTATION_HAS_CERTIFICATE;
|
||||
}
|
||||
|
|
@ -290,72 +312,158 @@ const struct der_cert* aux_attestation_get_certificate (struct aux_attestation *
|
|||
*
|
||||
* @param aux The attestation handler to run.
|
||||
* @param hash The hash engine to use for unsealing.
|
||||
* @param seed The request seed encrypted with the attestation public key.
|
||||
* @param seed_length The length of the request seed.
|
||||
* @param hmac The HMAC for the attestation request. This is an HMAC-SHA256 value.
|
||||
* @param pcr Local PCRs to use for sealing verification.
|
||||
* @param key_type The length of the encryption and signing keys that will be generated.
|
||||
* @param seed The obfuscated seed to use for key derivation.
|
||||
* @param seed_length The length of the obfuscated seed.
|
||||
* @param seed_type The method to use for determining the KDF seed.
|
||||
* @param seed_padding The padding method used when encrypting the seed. This parameter does not
|
||||
* matter for ECDH seeds and can be set to anything in those cases.
|
||||
* @param hmac HMAC of the ciphertext and sealing data using the signing key.
|
||||
* @param hmac_type The type of HMAC used.
|
||||
* @param ciphertext The encrypted attestation data.
|
||||
* @param cipher_length Length of the encrypted data.
|
||||
* @param sealing A 64-byte sealing value for the attestation data.
|
||||
* @param pcr The platform PCR from local firmware measurements. This is an HMAC-SHA256 value.
|
||||
* @param key Output for the unsealed encryption key that will decrypt the attestation data. This
|
||||
* is a dynamically allocated buffer and is the responsibility of the caller to free. This will be
|
||||
* null on error.
|
||||
* @param key_length Output for the length of the encryption key.
|
||||
* @param sealing A list of 64-byte sealing values for the attestation data.
|
||||
* @param pcr_count The number of PCRs used for sealing.
|
||||
* @param key Output for the unsealed encryption key that will decrypt the attestation data.
|
||||
* @param key_length Length of the encryption key buffer. This must be large enough to support the
|
||||
* requested key length.
|
||||
*
|
||||
* @return 0 if the unsealing was successful or an error code.
|
||||
*/
|
||||
int aux_attestation_unseal (struct aux_attestation *aux, struct hash_engine *hash,
|
||||
const uint8_t *seed, size_t seed_length, const uint8_t *hmac, const uint8_t *ciphertext,
|
||||
size_t cipher_length, const uint8_t *sealing, const uint8_t *pcr, uint8_t **key,
|
||||
size_t *key_length)
|
||||
struct pcr_store *pcr, enum aux_attestation_key_length key_type, const uint8_t *seed,
|
||||
size_t seed_length, enum aux_attestation_seed_type seed_type,
|
||||
enum aux_attestation_seed_padding seed_padding, const uint8_t *hmac, enum hmac_hash hmac_type,
|
||||
const uint8_t *ciphertext, size_t cipher_length, const uint8_t sealing[][64], size_t pcr_count,
|
||||
uint8_t *key, size_t key_length)
|
||||
{
|
||||
struct rsa_private_key priv;
|
||||
uint8_t *priv_der;
|
||||
size_t priv_length;
|
||||
uint8_t secret[AUX_ATTESTATION_KEY_BYTES];
|
||||
int secret_length;
|
||||
int secret_length = 0;
|
||||
struct hmac_engine run_hmac;
|
||||
uint8_t i[4] = {0};
|
||||
uint8_t L[4] = {0};
|
||||
uint8_t signing_key[SHA256_HASH_LENGTH];
|
||||
uint8_t signing_key[AUX_ATTESTATION_KEY_256BIT];
|
||||
uint8_t payload_hmac[SHA256_HASH_LENGTH];
|
||||
bool bypass = true;
|
||||
uint8_t pcr_value[SHA256_HASH_LENGTH];
|
||||
bool bypass;
|
||||
int j;
|
||||
int k;
|
||||
int status;
|
||||
|
||||
if (key == NULL) {
|
||||
return AUX_ATTESTATION_INVALID_ARGUMENT;
|
||||
}
|
||||
|
||||
*key = NULL;
|
||||
if ((aux == NULL) || (hash == NULL) || (seed == NULL) || (seed_length == 0) ||
|
||||
if ((aux == NULL) || (hash == NULL) || (pcr == NULL) || (seed == NULL) || (seed_length == 0) ||
|
||||
(hmac == NULL) || (ciphertext == NULL) || (cipher_length == 0) || (sealing == NULL) ||
|
||||
(pcr == NULL) || (key_length == NULL)) {
|
||||
(pcr_count == 0) || (key == NULL)) {
|
||||
return AUX_ATTESTATION_INVALID_ARGUMENT;
|
||||
}
|
||||
|
||||
status = aux->keystore->load_key (aux->keystore, 0, &priv_der, &priv_length);
|
||||
if (key_type != AUX_ATTESTATION_KEY_256BIT) {
|
||||
return AUX_ATTESTATION_UNSUPPORTED_KEY_LENGTH;
|
||||
}
|
||||
|
||||
if (hmac_type != HMAC_SHA256) {
|
||||
return AUX_ATTESTATION_UNSUPPORTED_HMAC;
|
||||
}
|
||||
|
||||
if (key_length < AUX_ATTESTATION_KEY_256BIT) {
|
||||
return AUX_ATTESTATION_BUFFER_TOO_SMALL;
|
||||
}
|
||||
|
||||
/* Get the key derivation seed. */
|
||||
switch (seed_type) {
|
||||
case AUX_ATTESTATION_SEED_RSA: {
|
||||
struct rsa_private_key priv;
|
||||
uint8_t *priv_der;
|
||||
size_t priv_length;
|
||||
enum hash_type padding;
|
||||
|
||||
if (aux->rsa == NULL) {
|
||||
return AUX_ATTESTATION_UNSUPPORTED_CRYPTO;
|
||||
}
|
||||
|
||||
switch (seed_padding) {
|
||||
case AUX_ATTESTATION_PADDING_OAEP_SHA1:
|
||||
padding = HASH_TYPE_SHA1;
|
||||
break;
|
||||
|
||||
case AUX_ATTESTATION_PADDING_OAEP_SHA256:
|
||||
padding = HASH_TYPE_SHA256;
|
||||
break;
|
||||
|
||||
default:
|
||||
return AUX_ATTESTATION_BAD_SEED_PADDING;
|
||||
}
|
||||
|
||||
status = aux->keystore->load_key (aux->keystore, 0, &priv_der, &priv_length);
|
||||
if (status != 0) {
|
||||
return status;
|
||||
}
|
||||
|
||||
status = aux->rsa->init_private_key (aux->rsa, &priv, priv_der, priv_length);
|
||||
if (status != 0) {
|
||||
goto rsa_init_error;
|
||||
}
|
||||
|
||||
secret_length = aux->rsa->decrypt (aux->rsa, &priv, seed, seed_length, NULL, 0, padding,
|
||||
secret, sizeof (secret));
|
||||
if (ROT_IS_ERROR (secret_length)) {
|
||||
status = secret_length;
|
||||
}
|
||||
|
||||
aux->rsa->release_key (aux->rsa, &priv);
|
||||
rsa_init_error:
|
||||
riot_core_clear (priv_der, priv_length);
|
||||
platform_free (priv_der);
|
||||
break;
|
||||
}
|
||||
|
||||
#ifdef ECC_ENABLE_ECDH
|
||||
case AUX_ATTESTATION_SEED_ECDH: {
|
||||
struct ecc_private_key priv;
|
||||
struct ecc_public_key pub;
|
||||
const struct riot_keys *keys;
|
||||
|
||||
if (aux->ecc == NULL) {
|
||||
return AUX_ATTESTATION_UNSUPPORTED_CRYPTO;
|
||||
}
|
||||
|
||||
status = aux->ecc->init_public_key (aux->ecc, seed, seed_length, &pub);
|
||||
if (status != 0) {
|
||||
return status;
|
||||
}
|
||||
|
||||
keys = riot_key_manager_get_riot_keys (aux->riot);
|
||||
status = aux->ecc->init_key_pair (aux->ecc, keys->alias_key, keys->alias_key_length,
|
||||
&priv, NULL);
|
||||
riot_key_manager_release_riot_keys (aux->riot, keys);
|
||||
if (status != 0) {
|
||||
goto ecc_init_error;
|
||||
}
|
||||
|
||||
secret_length = aux->ecc->compute_shared_secret (aux->ecc, &priv, &pub, secret,
|
||||
sizeof (secret));
|
||||
if (ROT_IS_ERROR (secret_length)) {
|
||||
status = secret_length;
|
||||
}
|
||||
|
||||
aux->ecc->release_key_pair (aux->ecc, &priv, NULL);
|
||||
ecc_init_error:
|
||||
aux->ecc->release_key_pair (aux->ecc, NULL, &pub);
|
||||
break;
|
||||
}
|
||||
#else
|
||||
case AUX_ATTESTATION_SEED_ECDH:
|
||||
return AUX_ATTESTATION_UNSUPPORTED_CRYPTO;
|
||||
#endif
|
||||
|
||||
default:
|
||||
return AUX_ATTESTATION_UNKNOWN_SEED;
|
||||
}
|
||||
|
||||
if (status != 0) {
|
||||
return status;
|
||||
}
|
||||
|
||||
/* Decrypt the key derivation seed. */
|
||||
status = aux->rsa->init_private_key (aux->rsa, &priv, priv_der, priv_length);
|
||||
if (status != 0) {
|
||||
goto rsa_init_error;
|
||||
}
|
||||
|
||||
secret_length = aux->rsa->decrypt (aux->rsa, &priv, seed, seed_length, NULL, 0,
|
||||
HASH_TYPE_SHA1, secret, sizeof (secret));
|
||||
if (ROT_IS_ERROR (secret_length)) {
|
||||
status = secret_length;
|
||||
goto rsa_decrypt_error;
|
||||
}
|
||||
|
||||
aux->rsa->release_key (aux->rsa, &priv);
|
||||
riot_core_clear (priv_der, priv_length);
|
||||
platform_free (priv_der);
|
||||
|
||||
i[3] = 1;
|
||||
L[2] = 1;
|
||||
|
||||
|
|
@ -397,7 +505,7 @@ int aux_attestation_unseal (struct aux_attestation *aux, struct hash_engine *has
|
|||
goto hmac_error;
|
||||
}
|
||||
|
||||
status = hash_hmac_update (&run_hmac, sealing, 64);
|
||||
status = hash_hmac_update (&run_hmac, sealing[0], 64 * pcr_count);
|
||||
if (status != 0) {
|
||||
goto hmac_error;
|
||||
}
|
||||
|
|
@ -411,16 +519,28 @@ int aux_attestation_unseal (struct aux_attestation *aux, struct hash_engine *has
|
|||
return AUX_ATTESTATION_HMAC_MISMATCH;
|
||||
}
|
||||
|
||||
j = 0;
|
||||
while (bypass && (j < 64)) {
|
||||
if (sealing[j++] != 0) {
|
||||
bypass = false;
|
||||
for (k = 0; k < pcr_count; k++) {
|
||||
j = 0;
|
||||
bypass = true;
|
||||
while (bypass && (j < 64)) {
|
||||
if (sealing[k][j++] != 0) {
|
||||
if (j < 32) {
|
||||
/* The first 32-bytes are unused and must be 0. */
|
||||
return AUX_ATTESTATION_PCR_MISMATCH;
|
||||
}
|
||||
bypass = false;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (!bypass) {
|
||||
if (memcmp (pcr, &sealing[32], SHA256_HASH_LENGTH) != 0) {
|
||||
return AUX_ATTESTATION_PCR_MISMATCH;
|
||||
if (!bypass) {
|
||||
status = pcr_store_compute (pcr, hash, k, pcr_value);
|
||||
if (ROT_IS_ERROR (status)) {
|
||||
return status;
|
||||
}
|
||||
|
||||
if (memcmp (pcr_value, &sealing[k][32], SHA256_HASH_LENGTH) != 0) {
|
||||
return AUX_ATTESTATION_PCR_MISMATCH;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -446,29 +566,13 @@ int aux_attestation_unseal (struct aux_attestation *aux, struct hash_engine *has
|
|||
goto hmac_error;
|
||||
}
|
||||
|
||||
*key = platform_malloc (SHA256_HASH_LENGTH);
|
||||
if (*key == NULL) {
|
||||
status = AUX_ATTESTATION_NO_MEMORY;
|
||||
goto hmac_error;
|
||||
}
|
||||
|
||||
status = hash_hmac_finish (&run_hmac, *key, SHA256_HASH_LENGTH);
|
||||
status = hash_hmac_finish (&run_hmac, key, SHA256_HASH_LENGTH);
|
||||
if (status != 0) {
|
||||
platform_free (*key);
|
||||
*key = NULL;
|
||||
return status;
|
||||
}
|
||||
|
||||
*key_length = SHA256_HASH_LENGTH;
|
||||
return 0;
|
||||
|
||||
rsa_decrypt_error:
|
||||
aux->rsa->release_key (aux->rsa, &priv);
|
||||
rsa_init_error:
|
||||
riot_core_clear (priv_der, priv_length);
|
||||
platform_free (priv_der);
|
||||
return status;
|
||||
|
||||
hmac_error:
|
||||
hash_hmac_cancel (&run_hmac);
|
||||
return status;
|
||||
|
|
@ -501,6 +605,10 @@ int aux_attestation_decrypt (struct aux_attestation *aux, const uint8_t *encrypt
|
|||
return AUX_ATTESTATION_INVALID_ARGUMENT;
|
||||
}
|
||||
|
||||
if (aux->rsa == NULL) {
|
||||
return AUX_ATTESTATION_UNSUPPORTED_CRYPTO;
|
||||
}
|
||||
|
||||
status = aux->keystore->load_key (aux->keystore, 0, &priv_der, &priv_length);
|
||||
if (status != 0) {
|
||||
return status;
|
||||
|
|
|
|||
|
|
@ -10,25 +10,56 @@
|
|||
#include "status/rot_status.h"
|
||||
#include "keystore/keystore.h"
|
||||
#include "crypto/rsa.h"
|
||||
#include "crypto/ecc.h"
|
||||
#include "crypto/hash.h"
|
||||
#include "crypto/x509.h"
|
||||
#include "crypto/rng.h"
|
||||
#include "common/certificate.h"
|
||||
#include "attestation/pcr_store.h"
|
||||
#include "riot/riot_key_manager.h"
|
||||
#include "cmd_interface/cerberus_protocol_optional_commands.h"
|
||||
|
||||
|
||||
/**
|
||||
* The types of seeds that can be used for attestation unsealing.
|
||||
*/
|
||||
enum aux_attestation_seed_type {
|
||||
AUX_ATTESTATION_SEED_RSA = CERBERUS_PROTOCOL_UNSEAL_SEED_RSA, /**< Attestation seed is RSA encrypted. */
|
||||
AUX_ATTESTATION_SEED_ECDH = CERBERUS_PROTOCOL_UNSEAL_SEED_ECDH /**< Attestation seed is an ECC public key. */
|
||||
};
|
||||
|
||||
/**
|
||||
* The padding types possible for the encrypted seed.
|
||||
*/
|
||||
enum aux_attestation_seed_padding {
|
||||
AUX_ATTESTATION_PADDING_PKCS15 = CERBERUS_PROTOCOL_UNSEAL_RSA_PKCS15, /**< Attestation seed is padded per PKCS#1 v1.5. */
|
||||
AUX_ATTESTATION_PADDING_OAEP_SHA1 = CERBERUS_PROTOCOL_UNSEAL_RSA_OAEP_SHA1, /**< Attestation seed is OAEP padded with SHA1. */
|
||||
AUX_ATTESTATION_PADDING_OAEP_SHA256 = CERBERUS_PROTOCOL_UNSEAL_RSA_OAEP_SHA256, /**< Attestation seed is OAEP padded with SHA256. */
|
||||
AUX_ATTESTATION_PADDING_UNSPECIFIED = 0xff /**< Seed uses an unspecified padding scheme. */
|
||||
};
|
||||
|
||||
/**
|
||||
* Supported encryption and signing key lengths that can be generated.
|
||||
*/
|
||||
enum aux_attestation_key_length {
|
||||
AUX_ATTESTATION_KEY_256BIT = SHA256_HASH_LENGTH /**< Generate 256-bit signing and encryption keys. */
|
||||
};
|
||||
|
||||
/**
|
||||
* Handler for providing an auxiliary method of attestation.
|
||||
*/
|
||||
struct aux_attestation {
|
||||
struct keystore *keystore; /**< Storage for the attestation private key. */
|
||||
struct rsa_engine *rsa; /**< Interface for RSA operations with the private key. */
|
||||
struct riot_key_manager *riot; /**< Storage for the ECC attestation key. */
|
||||
struct ecc_engine *ecc; /**< Interface for ECC unsealing operations. */
|
||||
struct der_cert cert; /**< The certificate for the attestation private key. */
|
||||
bool is_static; /**< Flag indicating if the certificate is in static memory. */
|
||||
};
|
||||
|
||||
|
||||
int aux_attestation_init (struct aux_attestation *aux, struct keystore *keystore,
|
||||
struct rsa_engine *rsa);
|
||||
struct rsa_engine *rsa, struct riot_key_manager *riot, struct ecc_engine *ecc);
|
||||
void aux_attestation_release (struct aux_attestation *aux);
|
||||
|
||||
int aux_attestation_generate_key (struct aux_attestation *aux);
|
||||
|
|
@ -43,9 +74,11 @@ int aux_attestation_set_static_certificate (struct aux_attestation *aux, const u
|
|||
const struct der_cert* aux_attestation_get_certificate (struct aux_attestation *aux);
|
||||
|
||||
int aux_attestation_unseal (struct aux_attestation *aux, struct hash_engine *hash,
|
||||
const uint8_t *seed, size_t seed_length, const uint8_t *hmac, const uint8_t *ciphertext,
|
||||
size_t cipher_length, const uint8_t *sealing, const uint8_t *pcr, uint8_t **key,
|
||||
size_t *key_length);
|
||||
struct pcr_store *pcr, enum aux_attestation_key_length key_type, const uint8_t *seed,
|
||||
size_t seed_length, enum aux_attestation_seed_type seed_type,
|
||||
enum aux_attestation_seed_padding padding, const uint8_t *hmac, enum hmac_hash hmac_type,
|
||||
const uint8_t *ciphertext, size_t cipher_length, const uint8_t sealing[][64], size_t pcr_count,
|
||||
uint8_t *key, size_t key_length);
|
||||
|
||||
int aux_attestation_decrypt (struct aux_attestation *aux, const uint8_t *encrypted,
|
||||
size_t len_encrypted, const uint8_t *label, size_t len_label, enum hash_type pad_hash,
|
||||
|
|
@ -58,11 +91,17 @@ int aux_attestation_decrypt (struct aux_attestation *aux, const uint8_t *encrypt
|
|||
* Error codes that can be generated by an auxiliary attestation handler.
|
||||
*/
|
||||
enum {
|
||||
AUX_ATTESTATION_INVALID_ARGUMENT = AUX_ATTESTATION_ERROR (0x00), /**< Input parameter is null or not valid. */
|
||||
AUX_ATTESTATION_NO_MEMORY = AUX_ATTESTATION_ERROR (0x01), /**< Memory allocation failed. */
|
||||
AUX_ATTESTATION_HAS_CERTIFICATE = AUX_ATTESTATION_ERROR (0x02), /**< A certificate has already been provisioned. */
|
||||
AUX_ATTESTATION_PCR_MISMATCH = AUX_ATTESTATION_ERROR (0x03), /**< The sealing policy doesn't match local PCR0. */
|
||||
AUX_ATTESTATION_HMAC_MISMATCH = AUX_ATTESTATION_ERROR (0x04), /**< The payload failed verification against the HMAC. */
|
||||
AUX_ATTESTATION_INVALID_ARGUMENT = AUX_ATTESTATION_ERROR (0x00), /**< Input parameter is null or not valid. */
|
||||
AUX_ATTESTATION_NO_MEMORY = AUX_ATTESTATION_ERROR (0x01), /**< Memory allocation failed. */
|
||||
AUX_ATTESTATION_HAS_CERTIFICATE = AUX_ATTESTATION_ERROR (0x02), /**< A certificate has already been provisioned. */
|
||||
AUX_ATTESTATION_PCR_MISMATCH = AUX_ATTESTATION_ERROR (0x03), /**< The sealing policy doesn't match the local PCRs. */
|
||||
AUX_ATTESTATION_HMAC_MISMATCH = AUX_ATTESTATION_ERROR (0x04), /**< The payload failed verification against the HMAC. */
|
||||
AUX_ATTESTATION_UNSUPPORTED_CRYPTO = AUX_ATTESTATION_ERROR (0x05), /**< The asymmetric crypto algorithm is not supported. */
|
||||
AUX_ATTESTATION_UNSUPPORTED_KEY_LENGTH = AUX_ATTESTATION_ERROR (0x06), /**< The requested key length is not supported. */
|
||||
AUX_ATTESTATION_UNSUPPORTED_HMAC = AUX_ATTESTATION_ERROR (0x07), /**< The HMAC algorithm is not supported. */
|
||||
AUX_ATTESTATION_UNKNOWN_SEED = AUX_ATTESTATION_ERROR (0x08), /**< Unknown seed algorithm. */
|
||||
AUX_ATTESTATION_BUFFER_TOO_SMALL = AUX_ATTESTATION_ERROR (0x09), /**< Output buffer too small. */
|
||||
AUX_ATTESTATION_BAD_SEED_PADDING = AUX_ATTESTATION_ERROR (0x0a), /**< Seed padding type is invalid or unsupported. */
|
||||
};
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -53,10 +53,10 @@ struct pcr_store_tcg_log_entry {
|
|||
int pcr_store_init (struct pcr_store *store, uint8_t *num_pcr_measurements, size_t num_pcr);
|
||||
void pcr_store_release (struct pcr_store *store);
|
||||
|
||||
int pcr_store_check_measurement_type(struct pcr_store *store, uint16_t measurement_type);
|
||||
int pcr_store_check_measurement_type (struct pcr_store *store, uint16_t measurement_type);
|
||||
int pcr_store_get_num_banks (struct pcr_store *store);
|
||||
|
||||
int pcr_store_update_digest (struct pcr_store *store, uint16_t measurement_type,
|
||||
int pcr_store_update_digest (struct pcr_store *store, uint16_t measurement_type,
|
||||
const uint8_t *digest, size_t digest_len);
|
||||
int pcr_store_update_buffer (struct pcr_store *store, struct hash_engine *hash,
|
||||
uint16_t measurement_type, const uint8_t *buf, size_t buf_len);
|
||||
|
|
@ -67,7 +67,7 @@ int pcr_store_get_measurement (struct pcr_store *store, uint16_t measurement_typ
|
|||
struct pcr_measurement *measurement);
|
||||
int pcr_store_invalidate_measurement (struct pcr_store *store, uint16_t measurement_type);
|
||||
|
||||
int pcr_store_get_tcg_log (struct pcr_store *store, struct hash_engine *hash, uint32_t offset,
|
||||
int pcr_store_get_tcg_log (struct pcr_store *store, struct hash_engine *hash, uint32_t offset,
|
||||
uint8_t *contents, size_t length);
|
||||
int pcr_store_get_tcg_log_size (struct pcr_store *store);
|
||||
|
||||
|
|
|
|||
|
|
@ -12,7 +12,7 @@
|
|||
#define CERBERUS_PROTOCOL_MAX_PAYLOAD_PER_MSG (MCTP_PROTOCOL_MAX_MESSAGE_BODY - CERBERUS_PROTOCOL_MIN_MSG_LEN)
|
||||
|
||||
#define CERBERUS_PROTOCOL_MSFT_PCI_VID 0x1414
|
||||
#define CERBERUS_PROTOCOL_PROTOCOL_VERSION 2
|
||||
#define CERBERUS_PROTOCOL_PROTOCOL_VERSION 3
|
||||
|
||||
|
||||
/**
|
||||
|
|
|
|||
|
|
@ -681,60 +681,56 @@ int cerberus_protocol_get_host_reset_status (struct host_control *host_0_ctrl,
|
|||
*
|
||||
* @param background Command background instance to utilize
|
||||
* @param request Unseal request to process
|
||||
* @param platform_pcr PCR to utilize for platform measurement
|
||||
*
|
||||
* @return 0 if processing completed successfully or an error code.
|
||||
*/
|
||||
int cerberus_protocol_unseal_message (struct cmd_background *background,
|
||||
struct cmd_interface_request *request, uint8_t platform_pcr)
|
||||
struct cmd_interface_request *request)
|
||||
{
|
||||
uint16_t seed_len;
|
||||
uint16_t cipher_len;
|
||||
uint16_t seed_offset;
|
||||
uint16_t cipher_offset;
|
||||
uint16_t hmac_offset;
|
||||
uint16_t sealing_offset;
|
||||
struct cerberus_protocol_message_unseal *rq =
|
||||
(struct cerberus_protocol_message_unseal*) request->data;
|
||||
uint8_t *end = request->data + request->length;
|
||||
int status;
|
||||
|
||||
request->crypto_timeout = true;
|
||||
|
||||
if ((CERBERUS_PROTOCOL_MIN_MSG_LEN + sizeof (seed_len)) > request->length) {
|
||||
if (request->length < sizeof (struct cerberus_protocol_message_unseal)) {
|
||||
return CMD_HANDLER_BAD_LENGTH;
|
||||
}
|
||||
|
||||
memcpy (&seed_len, &request->data[CERBERUS_PROTOCOL_MIN_MSG_LEN], sizeof (seed_len));
|
||||
if (seed_len == 0) {
|
||||
if ((rq->hmac_type != CERBERUS_PROTOCOL_UNSEAL_HMAC_SHA256) ||
|
||||
(rq->seed_type > CERBERUS_PROTOCOL_UNSEAL_SEED_ECDH)) {
|
||||
return CMD_HANDLER_OUT_OF_RANGE;
|
||||
}
|
||||
|
||||
if ((rq->seed_type == CERBERUS_PROTOCOL_UNSEAL_SEED_RSA) &&
|
||||
(rq->seed_params.rsa.padding > CERBERUS_PROTOCOL_UNSEAL_RSA_OAEP_SHA256)) {
|
||||
return CMD_HANDLER_OUT_OF_RANGE;
|
||||
}
|
||||
|
||||
if ((rq->seed_length == 0) || (cerberus_protocol_unseal_ciphertext_length_ptr (rq) >= end)) {
|
||||
return CMD_HANDLER_BAD_LENGTH;
|
||||
}
|
||||
|
||||
if ((CERBERUS_PROTOCOL_MIN_MSG_LEN + sizeof (seed_len) + seed_len + sizeof (cipher_len)) >
|
||||
request->length) {
|
||||
if ((cerberus_protocol_unseal_ciphertext_length (rq) == 0) ||
|
||||
(cerberus_protocol_unseal_hmac_length_ptr (rq) >= end)) {
|
||||
return CMD_HANDLER_BAD_LENGTH;
|
||||
}
|
||||
|
||||
seed_offset = CERBERUS_PROTOCOL_MIN_MSG_LEN + sizeof (seed_len);
|
||||
|
||||
memcpy (&cipher_len, &request->data[seed_offset + seed_len], sizeof (cipher_len));
|
||||
if (cipher_len == 0) {
|
||||
if ((cerberus_protocol_unseal_hmac_length (rq) != SHA256_HASH_LENGTH) ||
|
||||
((uint8_t*) cerberus_protocol_get_unseal_pmr_sealing (rq) >= end)) {
|
||||
return CMD_HANDLER_BAD_LENGTH;
|
||||
}
|
||||
|
||||
cipher_offset = seed_offset + seed_len + sizeof (cipher_len);
|
||||
hmac_offset = cipher_offset + cipher_len;
|
||||
sealing_offset = hmac_offset + SHA256_HASH_LENGTH;
|
||||
|
||||
if ((sealing_offset + 64) != request->length) {
|
||||
if (((uint8_t*) cerberus_protocol_get_unseal_pmr_sealing (rq) +
|
||||
sizeof (struct cerberus_protocol_unseal_pmrs)) != end) {
|
||||
return CMD_HANDLER_BAD_LENGTH;
|
||||
}
|
||||
|
||||
status = background->unseal_start (background, request->data, request->length);
|
||||
|
||||
request->length = 0;
|
||||
if (background != NULL) {
|
||||
return background->unseal_start (background, &request->data[seed_offset], seed_len,
|
||||
&request->data[hmac_offset], &request->data[cipher_offset], cipher_len,
|
||||
&request->data[sealing_offset], platform_pcr);
|
||||
}
|
||||
else {
|
||||
return CMD_HANDLER_UNSUPPORTED_COMMAND;
|
||||
}
|
||||
return status;
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
|
|||
|
|
@ -64,11 +64,30 @@ enum {
|
|||
CERBERUS_PROTOCOL_UNSEAL_HMAC_SHA256 = 0 /**< Unseal HMAC using SHA-256 */
|
||||
};
|
||||
|
||||
/**
|
||||
* Identifier for the unsealing seed type.
|
||||
*/
|
||||
enum {
|
||||
CERBERUS_PROTOCOL_UNSEAL_SEED_RSA = 0, /**< Unseal seed is RSA encrypted */
|
||||
CERBERUS_PROTOCOL_UNSEAL_SEED_ECC /**< Unseal seed uses ECDH */
|
||||
CERBERUS_PROTOCOL_UNSEAL_SEED_ECDH /**< Unseal seed uses ECDH */
|
||||
};
|
||||
|
||||
/**
|
||||
* Identifier for unsealing RSA parameters.
|
||||
*/
|
||||
enum {
|
||||
CERBERUS_PROTOCOL_UNSEAL_RSA_PKCS15 = 0, /**< Seed is encrypted with PKCS 1.5 padding */
|
||||
CERBERUS_PROTOCOL_UNSEAL_RSA_OAEP_SHA1, /**< Seed is encrypted with OAEP-SHA1 padding */
|
||||
CERBERUS_PROTOCOL_UNSEAL_RSA_OAEP_SHA256, /**< Seed is encrypted with OAEP-SHA256 padding */
|
||||
};
|
||||
|
||||
/**
|
||||
* Maximum number of PMRs that can be used for unsealing.
|
||||
*
|
||||
*
|
||||
*/
|
||||
#define CERBERUS_PROTOCOL_MAX_PMR 5
|
||||
|
||||
|
||||
#pragma pack(push, 1)
|
||||
/**
|
||||
|
|
@ -494,6 +513,15 @@ struct cerberus_protocol_message_unseal {
|
|||
uint8_t seed_type:2; /**< Type of seed used for unsealing */
|
||||
uint8_t hmac_type:3; /**< Type of HMAC used for unsealing */
|
||||
uint8_t reserved:3; /**< Unused */
|
||||
union {
|
||||
struct {
|
||||
uint8_t padding:3; /**< RSA encryption padding scheme */
|
||||
uint8_t reserved:5; /**< Unused */
|
||||
} rsa;
|
||||
struct {
|
||||
uint8_t reserved; /**< Unused. */
|
||||
} ecdh;
|
||||
} seed_params; /**< Additional parameters for the seed */
|
||||
uint16_t seed_length; /**< Length of the unsealing seed */
|
||||
uint8_t seed; /**< First byte of the unsealing seed */
|
||||
};
|
||||
|
|
@ -502,7 +530,7 @@ struct cerberus_protocol_message_unseal {
|
|||
* PMRs used for unsealing a message.
|
||||
*/
|
||||
struct cerberus_protocol_unseal_pmrs {
|
||||
uint8_t pmr[5][64]; /**< PMRs used for sealing */
|
||||
uint8_t pmr[CERBERUS_PROTOCOL_MAX_PMR][64]; /**< PMRs used for sealing */
|
||||
};
|
||||
|
||||
/**
|
||||
|
|
@ -546,7 +574,7 @@ struct cerberus_protocol_unseal_pmrs {
|
|||
* struct cerberus_protocol_unseal_pmrs.
|
||||
*/
|
||||
#define cerberus_protocol_get_unseal_pmr_sealing(req) \
|
||||
(struct cerberus_protocol_unseal_pmrs*) (cerberus_protocol_unseal_hmac (req) + cerberus_protocol_unseal_hmac_length (req))
|
||||
((const struct cerberus_protocol_unseal_pmrs*) (cerberus_protocol_unseal_hmac (req) + cerberus_protocol_unseal_hmac_length (req)))
|
||||
|
||||
/**
|
||||
* Cerberus protocol message unseal result request format
|
||||
|
|
@ -625,7 +653,7 @@ int cerberus_protocol_get_host_reset_status (struct host_control *host_0_ctrl,
|
|||
struct host_control *host_1_ctrl, struct cmd_interface_request *request);
|
||||
|
||||
int cerberus_protocol_unseal_message (struct cmd_background *background,
|
||||
struct cmd_interface_request *request, uint8_t platform_pcr);
|
||||
struct cmd_interface_request *request);
|
||||
int cerberus_protocol_unseal_message_result (struct cmd_background *background,
|
||||
struct cmd_interface_request *request);
|
||||
|
||||
|
|
|
|||
|
|
@ -35,26 +35,21 @@ struct cmd_background {
|
|||
* Process an attestation payload to unseal the device encryption key.
|
||||
*
|
||||
* @param cmd The background context for executing the operation.
|
||||
* @param seed The request seed encrypted with the attestation public key.
|
||||
* @param seed_length The length of the request seed.
|
||||
* @param hmac The HMAC for the attestation request. This is an HMAC-SHA256 value.
|
||||
* @param ciphertext The encrypted attestation data.
|
||||
* @param cipher_length Length of the encrypted data.
|
||||
* @param sealing A 64-byte sealing value for the attestation data.
|
||||
* @param platform_pcr PCR to utilize as platform measurement.
|
||||
* @param unseal_request Buffer containing the complete unseal request to execute. The request
|
||||
* should be validated for correctness before passing it here.
|
||||
* @param length Length of the unseal request.
|
||||
*
|
||||
* @return 0 if the action was successfully scheduled or an error code.
|
||||
*/
|
||||
int (*unseal_start) (struct cmd_background *cmd, const uint8_t *seed, size_t seed_length,
|
||||
const uint8_t *hmac, const uint8_t *ciphertext, size_t cipher_length,
|
||||
const uint8_t *sealing, uint8_t platform_pcr);
|
||||
int (*unseal_start) (struct cmd_background *cmd, const uint8_t *unseal_request, size_t length);
|
||||
|
||||
/**
|
||||
* Get the result of the last unseal operation requested.
|
||||
*
|
||||
* @param cmd The background context for executing the operation.
|
||||
* @param key Output for the unsealed encryption key that will decrypt the attestation data.
|
||||
* @param key_length Length of the key buffer as input, then key length as output.
|
||||
* @param key_length Length of the key buffer as input, then key length as output. This will be
|
||||
* 0 if the unseal operation has not successfully completed.
|
||||
* @param unseal_status Output buffer with the unsealing status. The lower 8 bits will be the
|
||||
* status as per {@link enum attestation_cmd_status}. The rest of the bits will be the return
|
||||
* code from the operation.
|
||||
|
|
|
|||
|
|
@ -161,7 +161,7 @@ int cmd_interface_system_process_request (struct cmd_interface *intf,
|
|||
return cerberus_protocol_reset_counter (interface->cmd_device, request);
|
||||
|
||||
case CERBERUS_PROTOCOL_UNSEAL_MESSAGE:
|
||||
return cerberus_protocol_unseal_message (interface->background, request, 0);
|
||||
return cerberus_protocol_unseal_message (interface->background, request);
|
||||
|
||||
case CERBERUS_PROTOCOL_UNSEAL_MESSAGE_RESULT:
|
||||
return cerberus_protocol_unseal_message_result (interface->background, request);
|
||||
|
|
|
|||
|
|
@ -301,6 +301,17 @@ static int rsa_mbedtls_decrypt (struct rsa_engine *engine, const struct rsa_priv
|
|||
return RSA_ENGINE_UNSUPPORTED_HASH_TYPE;
|
||||
}
|
||||
|
||||
#ifndef MBEDTLS_SHA1_C
|
||||
if (pad_hash == HASH_TYPE_SHA1) {
|
||||
return RSA_ENGINE_UNSUPPORTED_HASH_TYPE;
|
||||
}
|
||||
#endif
|
||||
#ifndef MBEDTLS_SHA256_C
|
||||
if (pad_hash == HASH_TYPE_SHA256) {
|
||||
return RSA_ENGINE_UNSUPPORTED_HASH_TYPE;
|
||||
}
|
||||
#endif
|
||||
|
||||
if (pad_hash == HASH_TYPE_SHA256) {
|
||||
mbedtls_rsa_set_padding (rsa_mbedtls_get_rsa_key (key), MBEDTLS_RSA_PKCS_V21,
|
||||
MBEDTLS_MD_SHA256);
|
||||
|
|
|
|||
|
|
@ -395,11 +395,11 @@ exit:
|
|||
|
||||
/**
|
||||
* Get the RIoT Core device keys. Updates to the RIoT keys will be blocked until the caller
|
||||
* indicates they are finished using them by calling {@link riot_key_manager_release_riot_keys}.
|
||||
* indicates they are finished using them by calling riot_key_manager_release_riot_keys().
|
||||
*
|
||||
* @param riot The RIoT key manager to query.
|
||||
*
|
||||
* @return The RIoT keys or null. If not null, {@link riot_key_manager_release_riot_keys} must be
|
||||
* @return The RIoT keys or null. If not null, riot_key_manager_release_riot_keys() must be
|
||||
* called after the keys are used.
|
||||
*/
|
||||
const struct riot_keys* riot_key_manager_get_riot_keys (struct riot_key_manager *riot)
|
||||
|
|
|
|||
Разница между файлами не показана из-за своего большого размера
Загрузить разницу
Разница между файлами не показана из-за своего большого размера
Загрузить разницу
|
|
@ -11,6 +11,8 @@ extern const uint8_t KEY_SEED[];
|
|||
extern const size_t KEY_SEED_LEN;
|
||||
extern const uint8_t KEY_SEED_ENCRYPT_OAEP[];
|
||||
extern const size_t KEY_SEED_ENCRYPT_OAEP_LEN;
|
||||
extern const uint8_t KEY_SEED_ENCRYPT_OAEP_SHA256[];
|
||||
extern const size_t KEY_SEED_ENCRYPT_OAEP_SHA256_LEN;
|
||||
extern const uint8_t NIST_KEY_DERIVE_I[];
|
||||
extern const size_t NIST_KEY_DERIVE_I_LEN;
|
||||
extern const uint8_t NIST_KEY_DERIVE_L[];
|
||||
|
|
@ -21,10 +23,14 @@ extern const uint8_t ENCRYPTION_KEY[];
|
|||
extern const size_t ENCRYPTION_KEY_LEN;
|
||||
extern const uint8_t CIPHER_TEXT[];
|
||||
extern const size_t CIPHER_TEXT_LEN;
|
||||
extern const uint8_t SEALING_POLICY[];
|
||||
extern const uint8_t SEALING_POLICY[][64];
|
||||
extern const size_t SEALING_POLICY_LEN;
|
||||
extern const uint8_t PAYLOAD_HMAC[];
|
||||
extern const size_t PAYLOAD_HMAC_LEN;
|
||||
extern const uint8_t SEALING_POLICY_MULTIPLE[][64];
|
||||
extern const size_t SEALING_POLICY_MULTPLE_LEN;
|
||||
extern const uint8_t PAYLOAD_MULTIPLE_HMAC[];
|
||||
extern const size_t PAYLOAD_MULTIPLE_HMAC_LEN;
|
||||
extern const char ENCRYPTION_KEY_LABEL[];
|
||||
extern const size_t ENCRYPTION_KEY_LABEL_LEN;
|
||||
extern const char SIGNING_KEY_LABEL[];
|
||||
|
|
|
|||
|
|
@ -12,10 +12,13 @@
|
|||
#include "cmd_interface/attestation_cmd_interface.h"
|
||||
#include "logging/debug_log.h"
|
||||
#include "recovery/recovery_image_header.h"
|
||||
#include "attestation/aux_attestation.h"
|
||||
#include "mock/pfm_mock.h"
|
||||
#include "mock/recovery_image_mock.h"
|
||||
#include "cerberus_protocol_optional_commands_testing.h"
|
||||
#include "recovery_image_header_testing.h"
|
||||
#include "aux_attestation_testing.h"
|
||||
#include "ecc_testing.h"
|
||||
|
||||
|
||||
static const char *SUITE = "cerberus_protocol_optional_commands";
|
||||
|
|
@ -3688,54 +3691,89 @@ void cerberus_protocol_optional_commands_testing_process_log_read_invalid_len (C
|
|||
CuAssertIntEquals (test, false, request.crypto_timeout);
|
||||
}
|
||||
|
||||
void cerberus_protocol_optional_commands_testing_process_request_unseal (CuTest *test,
|
||||
struct cmd_interface *cmd, struct cmd_background_mock *background, int pcr)
|
||||
void cerberus_protocol_optional_commands_testing_process_request_unseal_rsa (CuTest *test,
|
||||
struct cmd_interface *cmd, struct cmd_background_mock *background)
|
||||
{
|
||||
uint16_t seed_len = 2;
|
||||
uint16_t cipher_len = 2;
|
||||
struct cmd_interface_request request;
|
||||
struct cerberus_protocol_header header = {0};
|
||||
struct cerberus_protocol_message_unseal *req =
|
||||
(struct cerberus_protocol_message_unseal*) request.data;
|
||||
struct cerberus_protocol_unseal_pmrs sealing;
|
||||
int status;
|
||||
|
||||
memset (&request, 0, sizeof (request));
|
||||
header.msg_type = MCTP_PROTOCOL_MSG_TYPE_VENDOR_DEF;
|
||||
header.pci_vendor_id = CERBERUS_PROTOCOL_MSFT_PCI_VID;
|
||||
header.command = CERBERUS_PROTOCOL_UNSEAL_MESSAGE;
|
||||
memset (sealing.pmr[0], 0, sizeof (sealing.pmr[0]));
|
||||
memset (sealing.pmr[1], 1, sizeof (sealing.pmr[0]));
|
||||
memset (sealing.pmr[2], 2, sizeof (sealing.pmr[0]));
|
||||
memset (sealing.pmr[3], 3, sizeof (sealing.pmr[0]));
|
||||
memset (sealing.pmr[4], 4, sizeof (sealing.pmr[0]));
|
||||
|
||||
memcpy (request.data, &header, sizeof (header));
|
||||
memcpy (&request.data[CERBERUS_PROTOCOL_MIN_MSG_LEN], &seed_len, sizeof (seed_len));
|
||||
request.data[CERBERUS_PROTOCOL_MIN_MSG_LEN + sizeof (seed_len)] = 0xAA;
|
||||
request.data[CERBERUS_PROTOCOL_MIN_MSG_LEN + sizeof (seed_len) + 1] = 0xBB;
|
||||
memcpy (&request.data[CERBERUS_PROTOCOL_MIN_MSG_LEN + sizeof (seed_len) + 2], &cipher_len,
|
||||
sizeof (cipher_len));
|
||||
request.data[CERBERUS_PROTOCOL_MIN_MSG_LEN + sizeof (seed_len) + 2 + sizeof (cipher_len)] =
|
||||
0xCC;
|
||||
request.data[CERBERUS_PROTOCOL_MIN_MSG_LEN + sizeof (seed_len) + 3 + sizeof (cipher_len)] =
|
||||
0xDD;
|
||||
memset (
|
||||
&request.data[CERBERUS_PROTOCOL_MIN_MSG_LEN + sizeof (seed_len) + 4 + sizeof (cipher_len)],
|
||||
0x55, SHA256_HASH_LENGTH);
|
||||
memset (
|
||||
&request.data[CERBERUS_PROTOCOL_MIN_MSG_LEN + sizeof (seed_len) + 4 + sizeof (cipher_len) +
|
||||
SHA256_HASH_LENGTH], 0xAA, 64);
|
||||
request.length = CERBERUS_PROTOCOL_MIN_MSG_LEN + 104;
|
||||
memset (&request, 0, sizeof (request));
|
||||
req->header.msg_type = MCTP_PROTOCOL_MSG_TYPE_VENDOR_DEF;
|
||||
req->header.pci_vendor_id = CERBERUS_PROTOCOL_MSFT_PCI_VID;
|
||||
req->header.command = CERBERUS_PROTOCOL_UNSEAL_MESSAGE;
|
||||
|
||||
req->hmac_type = CERBERUS_PROTOCOL_UNSEAL_HMAC_SHA256;
|
||||
req->seed_type = CERBERUS_PROTOCOL_UNSEAL_SEED_RSA;
|
||||
req->seed_length = KEY_SEED_ENCRYPT_OAEP_LEN;
|
||||
memcpy (&req->seed, KEY_SEED_ENCRYPT_OAEP, KEY_SEED_ENCRYPT_OAEP_LEN);
|
||||
cerberus_protocol_unseal_ciphertext_length (req) = CIPHER_TEXT_LEN;
|
||||
memcpy (cerberus_protocol_unseal_ciphertext (req), CIPHER_TEXT, CIPHER_TEXT_LEN);
|
||||
cerberus_protocol_unseal_hmac_length (req) = PAYLOAD_HMAC_LEN;
|
||||
memcpy (cerberus_protocol_unseal_hmac (req), PAYLOAD_HMAC, PAYLOAD_HMAC_LEN);
|
||||
memcpy ((uint8_t*) cerberus_protocol_get_unseal_pmr_sealing (req), &sealing, sizeof (sealing));
|
||||
request.length = (sizeof (struct cerberus_protocol_message_unseal) - 1) +
|
||||
KEY_SEED_ENCRYPT_OAEP_LEN + 2 + CIPHER_TEXT_LEN + 2 + PAYLOAD_HMAC_LEN + sizeof (sealing);
|
||||
request.max_response = MCTP_PROTOCOL_MAX_MESSAGE_BODY;
|
||||
request.source_eid = MCTP_PROTOCOL_BMC_EID;
|
||||
request.target_eid = MCTP_PROTOCOL_PA_ROT_CTRL_EID;
|
||||
|
||||
status = mock_expect (&background->mock, background->base.unseal_start, background, 0,
|
||||
MOCK_ARG_PTR_CONTAINS_TMP (
|
||||
&request.data[CERBERUS_PROTOCOL_MIN_MSG_LEN + sizeof (seed_len)], seed_len),
|
||||
MOCK_ARG (seed_len), MOCK_ARG_PTR_CONTAINS_TMP (
|
||||
&request.data[CERBERUS_PROTOCOL_MIN_MSG_LEN + sizeof (seed_len) + 4 +
|
||||
sizeof (cipher_len)],
|
||||
SHA256_HASH_LENGTH),
|
||||
MOCK_ARG_PTR_CONTAINS_TMP (&request.data[CERBERUS_PROTOCOL_MIN_MSG_LEN +
|
||||
sizeof (seed_len) + 2 + sizeof (cipher_len)], cipher_len),
|
||||
MOCK_ARG (cipher_len), MOCK_ARG_PTR_CONTAINS_TMP (
|
||||
&request.data[CERBERUS_PROTOCOL_MIN_MSG_LEN + sizeof (seed_len) + 4 +
|
||||
sizeof (cipher_len) + SHA256_HASH_LENGTH], 64),
|
||||
MOCK_ARG (pcr));
|
||||
MOCK_ARG_PTR_CONTAINS_TMP (request.data, request.length), MOCK_ARG (request.length));
|
||||
CuAssertIntEquals (test, 0, status);
|
||||
|
||||
request.crypto_timeout = false;
|
||||
status = cmd->process_request (cmd, &request);
|
||||
CuAssertIntEquals (test, 0, status);
|
||||
CuAssertIntEquals (test, 0, request.length);
|
||||
CuAssertIntEquals (test, true, request.crypto_timeout);
|
||||
}
|
||||
|
||||
void cerberus_protocol_optional_commands_testing_process_request_unseal_ecc (CuTest *test,
|
||||
struct cmd_interface *cmd, struct cmd_background_mock *background)
|
||||
{
|
||||
struct cmd_interface_request request;
|
||||
struct cerberus_protocol_message_unseal *req =
|
||||
(struct cerberus_protocol_message_unseal*) request.data;
|
||||
struct cerberus_protocol_unseal_pmrs sealing;
|
||||
int status;
|
||||
|
||||
memset (sealing.pmr[0], 0, sizeof (sealing.pmr[0]));
|
||||
memset (sealing.pmr[1], 1, sizeof (sealing.pmr[0]));
|
||||
memset (sealing.pmr[2], 2, sizeof (sealing.pmr[0]));
|
||||
memset (sealing.pmr[3], 3, sizeof (sealing.pmr[0]));
|
||||
memset (sealing.pmr[4], 4, sizeof (sealing.pmr[0]));
|
||||
|
||||
memset (&request, 0, sizeof (request));
|
||||
req->header.msg_type = MCTP_PROTOCOL_MSG_TYPE_VENDOR_DEF;
|
||||
req->header.pci_vendor_id = CERBERUS_PROTOCOL_MSFT_PCI_VID;
|
||||
req->header.command = CERBERUS_PROTOCOL_UNSEAL_MESSAGE;
|
||||
|
||||
req->hmac_type = CERBERUS_PROTOCOL_UNSEAL_HMAC_SHA256;
|
||||
req->seed_type = CERBERUS_PROTOCOL_UNSEAL_SEED_ECDH;
|
||||
req->seed_length = ECC_PUBKEY_DER_LEN;
|
||||
memcpy (&req->seed, ECC_PUBKEY_DER, ECC_PUBKEY_DER_LEN);
|
||||
cerberus_protocol_unseal_ciphertext_length (req) = CIPHER_TEXT_LEN;
|
||||
memcpy (cerberus_protocol_unseal_ciphertext (req), CIPHER_TEXT, CIPHER_TEXT_LEN);
|
||||
cerberus_protocol_unseal_hmac_length (req) = PAYLOAD_HMAC_LEN;
|
||||
memcpy (cerberus_protocol_unseal_hmac (req), PAYLOAD_HMAC, PAYLOAD_HMAC_LEN);
|
||||
memcpy ((uint8_t*) cerberus_protocol_get_unseal_pmr_sealing (req), &sealing, sizeof (sealing));
|
||||
request.length = (sizeof (struct cerberus_protocol_message_unseal) - 1) +
|
||||
ECC_PUBKEY_DER_LEN + 2 + CIPHER_TEXT_LEN + 2 + PAYLOAD_HMAC_LEN + sizeof (sealing);
|
||||
request.max_response = MCTP_PROTOCOL_MAX_MESSAGE_BODY;
|
||||
request.source_eid = MCTP_PROTOCOL_BMC_EID;
|
||||
request.target_eid = MCTP_PROTOCOL_PA_ROT_CTRL_EID;
|
||||
|
||||
status = mock_expect (&background->mock, background->base.unseal_start, background, 0,
|
||||
MOCK_ARG_PTR_CONTAINS_TMP (request.data, request.length), MOCK_ARG (request.length));
|
||||
CuAssertIntEquals (test, 0, status);
|
||||
|
||||
request.crypto_timeout = false;
|
||||
|
|
@ -3746,50 +3784,43 @@ void cerberus_protocol_optional_commands_testing_process_request_unseal (CuTest
|
|||
}
|
||||
|
||||
void cerberus_protocol_optional_commands_testing_process_request_unseal_fail (CuTest *test,
|
||||
struct cmd_interface *cmd, struct cmd_background_mock *background, int pcr)
|
||||
struct cmd_interface *cmd, struct cmd_background_mock *background)
|
||||
{
|
||||
uint16_t seed_len = 2;
|
||||
uint16_t cipher_len = 2;
|
||||
struct cmd_interface_request request;
|
||||
struct cerberus_protocol_header header = {0};
|
||||
struct cerberus_protocol_message_unseal *req =
|
||||
(struct cerberus_protocol_message_unseal*) request.data;
|
||||
struct cerberus_protocol_unseal_pmrs sealing;
|
||||
int status;
|
||||
|
||||
memset (&request, 0, sizeof (request));
|
||||
header.msg_type = MCTP_PROTOCOL_MSG_TYPE_VENDOR_DEF;
|
||||
header.pci_vendor_id = CERBERUS_PROTOCOL_MSFT_PCI_VID;
|
||||
header.command = CERBERUS_PROTOCOL_UNSEAL_MESSAGE;
|
||||
memset (sealing.pmr[0], 0, sizeof (sealing.pmr[0]));
|
||||
memset (sealing.pmr[1], 1, sizeof (sealing.pmr[0]));
|
||||
memset (sealing.pmr[2], 2, sizeof (sealing.pmr[0]));
|
||||
memset (sealing.pmr[3], 3, sizeof (sealing.pmr[0]));
|
||||
memset (sealing.pmr[4], 4, sizeof (sealing.pmr[0]));
|
||||
|
||||
memcpy (request.data, &header, sizeof (header));
|
||||
memcpy (&request.data[CERBERUS_PROTOCOL_MIN_MSG_LEN], &seed_len, sizeof (seed_len));
|
||||
request.data[CERBERUS_PROTOCOL_MIN_MSG_LEN + sizeof (seed_len)] = 0xAA;
|
||||
request.data[CERBERUS_PROTOCOL_MIN_MSG_LEN + sizeof (seed_len) + 1] = 0xBB;
|
||||
memcpy (&request.data[CERBERUS_PROTOCOL_MIN_MSG_LEN + sizeof (seed_len) + 2], &cipher_len,
|
||||
sizeof (cipher_len));
|
||||
request.data[CERBERUS_PROTOCOL_MIN_MSG_LEN + sizeof (seed_len) + 2 + sizeof (cipher_len)] =
|
||||
0xCC;
|
||||
request.data[CERBERUS_PROTOCOL_MIN_MSG_LEN + sizeof (seed_len) + 3 + sizeof (cipher_len)] =
|
||||
0xDD;
|
||||
memset (
|
||||
&request.data[CERBERUS_PROTOCOL_MIN_MSG_LEN + sizeof (seed_len) + 4 + sizeof (cipher_len)],
|
||||
0x55, SHA256_HASH_LENGTH);
|
||||
memset (
|
||||
&request.data[CERBERUS_PROTOCOL_MIN_MSG_LEN + sizeof (seed_len) + 4 + sizeof (cipher_len) +
|
||||
SHA256_HASH_LENGTH], 0xAA, 64);
|
||||
request.length = CERBERUS_PROTOCOL_MIN_MSG_LEN + 104;
|
||||
memset (&request, 0, sizeof (request));
|
||||
req->header.msg_type = MCTP_PROTOCOL_MSG_TYPE_VENDOR_DEF;
|
||||
req->header.pci_vendor_id = CERBERUS_PROTOCOL_MSFT_PCI_VID;
|
||||
req->header.command = CERBERUS_PROTOCOL_UNSEAL_MESSAGE;
|
||||
|
||||
req->hmac_type = CERBERUS_PROTOCOL_UNSEAL_HMAC_SHA256;
|
||||
req->seed_type = CERBERUS_PROTOCOL_UNSEAL_SEED_RSA;
|
||||
req->seed_length = KEY_SEED_ENCRYPT_OAEP_LEN;
|
||||
memcpy (&req->seed, KEY_SEED_ENCRYPT_OAEP, KEY_SEED_ENCRYPT_OAEP_LEN);
|
||||
cerberus_protocol_unseal_ciphertext_length (req) = CIPHER_TEXT_LEN;
|
||||
memcpy (cerberus_protocol_unseal_ciphertext (req), CIPHER_TEXT, CIPHER_TEXT_LEN);
|
||||
cerberus_protocol_unseal_hmac_length (req) = PAYLOAD_HMAC_LEN;
|
||||
memcpy (cerberus_protocol_unseal_hmac (req), PAYLOAD_HMAC, PAYLOAD_HMAC_LEN);
|
||||
memcpy ((uint8_t*) cerberus_protocol_get_unseal_pmr_sealing (req), &sealing, sizeof (sealing));
|
||||
request.length = (sizeof (struct cerberus_protocol_message_unseal) - 1) +
|
||||
KEY_SEED_ENCRYPT_OAEP_LEN + 2 + CIPHER_TEXT_LEN + 2 + PAYLOAD_HMAC_LEN + sizeof (sealing);
|
||||
request.max_response = MCTP_PROTOCOL_MAX_MESSAGE_BODY;
|
||||
request.source_eid = MCTP_PROTOCOL_BMC_EID;
|
||||
request.target_eid = MCTP_PROTOCOL_PA_ROT_CTRL_EID;
|
||||
|
||||
status = mock_expect (&background->mock, background->base.unseal_start, background,
|
||||
CMD_BACKGROUND_UNSEAL_FAILED, MOCK_ARG_PTR_CONTAINS_TMP (
|
||||
&request.data[CERBERUS_PROTOCOL_MIN_MSG_LEN + sizeof (seed_len)], seed_len),
|
||||
MOCK_ARG (seed_len), MOCK_ARG_PTR_CONTAINS_TMP (
|
||||
&request.data[CERBERUS_PROTOCOL_MIN_MSG_LEN + sizeof (seed_len) + 4 + sizeof (cipher_len)],
|
||||
SHA256_HASH_LENGTH), MOCK_ARG_PTR_CONTAINS_TMP (
|
||||
&request.data[CERBERUS_PROTOCOL_MIN_MSG_LEN + sizeof (seed_len) + 2 + sizeof (cipher_len)],
|
||||
cipher_len), MOCK_ARG (cipher_len), MOCK_ARG_PTR_CONTAINS_TMP (
|
||||
&request.data[CERBERUS_PROTOCOL_MIN_MSG_LEN + sizeof (seed_len) + 4 + sizeof (cipher_len) +
|
||||
SHA256_HASH_LENGTH], 64), MOCK_ARG (pcr));
|
||||
CMD_BACKGROUND_UNSEAL_FAILED, MOCK_ARG_PTR_CONTAINS_TMP (request.data, request.length),
|
||||
MOCK_ARG (request.length));
|
||||
CuAssertIntEquals (test, 0, status);
|
||||
|
||||
request.crypto_timeout = false;
|
||||
|
|
@ -3798,117 +3829,473 @@ void cerberus_protocol_optional_commands_testing_process_request_unseal_fail (Cu
|
|||
CuAssertIntEquals (test, true, request.crypto_timeout);
|
||||
}
|
||||
|
||||
void cerberus_protocol_optional_commands_testing_process_request_unseal_no_seed_len (CuTest *test,
|
||||
void cerberus_protocol_optional_commands_testing_process_request_unseal_invalid_hmac (CuTest *test,
|
||||
struct cmd_interface *cmd)
|
||||
{
|
||||
uint16_t seed_len = 0;
|
||||
uint16_t cipher_len = 2;
|
||||
struct cmd_interface_request request;
|
||||
struct cerberus_protocol_header header = {0};
|
||||
struct cerberus_protocol_message_unseal *req =
|
||||
(struct cerberus_protocol_message_unseal*) request.data;
|
||||
struct cerberus_protocol_unseal_pmrs sealing;
|
||||
int status;
|
||||
|
||||
memset (&request, 0, sizeof (request));
|
||||
header.msg_type = MCTP_PROTOCOL_MSG_TYPE_VENDOR_DEF;
|
||||
header.pci_vendor_id = CERBERUS_PROTOCOL_MSFT_PCI_VID;
|
||||
header.command = CERBERUS_PROTOCOL_UNSEAL_MESSAGE;
|
||||
memset (sealing.pmr[0], 0, sizeof (sealing.pmr[0]));
|
||||
memset (sealing.pmr[1], 1, sizeof (sealing.pmr[0]));
|
||||
memset (sealing.pmr[2], 2, sizeof (sealing.pmr[0]));
|
||||
memset (sealing.pmr[3], 3, sizeof (sealing.pmr[0]));
|
||||
memset (sealing.pmr[4], 4, sizeof (sealing.pmr[0]));
|
||||
|
||||
memcpy (request.data, &header, sizeof (header));
|
||||
memcpy (&request.data[CERBERUS_PROTOCOL_MIN_MSG_LEN], &seed_len, sizeof (seed_len));
|
||||
memcpy (&request.data[CERBERUS_PROTOCOL_MIN_MSG_LEN + sizeof (seed_len)], &cipher_len,
|
||||
sizeof (cipher_len));
|
||||
request.data[CERBERUS_PROTOCOL_MIN_MSG_LEN + sizeof (seed_len) + sizeof (cipher_len)] =
|
||||
0xCC;
|
||||
request.data[CERBERUS_PROTOCOL_MIN_MSG_LEN + sizeof (seed_len) + 1 + sizeof (cipher_len)] =
|
||||
0xDD;
|
||||
memset (
|
||||
&request.data[CERBERUS_PROTOCOL_MIN_MSG_LEN + sizeof (seed_len) + 2 + sizeof (cipher_len)],
|
||||
0x55, SHA256_HASH_LENGTH);
|
||||
memset (
|
||||
&request.data[CERBERUS_PROTOCOL_MIN_MSG_LEN + sizeof (seed_len) + 2 + sizeof (cipher_len) +
|
||||
SHA256_HASH_LENGTH], 0xAA, 64);
|
||||
request.length = CERBERUS_PROTOCOL_MIN_MSG_LEN + 102;
|
||||
memset (&request, 0, sizeof (request));
|
||||
req->header.msg_type = MCTP_PROTOCOL_MSG_TYPE_VENDOR_DEF;
|
||||
req->header.pci_vendor_id = CERBERUS_PROTOCOL_MSFT_PCI_VID;
|
||||
req->header.command = CERBERUS_PROTOCOL_UNSEAL_MESSAGE;
|
||||
|
||||
req->hmac_type = 1;
|
||||
req->seed_type = CERBERUS_PROTOCOL_UNSEAL_SEED_RSA;
|
||||
req->seed_length = KEY_SEED_ENCRYPT_OAEP_LEN;
|
||||
memcpy (&req->seed, KEY_SEED_ENCRYPT_OAEP, KEY_SEED_ENCRYPT_OAEP_LEN);
|
||||
cerberus_protocol_unseal_ciphertext_length (req) = CIPHER_TEXT_LEN;
|
||||
memcpy (cerberus_protocol_unseal_ciphertext (req), CIPHER_TEXT, CIPHER_TEXT_LEN);
|
||||
cerberus_protocol_unseal_hmac_length (req) = PAYLOAD_HMAC_LEN;
|
||||
memcpy (cerberus_protocol_unseal_hmac (req), PAYLOAD_HMAC, PAYLOAD_HMAC_LEN);
|
||||
memcpy ((uint8_t*) cerberus_protocol_get_unseal_pmr_sealing (req), &sealing, sizeof (sealing));
|
||||
request.length = (sizeof (struct cerberus_protocol_message_unseal) - 1) +
|
||||
KEY_SEED_ENCRYPT_OAEP_LEN + 2 + CIPHER_TEXT_LEN + 2 + PAYLOAD_HMAC_LEN + sizeof (sealing);
|
||||
request.max_response = MCTP_PROTOCOL_MAX_MESSAGE_BODY;
|
||||
request.source_eid = MCTP_PROTOCOL_BMC_EID;
|
||||
request.target_eid = MCTP_PROTOCOL_PA_ROT_CTRL_EID;
|
||||
|
||||
request.crypto_timeout = false;
|
||||
status = cmd->process_request (cmd, &request);
|
||||
CuAssertIntEquals (test, CMD_HANDLER_BAD_LENGTH, status);
|
||||
CuAssertIntEquals (test, CMD_HANDLER_OUT_OF_RANGE, status);
|
||||
CuAssertIntEquals (test, true, request.crypto_timeout);
|
||||
}
|
||||
|
||||
void cerberus_protocol_optional_commands_testing_process_request_unseal_no_cipher_len (CuTest *test,
|
||||
void cerberus_protocol_optional_commands_testing_process_request_unseal_invalid_seed (CuTest *test,
|
||||
struct cmd_interface *cmd)
|
||||
{
|
||||
uint16_t seed_len = 2;
|
||||
uint16_t cipher_len = 0;
|
||||
struct cmd_interface_request request;
|
||||
struct cerberus_protocol_header header = {0};
|
||||
struct cerberus_protocol_message_unseal *req =
|
||||
(struct cerberus_protocol_message_unseal*) request.data;
|
||||
struct cerberus_protocol_unseal_pmrs sealing;
|
||||
int status;
|
||||
|
||||
memset (&request, 0, sizeof (request));
|
||||
header.msg_type = MCTP_PROTOCOL_MSG_TYPE_VENDOR_DEF;
|
||||
header.pci_vendor_id = CERBERUS_PROTOCOL_MSFT_PCI_VID;
|
||||
header.command = CERBERUS_PROTOCOL_UNSEAL_MESSAGE;
|
||||
memset (sealing.pmr[0], 0, sizeof (sealing.pmr[0]));
|
||||
memset (sealing.pmr[1], 1, sizeof (sealing.pmr[0]));
|
||||
memset (sealing.pmr[2], 2, sizeof (sealing.pmr[0]));
|
||||
memset (sealing.pmr[3], 3, sizeof (sealing.pmr[0]));
|
||||
memset (sealing.pmr[4], 4, sizeof (sealing.pmr[0]));
|
||||
|
||||
memcpy (request.data, &header, sizeof (header));
|
||||
memcpy (&request.data[CERBERUS_PROTOCOL_MIN_MSG_LEN], &seed_len, sizeof (seed_len));
|
||||
request.data[CERBERUS_PROTOCOL_MIN_MSG_LEN + sizeof (seed_len)] = 0xAA;
|
||||
request.data[CERBERUS_PROTOCOL_MIN_MSG_LEN + sizeof (seed_len) + 1] = 0xBB;
|
||||
memcpy (&request.data[CERBERUS_PROTOCOL_MIN_MSG_LEN + sizeof (seed_len) + 2], &cipher_len,
|
||||
sizeof (cipher_len));
|
||||
memset (
|
||||
&request.data[CERBERUS_PROTOCOL_MIN_MSG_LEN + sizeof (seed_len) + 2 + sizeof (cipher_len)],
|
||||
0x55, SHA256_HASH_LENGTH);
|
||||
memset (
|
||||
&request.data[CERBERUS_PROTOCOL_MIN_MSG_LEN + sizeof (seed_len) + 2 + sizeof (cipher_len) +
|
||||
SHA256_HASH_LENGTH], 0xAA, 64);
|
||||
request.length = CERBERUS_PROTOCOL_MIN_MSG_LEN + 102;
|
||||
memset (&request, 0, sizeof (request));
|
||||
req->header.msg_type = MCTP_PROTOCOL_MSG_TYPE_VENDOR_DEF;
|
||||
req->header.pci_vendor_id = CERBERUS_PROTOCOL_MSFT_PCI_VID;
|
||||
req->header.command = CERBERUS_PROTOCOL_UNSEAL_MESSAGE;
|
||||
|
||||
req->hmac_type = CERBERUS_PROTOCOL_UNSEAL_HMAC_SHA256;
|
||||
req->seed_type = 2;
|
||||
req->seed_length = KEY_SEED_ENCRYPT_OAEP_LEN;
|
||||
memcpy (&req->seed, KEY_SEED_ENCRYPT_OAEP, KEY_SEED_ENCRYPT_OAEP_LEN);
|
||||
cerberus_protocol_unseal_ciphertext_length (req) = CIPHER_TEXT_LEN;
|
||||
memcpy (cerberus_protocol_unseal_ciphertext (req), CIPHER_TEXT, CIPHER_TEXT_LEN);
|
||||
cerberus_protocol_unseal_hmac_length (req) = PAYLOAD_HMAC_LEN;
|
||||
memcpy (cerberus_protocol_unseal_hmac (req), PAYLOAD_HMAC, PAYLOAD_HMAC_LEN);
|
||||
memcpy ((uint8_t*) cerberus_protocol_get_unseal_pmr_sealing (req), &sealing, sizeof (sealing));
|
||||
request.length = (sizeof (struct cerberus_protocol_message_unseal) - 1) +
|
||||
KEY_SEED_ENCRYPT_OAEP_LEN + 2 + CIPHER_TEXT_LEN + 2 + PAYLOAD_HMAC_LEN + sizeof (sealing);
|
||||
request.max_response = MCTP_PROTOCOL_MAX_MESSAGE_BODY;
|
||||
request.source_eid = MCTP_PROTOCOL_BMC_EID;
|
||||
request.target_eid = MCTP_PROTOCOL_PA_ROT_CTRL_EID;
|
||||
|
||||
request.crypto_timeout = false;
|
||||
status = cmd->process_request (cmd, &request);
|
||||
CuAssertIntEquals (test, CMD_HANDLER_BAD_LENGTH, status);
|
||||
CuAssertIntEquals (test, CMD_HANDLER_OUT_OF_RANGE, status);
|
||||
CuAssertIntEquals (test, true, request.crypto_timeout);
|
||||
}
|
||||
|
||||
void cerberus_protocol_optional_commands_testing_process_request_unseal_incomplete_payload (
|
||||
void cerberus_protocol_optional_commands_testing_process_request_unseal_rsa_invalid_padding (
|
||||
CuTest *test, struct cmd_interface *cmd)
|
||||
{
|
||||
uint16_t seed_len = 2;
|
||||
uint16_t cipher_len = 2;
|
||||
struct cmd_interface_request request;
|
||||
struct cerberus_protocol_header header = {0};
|
||||
struct cerberus_protocol_message_unseal *req =
|
||||
(struct cerberus_protocol_message_unseal*) request.data;
|
||||
struct cerberus_protocol_unseal_pmrs sealing;
|
||||
int status;
|
||||
|
||||
memset (&request, 0, sizeof (request));
|
||||
header.msg_type = MCTP_PROTOCOL_MSG_TYPE_VENDOR_DEF;
|
||||
header.pci_vendor_id = CERBERUS_PROTOCOL_MSFT_PCI_VID;
|
||||
header.command = CERBERUS_PROTOCOL_UNSEAL_MESSAGE;
|
||||
memset (sealing.pmr[0], 0, sizeof (sealing.pmr[0]));
|
||||
memset (sealing.pmr[1], 1, sizeof (sealing.pmr[0]));
|
||||
memset (sealing.pmr[2], 2, sizeof (sealing.pmr[0]));
|
||||
memset (sealing.pmr[3], 3, sizeof (sealing.pmr[0]));
|
||||
memset (sealing.pmr[4], 4, sizeof (sealing.pmr[0]));
|
||||
|
||||
memcpy (request.data, &header, sizeof (header));
|
||||
memcpy (&request.data[CERBERUS_PROTOCOL_MIN_MSG_LEN], &seed_len, sizeof (seed_len));
|
||||
request.data[CERBERUS_PROTOCOL_MIN_MSG_LEN + sizeof (seed_len)] = 0xAA;
|
||||
request.data[CERBERUS_PROTOCOL_MIN_MSG_LEN + sizeof (seed_len) + 1] = 0xBB;
|
||||
memcpy (&request.data[CERBERUS_PROTOCOL_MIN_MSG_LEN + sizeof (seed_len) + 2], &cipher_len,
|
||||
sizeof (cipher_len));
|
||||
request.data[CERBERUS_PROTOCOL_MIN_MSG_LEN + sizeof (seed_len) + 2 + sizeof (cipher_len)] =
|
||||
0xCC;
|
||||
request.data[CERBERUS_PROTOCOL_MIN_MSG_LEN + sizeof (seed_len) + 3 + sizeof (cipher_len)] =
|
||||
0xDD;
|
||||
memset (
|
||||
&request.data[CERBERUS_PROTOCOL_MIN_MSG_LEN + sizeof (seed_len) + 4 + sizeof (cipher_len)],
|
||||
0x55, SHA256_HASH_LENGTH);
|
||||
memset (
|
||||
&request.data[CERBERUS_PROTOCOL_MIN_MSG_LEN + sizeof (seed_len) + 4 + sizeof (cipher_len) +
|
||||
SHA256_HASH_LENGTH], 0xAA, 64);
|
||||
request.length = CERBERUS_PROTOCOL_MIN_MSG_LEN;
|
||||
memset (&request, 0, sizeof (request));
|
||||
req->header.msg_type = MCTP_PROTOCOL_MSG_TYPE_VENDOR_DEF;
|
||||
req->header.pci_vendor_id = CERBERUS_PROTOCOL_MSFT_PCI_VID;
|
||||
req->header.command = CERBERUS_PROTOCOL_UNSEAL_MESSAGE;
|
||||
|
||||
req->hmac_type = CERBERUS_PROTOCOL_UNSEAL_HMAC_SHA256;
|
||||
req->seed_type = CERBERUS_PROTOCOL_UNSEAL_SEED_RSA;
|
||||
req->seed_params.rsa.padding = 3;
|
||||
req->seed_length = KEY_SEED_ENCRYPT_OAEP_LEN;
|
||||
memcpy (&req->seed, KEY_SEED_ENCRYPT_OAEP, KEY_SEED_ENCRYPT_OAEP_LEN);
|
||||
cerberus_protocol_unseal_ciphertext_length (req) = CIPHER_TEXT_LEN;
|
||||
memcpy (cerberus_protocol_unseal_ciphertext (req), CIPHER_TEXT, CIPHER_TEXT_LEN);
|
||||
cerberus_protocol_unseal_hmac_length (req) = PAYLOAD_HMAC_LEN;
|
||||
memcpy (cerberus_protocol_unseal_hmac (req), PAYLOAD_HMAC, PAYLOAD_HMAC_LEN);
|
||||
memcpy ((uint8_t*) cerberus_protocol_get_unseal_pmr_sealing (req), &sealing, sizeof (sealing));
|
||||
request.length = (sizeof (struct cerberus_protocol_message_unseal) - 1) +
|
||||
KEY_SEED_ENCRYPT_OAEP_LEN + 2 + CIPHER_TEXT_LEN + 2 + PAYLOAD_HMAC_LEN + sizeof (sealing);
|
||||
request.max_response = MCTP_PROTOCOL_MAX_MESSAGE_BODY;
|
||||
request.source_eid = MCTP_PROTOCOL_BMC_EID;
|
||||
request.target_eid = MCTP_PROTOCOL_PA_ROT_CTRL_EID;
|
||||
|
||||
request.crypto_timeout = false;
|
||||
status = cmd->process_request (cmd, &request);
|
||||
CuAssertIntEquals (test, CMD_HANDLER_OUT_OF_RANGE, status);
|
||||
CuAssertIntEquals (test, true, request.crypto_timeout);
|
||||
}
|
||||
|
||||
void cerberus_protocol_optional_commands_testing_process_request_unseal_no_seed (CuTest *test,
|
||||
struct cmd_interface *cmd)
|
||||
{
|
||||
struct cmd_interface_request request;
|
||||
struct cerberus_protocol_message_unseal *req =
|
||||
(struct cerberus_protocol_message_unseal*) request.data;
|
||||
struct cerberus_protocol_unseal_pmrs sealing;
|
||||
int status;
|
||||
|
||||
memset (sealing.pmr[0], 0, sizeof (sealing.pmr[0]));
|
||||
memset (sealing.pmr[1], 1, sizeof (sealing.pmr[0]));
|
||||
memset (sealing.pmr[2], 2, sizeof (sealing.pmr[0]));
|
||||
memset (sealing.pmr[3], 3, sizeof (sealing.pmr[0]));
|
||||
memset (sealing.pmr[4], 4, sizeof (sealing.pmr[0]));
|
||||
|
||||
memset (&request, 0, sizeof (request));
|
||||
req->header.msg_type = MCTP_PROTOCOL_MSG_TYPE_VENDOR_DEF;
|
||||
req->header.pci_vendor_id = CERBERUS_PROTOCOL_MSFT_PCI_VID;
|
||||
req->header.command = CERBERUS_PROTOCOL_UNSEAL_MESSAGE;
|
||||
|
||||
req->hmac_type = CERBERUS_PROTOCOL_UNSEAL_HMAC_SHA256;
|
||||
req->seed_type = CERBERUS_PROTOCOL_UNSEAL_SEED_RSA;
|
||||
req->seed_length = 0;
|
||||
cerberus_protocol_unseal_ciphertext_length (req) = CIPHER_TEXT_LEN;
|
||||
memcpy (cerberus_protocol_unseal_ciphertext (req), CIPHER_TEXT, CIPHER_TEXT_LEN);
|
||||
cerberus_protocol_unseal_hmac_length (req) = PAYLOAD_HMAC_LEN;
|
||||
memcpy (cerberus_protocol_unseal_hmac (req), PAYLOAD_HMAC, PAYLOAD_HMAC_LEN);
|
||||
memcpy ((uint8_t*) cerberus_protocol_get_unseal_pmr_sealing (req), &sealing, sizeof (sealing));
|
||||
request.length = (sizeof (struct cerberus_protocol_message_unseal) - 1) + 2 + CIPHER_TEXT_LEN +
|
||||
2 + PAYLOAD_HMAC_LEN + sizeof (sealing);
|
||||
request.max_response = MCTP_PROTOCOL_MAX_MESSAGE_BODY;
|
||||
request.source_eid = MCTP_PROTOCOL_BMC_EID;
|
||||
request.target_eid = MCTP_PROTOCOL_PA_ROT_CTRL_EID;
|
||||
|
||||
request.crypto_timeout = false;
|
||||
status = cmd->process_request (cmd, &request);
|
||||
CuAssertIntEquals (test, CMD_HANDLER_BAD_LENGTH, status);
|
||||
CuAssertIntEquals (test, true, request.crypto_timeout);
|
||||
}
|
||||
|
||||
void cerberus_protocol_optional_commands_testing_process_request_unseal_incomplete_seed (
|
||||
CuTest *test, struct cmd_interface *cmd)
|
||||
{
|
||||
struct cmd_interface_request request;
|
||||
struct cerberus_protocol_message_unseal *req =
|
||||
(struct cerberus_protocol_message_unseal*) request.data;
|
||||
struct cerberus_protocol_unseal_pmrs sealing;
|
||||
int status;
|
||||
|
||||
memset (sealing.pmr[0], 0, sizeof (sealing.pmr[0]));
|
||||
memset (sealing.pmr[1], 1, sizeof (sealing.pmr[0]));
|
||||
memset (sealing.pmr[2], 2, sizeof (sealing.pmr[0]));
|
||||
memset (sealing.pmr[3], 3, sizeof (sealing.pmr[0]));
|
||||
memset (sealing.pmr[4], 4, sizeof (sealing.pmr[0]));
|
||||
|
||||
memset (&request, 0, sizeof (request));
|
||||
req->header.msg_type = MCTP_PROTOCOL_MSG_TYPE_VENDOR_DEF;
|
||||
req->header.pci_vendor_id = CERBERUS_PROTOCOL_MSFT_PCI_VID;
|
||||
req->header.command = CERBERUS_PROTOCOL_UNSEAL_MESSAGE;
|
||||
|
||||
req->hmac_type = CERBERUS_PROTOCOL_UNSEAL_HMAC_SHA256;
|
||||
req->seed_type = CERBERUS_PROTOCOL_UNSEAL_SEED_RSA;
|
||||
req->seed_length = KEY_SEED_ENCRYPT_OAEP_LEN;
|
||||
memcpy (&req->seed, KEY_SEED_ENCRYPT_OAEP, KEY_SEED_ENCRYPT_OAEP_LEN);
|
||||
cerberus_protocol_unseal_ciphertext_length (req) = CIPHER_TEXT_LEN;
|
||||
memcpy (cerberus_protocol_unseal_ciphertext (req), CIPHER_TEXT, CIPHER_TEXT_LEN);
|
||||
cerberus_protocol_unseal_hmac_length (req) = PAYLOAD_HMAC_LEN;
|
||||
memcpy (cerberus_protocol_unseal_hmac (req), PAYLOAD_HMAC, PAYLOAD_HMAC_LEN);
|
||||
memcpy ((uint8_t*) cerberus_protocol_get_unseal_pmr_sealing (req), &sealing, sizeof (sealing));
|
||||
request.length = (sizeof (struct cerberus_protocol_message_unseal) - 1) +
|
||||
KEY_SEED_ENCRYPT_OAEP_LEN - 1;
|
||||
request.max_response = MCTP_PROTOCOL_MAX_MESSAGE_BODY;
|
||||
request.source_eid = MCTP_PROTOCOL_BMC_EID;
|
||||
request.target_eid = MCTP_PROTOCOL_PA_ROT_CTRL_EID;
|
||||
|
||||
request.crypto_timeout = false;
|
||||
status = cmd->process_request (cmd, &request);
|
||||
CuAssertIntEquals (test, CMD_HANDLER_BAD_LENGTH, status);
|
||||
CuAssertIntEquals (test, true, request.crypto_timeout);
|
||||
}
|
||||
|
||||
void cerberus_protocol_optional_commands_testing_process_request_unseal_no_ciphertext (CuTest *test,
|
||||
struct cmd_interface *cmd)
|
||||
{
|
||||
struct cmd_interface_request request;
|
||||
struct cerberus_protocol_message_unseal *req =
|
||||
(struct cerberus_protocol_message_unseal*) request.data;
|
||||
struct cerberus_protocol_unseal_pmrs sealing;
|
||||
int status;
|
||||
|
||||
memset (sealing.pmr[0], 0, sizeof (sealing.pmr[0]));
|
||||
memset (sealing.pmr[1], 1, sizeof (sealing.pmr[0]));
|
||||
memset (sealing.pmr[2], 2, sizeof (sealing.pmr[0]));
|
||||
memset (sealing.pmr[3], 3, sizeof (sealing.pmr[0]));
|
||||
memset (sealing.pmr[4], 4, sizeof (sealing.pmr[0]));
|
||||
|
||||
memset (&request, 0, sizeof (request));
|
||||
req->header.msg_type = MCTP_PROTOCOL_MSG_TYPE_VENDOR_DEF;
|
||||
req->header.pci_vendor_id = CERBERUS_PROTOCOL_MSFT_PCI_VID;
|
||||
req->header.command = CERBERUS_PROTOCOL_UNSEAL_MESSAGE;
|
||||
|
||||
req->hmac_type = CERBERUS_PROTOCOL_UNSEAL_HMAC_SHA256;
|
||||
req->seed_type = CERBERUS_PROTOCOL_UNSEAL_SEED_RSA;
|
||||
req->seed_length = KEY_SEED_ENCRYPT_OAEP_LEN;
|
||||
memcpy (&req->seed, KEY_SEED_ENCRYPT_OAEP, KEY_SEED_ENCRYPT_OAEP_LEN);
|
||||
cerberus_protocol_unseal_ciphertext_length (req) = 0;
|
||||
cerberus_protocol_unseal_hmac_length (req) = PAYLOAD_HMAC_LEN;
|
||||
memcpy (cerberus_protocol_unseal_hmac (req), PAYLOAD_HMAC, PAYLOAD_HMAC_LEN);
|
||||
memcpy ((uint8_t*) cerberus_protocol_get_unseal_pmr_sealing (req), &sealing, sizeof (sealing));
|
||||
request.length = (sizeof (struct cerberus_protocol_message_unseal) - 1) +
|
||||
KEY_SEED_ENCRYPT_OAEP_LEN + 2 + 2 + PAYLOAD_HMAC_LEN + sizeof (sealing);
|
||||
request.max_response = MCTP_PROTOCOL_MAX_MESSAGE_BODY;
|
||||
request.source_eid = MCTP_PROTOCOL_BMC_EID;
|
||||
request.target_eid = MCTP_PROTOCOL_PA_ROT_CTRL_EID;
|
||||
|
||||
request.crypto_timeout = false;
|
||||
status = cmd->process_request (cmd, &request);
|
||||
CuAssertIntEquals (test, CMD_HANDLER_BAD_LENGTH, status);
|
||||
CuAssertIntEquals (test, true, request.crypto_timeout);
|
||||
}
|
||||
|
||||
void cerberus_protocol_optional_commands_testing_process_request_unseal_incomplete_ciphertext (
|
||||
CuTest *test, struct cmd_interface *cmd)
|
||||
{
|
||||
struct cmd_interface_request request;
|
||||
struct cerberus_protocol_message_unseal *req =
|
||||
(struct cerberus_protocol_message_unseal*) request.data;
|
||||
struct cerberus_protocol_unseal_pmrs sealing;
|
||||
int status;
|
||||
|
||||
memset (sealing.pmr[0], 0, sizeof (sealing.pmr[0]));
|
||||
memset (sealing.pmr[1], 1, sizeof (sealing.pmr[0]));
|
||||
memset (sealing.pmr[2], 2, sizeof (sealing.pmr[0]));
|
||||
memset (sealing.pmr[3], 3, sizeof (sealing.pmr[0]));
|
||||
memset (sealing.pmr[4], 4, sizeof (sealing.pmr[0]));
|
||||
|
||||
memset (&request, 0, sizeof (request));
|
||||
req->header.msg_type = MCTP_PROTOCOL_MSG_TYPE_VENDOR_DEF;
|
||||
req->header.pci_vendor_id = CERBERUS_PROTOCOL_MSFT_PCI_VID;
|
||||
req->header.command = CERBERUS_PROTOCOL_UNSEAL_MESSAGE;
|
||||
|
||||
req->hmac_type = CERBERUS_PROTOCOL_UNSEAL_HMAC_SHA256;
|
||||
req->seed_type = CERBERUS_PROTOCOL_UNSEAL_SEED_RSA;
|
||||
req->seed_length = KEY_SEED_ENCRYPT_OAEP_LEN;
|
||||
memcpy (&req->seed, KEY_SEED_ENCRYPT_OAEP, KEY_SEED_ENCRYPT_OAEP_LEN);
|
||||
cerberus_protocol_unseal_ciphertext_length (req) = CIPHER_TEXT_LEN;
|
||||
memcpy (cerberus_protocol_unseal_ciphertext (req), CIPHER_TEXT, CIPHER_TEXT_LEN);
|
||||
cerberus_protocol_unseal_hmac_length (req) = PAYLOAD_HMAC_LEN;
|
||||
memcpy (cerberus_protocol_unseal_hmac (req), PAYLOAD_HMAC, PAYLOAD_HMAC_LEN);
|
||||
memcpy ((uint8_t*) cerberus_protocol_get_unseal_pmr_sealing (req), &sealing, sizeof (sealing));
|
||||
request.length = (sizeof (struct cerberus_protocol_message_unseal) - 1) +
|
||||
KEY_SEED_ENCRYPT_OAEP_LEN + 2 + CIPHER_TEXT_LEN - 1;
|
||||
request.max_response = MCTP_PROTOCOL_MAX_MESSAGE_BODY;
|
||||
request.source_eid = MCTP_PROTOCOL_BMC_EID;
|
||||
request.target_eid = MCTP_PROTOCOL_PA_ROT_CTRL_EID;
|
||||
|
||||
request.crypto_timeout = false;
|
||||
status = cmd->process_request (cmd, &request);
|
||||
CuAssertIntEquals (test, CMD_HANDLER_BAD_LENGTH, status);
|
||||
CuAssertIntEquals (test, true, request.crypto_timeout);
|
||||
}
|
||||
|
||||
void cerberus_protocol_optional_commands_testing_process_request_unseal_no_hmac (CuTest *test,
|
||||
struct cmd_interface *cmd)
|
||||
{
|
||||
struct cmd_interface_request request;
|
||||
struct cerberus_protocol_message_unseal *req =
|
||||
(struct cerberus_protocol_message_unseal*) request.data;
|
||||
struct cerberus_protocol_unseal_pmrs sealing;
|
||||
int status;
|
||||
|
||||
memset (sealing.pmr[0], 0, sizeof (sealing.pmr[0]));
|
||||
memset (sealing.pmr[1], 1, sizeof (sealing.pmr[0]));
|
||||
memset (sealing.pmr[2], 2, sizeof (sealing.pmr[0]));
|
||||
memset (sealing.pmr[3], 3, sizeof (sealing.pmr[0]));
|
||||
memset (sealing.pmr[4], 4, sizeof (sealing.pmr[0]));
|
||||
|
||||
memset (&request, 0, sizeof (request));
|
||||
req->header.msg_type = MCTP_PROTOCOL_MSG_TYPE_VENDOR_DEF;
|
||||
req->header.pci_vendor_id = CERBERUS_PROTOCOL_MSFT_PCI_VID;
|
||||
req->header.command = CERBERUS_PROTOCOL_UNSEAL_MESSAGE;
|
||||
|
||||
req->hmac_type = CERBERUS_PROTOCOL_UNSEAL_HMAC_SHA256;
|
||||
req->seed_type = CERBERUS_PROTOCOL_UNSEAL_SEED_RSA;
|
||||
req->seed_length = KEY_SEED_ENCRYPT_OAEP_LEN;
|
||||
memcpy (&req->seed, KEY_SEED_ENCRYPT_OAEP, KEY_SEED_ENCRYPT_OAEP_LEN);
|
||||
cerberus_protocol_unseal_ciphertext_length (req) = CIPHER_TEXT_LEN;
|
||||
memcpy (cerberus_protocol_unseal_ciphertext (req), CIPHER_TEXT, CIPHER_TEXT_LEN);
|
||||
cerberus_protocol_unseal_hmac_length (req) = 0;
|
||||
memcpy ((uint8_t*) cerberus_protocol_get_unseal_pmr_sealing (req), &sealing, sizeof (sealing));
|
||||
request.length = (sizeof (struct cerberus_protocol_message_unseal) - 1) +
|
||||
KEY_SEED_ENCRYPT_OAEP_LEN + 2 + CIPHER_TEXT_LEN + 2 + sizeof (sealing);
|
||||
request.max_response = MCTP_PROTOCOL_MAX_MESSAGE_BODY;
|
||||
request.source_eid = MCTP_PROTOCOL_BMC_EID;
|
||||
request.target_eid = MCTP_PROTOCOL_PA_ROT_CTRL_EID;
|
||||
|
||||
request.crypto_timeout = false;
|
||||
status = cmd->process_request (cmd, &request);
|
||||
CuAssertIntEquals (test, CMD_HANDLER_BAD_LENGTH, status);
|
||||
CuAssertIntEquals (test, true, request.crypto_timeout);
|
||||
}
|
||||
|
||||
void cerberus_protocol_optional_commands_testing_process_request_unseal_bad_hmac_length (
|
||||
CuTest *test, struct cmd_interface *cmd)
|
||||
{
|
||||
struct cmd_interface_request request;
|
||||
struct cerberus_protocol_message_unseal *req =
|
||||
(struct cerberus_protocol_message_unseal*) request.data;
|
||||
struct cerberus_protocol_unseal_pmrs sealing;
|
||||
int status;
|
||||
|
||||
memset (sealing.pmr[0], 0, sizeof (sealing.pmr[0]));
|
||||
memset (sealing.pmr[1], 1, sizeof (sealing.pmr[0]));
|
||||
memset (sealing.pmr[2], 2, sizeof (sealing.pmr[0]));
|
||||
memset (sealing.pmr[3], 3, sizeof (sealing.pmr[0]));
|
||||
memset (sealing.pmr[4], 4, sizeof (sealing.pmr[0]));
|
||||
|
||||
memset (&request, 0, sizeof (request));
|
||||
req->header.msg_type = MCTP_PROTOCOL_MSG_TYPE_VENDOR_DEF;
|
||||
req->header.pci_vendor_id = CERBERUS_PROTOCOL_MSFT_PCI_VID;
|
||||
req->header.command = CERBERUS_PROTOCOL_UNSEAL_MESSAGE;
|
||||
|
||||
req->hmac_type = CERBERUS_PROTOCOL_UNSEAL_HMAC_SHA256;
|
||||
req->seed_type = CERBERUS_PROTOCOL_UNSEAL_SEED_RSA;
|
||||
req->seed_length = KEY_SEED_ENCRYPT_OAEP_LEN;
|
||||
memcpy (&req->seed, KEY_SEED_ENCRYPT_OAEP, KEY_SEED_ENCRYPT_OAEP_LEN);
|
||||
cerberus_protocol_unseal_ciphertext_length (req) = CIPHER_TEXT_LEN;
|
||||
memcpy (cerberus_protocol_unseal_ciphertext (req), CIPHER_TEXT, CIPHER_TEXT_LEN);
|
||||
cerberus_protocol_unseal_hmac_length (req) = PAYLOAD_HMAC_LEN + 1;
|
||||
request.length = (sizeof (struct cerberus_protocol_message_unseal) - 1) +
|
||||
KEY_SEED_ENCRYPT_OAEP_LEN + 2 + CIPHER_TEXT_LEN + 2 + PAYLOAD_HMAC_LEN + 1 +
|
||||
sizeof (sealing);
|
||||
request.max_response = MCTP_PROTOCOL_MAX_MESSAGE_BODY;
|
||||
request.source_eid = MCTP_PROTOCOL_BMC_EID;
|
||||
request.target_eid = MCTP_PROTOCOL_PA_ROT_CTRL_EID;
|
||||
|
||||
request.crypto_timeout = false;
|
||||
status = cmd->process_request (cmd, &request);
|
||||
CuAssertIntEquals (test, CMD_HANDLER_BAD_LENGTH, status);
|
||||
CuAssertIntEquals (test, true, request.crypto_timeout);
|
||||
|
||||
cerberus_protocol_unseal_hmac_length (req) = PAYLOAD_HMAC_LEN - 1;
|
||||
memcpy ((uint8_t*) cerberus_protocol_get_unseal_pmr_sealing (req), &sealing, sizeof (sealing));
|
||||
request.length = (sizeof (struct cerberus_protocol_message_unseal) - 1) +
|
||||
KEY_SEED_ENCRYPT_OAEP_LEN + 2 + CIPHER_TEXT_LEN + 2 + (PAYLOAD_HMAC_LEN - 1) +
|
||||
sizeof (sealing);
|
||||
request.crypto_timeout = false;
|
||||
status = cmd->process_request (cmd, &request);
|
||||
CuAssertIntEquals (test, CMD_HANDLER_BAD_LENGTH, status);
|
||||
CuAssertIntEquals (test, true, request.crypto_timeout);
|
||||
}
|
||||
|
||||
void cerberus_protocol_optional_commands_testing_process_request_unseal_incomplete_hmac (
|
||||
CuTest *test, struct cmd_interface *cmd)
|
||||
{
|
||||
struct cmd_interface_request request;
|
||||
struct cerberus_protocol_message_unseal *req =
|
||||
(struct cerberus_protocol_message_unseal*) request.data;
|
||||
struct cerberus_protocol_unseal_pmrs sealing;
|
||||
int status;
|
||||
|
||||
memset (sealing.pmr[0], 0, sizeof (sealing.pmr[0]));
|
||||
memset (sealing.pmr[1], 1, sizeof (sealing.pmr[0]));
|
||||
memset (sealing.pmr[2], 2, sizeof (sealing.pmr[0]));
|
||||
memset (sealing.pmr[3], 3, sizeof (sealing.pmr[0]));
|
||||
memset (sealing.pmr[4], 4, sizeof (sealing.pmr[0]));
|
||||
|
||||
memset (&request, 0, sizeof (request));
|
||||
req->header.msg_type = MCTP_PROTOCOL_MSG_TYPE_VENDOR_DEF;
|
||||
req->header.pci_vendor_id = CERBERUS_PROTOCOL_MSFT_PCI_VID;
|
||||
req->header.command = CERBERUS_PROTOCOL_UNSEAL_MESSAGE;
|
||||
|
||||
req->hmac_type = CERBERUS_PROTOCOL_UNSEAL_HMAC_SHA256;
|
||||
req->seed_type = CERBERUS_PROTOCOL_UNSEAL_SEED_RSA;
|
||||
req->seed_length = KEY_SEED_ENCRYPT_OAEP_LEN;
|
||||
memcpy (&req->seed, KEY_SEED_ENCRYPT_OAEP, KEY_SEED_ENCRYPT_OAEP_LEN);
|
||||
cerberus_protocol_unseal_ciphertext_length (req) = CIPHER_TEXT_LEN;
|
||||
memcpy (cerberus_protocol_unseal_ciphertext (req), CIPHER_TEXT, CIPHER_TEXT_LEN);
|
||||
cerberus_protocol_unseal_hmac_length (req) = PAYLOAD_HMAC_LEN;
|
||||
memcpy (cerberus_protocol_unseal_hmac (req), PAYLOAD_HMAC, PAYLOAD_HMAC_LEN);
|
||||
memcpy ((uint8_t*) cerberus_protocol_get_unseal_pmr_sealing (req), &sealing, sizeof (sealing));
|
||||
request.length = (sizeof (struct cerberus_protocol_message_unseal) - 1) +
|
||||
KEY_SEED_ENCRYPT_OAEP_LEN + 2 + CIPHER_TEXT_LEN + 2 + PAYLOAD_HMAC_LEN - 1;
|
||||
request.max_response = MCTP_PROTOCOL_MAX_MESSAGE_BODY;
|
||||
request.source_eid = MCTP_PROTOCOL_BMC_EID;
|
||||
request.target_eid = MCTP_PROTOCOL_PA_ROT_CTRL_EID;
|
||||
|
||||
request.crypto_timeout = false;
|
||||
status = cmd->process_request (cmd, &request);
|
||||
CuAssertIntEquals (test, CMD_HANDLER_BAD_LENGTH, status);
|
||||
CuAssertIntEquals (test, true, request.crypto_timeout);
|
||||
}
|
||||
|
||||
void cerberus_protocol_optional_commands_testing_process_request_unseal_invalid_len (CuTest *test,
|
||||
struct cmd_interface *cmd)
|
||||
{
|
||||
struct cmd_interface_request request;
|
||||
struct cerberus_protocol_message_unseal *req =
|
||||
(struct cerberus_protocol_message_unseal*) request.data;
|
||||
struct cerberus_protocol_unseal_pmrs sealing;
|
||||
int status;
|
||||
|
||||
memset (sealing.pmr[0], 0, sizeof (sealing.pmr[0]));
|
||||
memset (sealing.pmr[1], 1, sizeof (sealing.pmr[0]));
|
||||
memset (sealing.pmr[2], 2, sizeof (sealing.pmr[0]));
|
||||
memset (sealing.pmr[3], 3, sizeof (sealing.pmr[0]));
|
||||
memset (sealing.pmr[4], 4, sizeof (sealing.pmr[0]));
|
||||
|
||||
memset (&request, 0, sizeof (request));
|
||||
req->header.msg_type = MCTP_PROTOCOL_MSG_TYPE_VENDOR_DEF;
|
||||
req->header.pci_vendor_id = CERBERUS_PROTOCOL_MSFT_PCI_VID;
|
||||
req->header.command = CERBERUS_PROTOCOL_UNSEAL_MESSAGE;
|
||||
|
||||
req->hmac_type = CERBERUS_PROTOCOL_UNSEAL_HMAC_SHA256;
|
||||
req->seed_type = CERBERUS_PROTOCOL_UNSEAL_SEED_RSA;
|
||||
req->seed_length = KEY_SEED_ENCRYPT_OAEP_LEN;
|
||||
memcpy (&req->seed, KEY_SEED_ENCRYPT_OAEP, KEY_SEED_ENCRYPT_OAEP_LEN);
|
||||
cerberus_protocol_unseal_ciphertext_length (req) = CIPHER_TEXT_LEN;
|
||||
memcpy (cerberus_protocol_unseal_ciphertext (req), CIPHER_TEXT, CIPHER_TEXT_LEN);
|
||||
cerberus_protocol_unseal_hmac_length (req) = PAYLOAD_HMAC_LEN;
|
||||
memcpy (cerberus_protocol_unseal_hmac (req), PAYLOAD_HMAC, PAYLOAD_HMAC_LEN);
|
||||
memcpy ((uint8_t*) cerberus_protocol_get_unseal_pmr_sealing (req), &sealing, sizeof (sealing));
|
||||
request.length = sizeof (struct cerberus_protocol_message_unseal) - 1;
|
||||
request.max_response = MCTP_PROTOCOL_MAX_MESSAGE_BODY;
|
||||
request.source_eid = MCTP_PROTOCOL_BMC_EID;
|
||||
request.target_eid = MCTP_PROTOCOL_PA_ROT_CTRL_EID;
|
||||
|
||||
request.crypto_timeout = false;
|
||||
status = cmd->process_request (cmd, &request);
|
||||
CuAssertIntEquals (test, CMD_HANDLER_BAD_LENGTH, status);
|
||||
CuAssertIntEquals (test, true, request.crypto_timeout);
|
||||
|
||||
request.length = (sizeof (struct cerberus_protocol_message_unseal) - 1) +
|
||||
KEY_SEED_ENCRYPT_OAEP_LEN + 2 + CIPHER_TEXT_LEN + 2 + PAYLOAD_HMAC_LEN + sizeof (sealing) -
|
||||
1;
|
||||
request.crypto_timeout = false;
|
||||
status = cmd->process_request (cmd, &request);
|
||||
CuAssertIntEquals (test, CMD_HANDLER_BAD_LENGTH, status);
|
||||
CuAssertIntEquals (test, true, request.crypto_timeout);
|
||||
|
||||
request.length = (sizeof (struct cerberus_protocol_message_unseal) - 1) +
|
||||
KEY_SEED_ENCRYPT_OAEP_LEN + 2 + CIPHER_TEXT_LEN + 2 + PAYLOAD_HMAC_LEN + sizeof (sealing) +
|
||||
1;
|
||||
request.crypto_timeout = false;
|
||||
status = cmd->process_request (cmd, &request);
|
||||
CuAssertIntEquals (test, CMD_HANDLER_BAD_LENGTH, status);
|
||||
|
|
@ -4052,6 +4439,7 @@ void cerberus_protocol_optional_commands_testing_process_request_unseal_result_b
|
|||
size_t max_buf_len = MCTP_PROTOCOL_MAX_MESSAGE_BODY -
|
||||
sizeof (struct cerberus_protocol_message_unseal_result_completed_response) + 1;
|
||||
uint32_t attestation_status = ATTESTATION_CMD_STATUS_RUNNING;
|
||||
uint16_t key_len = 0;
|
||||
int status;
|
||||
|
||||
memset (&request, 0, sizeof (request));
|
||||
|
|
@ -4067,6 +4455,7 @@ void cerberus_protocol_optional_commands_testing_process_request_unseal_result_b
|
|||
status = mock_expect (&background->mock, background->base.unseal_result, background,
|
||||
0, MOCK_ARG_NOT_NULL, MOCK_ARG_PTR_CONTAINS_TMP (&max_buf_len, sizeof (max_buf_len)),
|
||||
MOCK_ARG_NOT_NULL);
|
||||
status |= mock_expect_output (&background->mock, 1, &key_len, sizeof (key_len), -1);
|
||||
status |= mock_expect_output (&background->mock, 2, &attestation_status,
|
||||
sizeof (attestation_status), -1);
|
||||
|
||||
|
|
@ -7219,7 +7608,7 @@ static void cerberus_protocol_optional_commands_test_message_unseal_format (CuTe
|
|||
{
|
||||
uint8_t raw_buffer_req[] = {
|
||||
0x7e,0x14,0x13,0x03,0x89,
|
||||
0x01,
|
||||
0x01,0x02,
|
||||
0x48,0x00,
|
||||
0x30,0x46,0x02,0x21,0x00,0x86,0x1d,0x0e,0x39,0x20,0xdc,0xae,0x77,0xcc,0xb0,0x33,
|
||||
0x38,0xb7,0xd8,0x47,0xb9,0x7a,0x6b,0x65,0x3b,0xe2,0x72,0x52,0x8f,0x77,0x82,0x00,
|
||||
|
|
@ -7253,7 +7642,7 @@ static void cerberus_protocol_optional_commands_test_message_unseal_format (CuTe
|
|||
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
||||
};
|
||||
struct cerberus_protocol_message_unseal *req;
|
||||
struct cerberus_protocol_unseal_pmrs *pmrs;
|
||||
const struct cerberus_protocol_unseal_pmrs *pmrs;
|
||||
|
||||
TEST_START;
|
||||
|
||||
|
|
@ -7270,20 +7659,24 @@ static void cerberus_protocol_optional_commands_test_message_unseal_format (CuTe
|
|||
CuAssertIntEquals (test, 0x00, req->reserved);
|
||||
CuAssertIntEquals (test, 0x00, req->hmac_type);
|
||||
CuAssertIntEquals (test, 0x01, req->seed_type);
|
||||
CuAssertIntEquals (test, 0x00, req->seed_params.rsa.reserved);
|
||||
CuAssertIntEquals (test, CERBERUS_PROTOCOL_UNSEAL_RSA_OAEP_SHA256,
|
||||
req->seed_params.rsa.padding);
|
||||
CuAssertIntEquals (test, 0x02, req->seed_params.ecdh.reserved);
|
||||
CuAssertIntEquals (test, 0x0048, req->seed_length);
|
||||
CuAssertPtrEquals (test, &raw_buffer_req[8], &req->seed);
|
||||
CuAssertPtrEquals (test, &raw_buffer_req[9], &req->seed);
|
||||
CuAssertIntEquals (test, 0x0010, cerberus_protocol_unseal_ciphertext_length (req));
|
||||
CuAssertPtrEquals (test, &raw_buffer_req[82], cerberus_protocol_unseal_ciphertext (req));
|
||||
CuAssertPtrEquals (test, &raw_buffer_req[83], cerberus_protocol_unseal_ciphertext (req));
|
||||
CuAssertIntEquals (test, 0x0020, cerberus_protocol_unseal_hmac_length (req));
|
||||
CuAssertPtrEquals (test, &raw_buffer_req[100], cerberus_protocol_unseal_hmac (req));
|
||||
CuAssertPtrEquals (test, &raw_buffer_req[101], cerberus_protocol_unseal_hmac (req));
|
||||
|
||||
pmrs = cerberus_protocol_get_unseal_pmr_sealing (req);
|
||||
CuAssertPtrEquals (test, &raw_buffer_req[132], pmrs);
|
||||
CuAssertPtrEquals (test, &raw_buffer_req[132], pmrs->pmr[0]);
|
||||
CuAssertPtrEquals (test, &raw_buffer_req[196], pmrs->pmr[1]);
|
||||
CuAssertPtrEquals (test, &raw_buffer_req[260], pmrs->pmr[2]);
|
||||
CuAssertPtrEquals (test, &raw_buffer_req[324], pmrs->pmr[3]);
|
||||
CuAssertPtrEquals (test, &raw_buffer_req[388], pmrs->pmr[4]);
|
||||
CuAssertPtrEquals (test, &raw_buffer_req[133], (uint8_t*) pmrs);
|
||||
CuAssertPtrEquals (test, &raw_buffer_req[133], (uint8_t*) pmrs->pmr[0]);
|
||||
CuAssertPtrEquals (test, &raw_buffer_req[197], (uint8_t*) pmrs->pmr[1]);
|
||||
CuAssertPtrEquals (test, &raw_buffer_req[261], (uint8_t*) pmrs->pmr[2]);
|
||||
CuAssertPtrEquals (test, &raw_buffer_req[325], (uint8_t*) pmrs->pmr[3]);
|
||||
CuAssertPtrEquals (test, &raw_buffer_req[389], (uint8_t*) pmrs->pmr[4]);
|
||||
|
||||
raw_buffer_req[5] = 0x21;
|
||||
CuAssertIntEquals (test, 0x01, req->reserved);
|
||||
|
|
@ -7294,6 +7687,24 @@ static void cerberus_protocol_optional_commands_test_message_unseal_format (CuTe
|
|||
CuAssertIntEquals (test, 0x01, req->reserved);
|
||||
CuAssertIntEquals (test, 0x02, req->hmac_type);
|
||||
CuAssertIntEquals (test, 0x01, req->seed_type);
|
||||
|
||||
raw_buffer_req[6] = 0x01;
|
||||
CuAssertIntEquals (test, 0x00, req->seed_params.rsa.reserved);
|
||||
CuAssertIntEquals (test, CERBERUS_PROTOCOL_UNSEAL_RSA_OAEP_SHA1,
|
||||
req->seed_params.rsa.padding);
|
||||
CuAssertIntEquals (test, 0x01, req->seed_params.ecdh.reserved);
|
||||
|
||||
raw_buffer_req[6] = 0x11;
|
||||
CuAssertIntEquals (test, 0x02, req->seed_params.rsa.reserved);
|
||||
CuAssertIntEquals (test, CERBERUS_PROTOCOL_UNSEAL_RSA_OAEP_SHA1,
|
||||
req->seed_params.rsa.padding);
|
||||
CuAssertIntEquals (test, 0x11, req->seed_params.ecdh.reserved);
|
||||
|
||||
raw_buffer_req[6] = 0x10;
|
||||
CuAssertIntEquals (test, 0x02, req->seed_params.rsa.reserved);
|
||||
CuAssertIntEquals (test, CERBERUS_PROTOCOL_UNSEAL_RSA_PKCS15,
|
||||
req->seed_params.rsa.padding);
|
||||
CuAssertIntEquals (test, 0x10, req->seed_params.ecdh.reserved);
|
||||
}
|
||||
|
||||
static void cerberus_protocol_optional_commands_test_message_unseal_result_format (CuTest *test)
|
||||
|
|
|
|||
|
|
@ -201,16 +201,34 @@ void cerberus_protocol_optional_commands_testing_process_log_read_invalid_type (
|
|||
void cerberus_protocol_optional_commands_testing_process_log_read_invalid_len (CuTest *test,
|
||||
struct cmd_interface *cmd);
|
||||
|
||||
void cerberus_protocol_optional_commands_testing_process_request_unseal (CuTest *test,
|
||||
struct cmd_interface *cmd, struct cmd_background_mock *background, int pcr);
|
||||
void cerberus_protocol_optional_commands_testing_process_request_unseal_rsa (CuTest *test,
|
||||
struct cmd_interface *cmd, struct cmd_background_mock *background);
|
||||
void cerberus_protocol_optional_commands_testing_process_request_unseal_ecc (CuTest *test,
|
||||
struct cmd_interface *cmd, struct cmd_background_mock *background);
|
||||
void cerberus_protocol_optional_commands_testing_process_request_unseal_fail (CuTest *test,
|
||||
struct cmd_interface *cmd, struct cmd_background_mock *background, int pcr);
|
||||
void cerberus_protocol_optional_commands_testing_process_request_unseal_no_seed_len (CuTest *test,
|
||||
struct cmd_interface *cmd, struct cmd_background_mock *background);
|
||||
void cerberus_protocol_optional_commands_testing_process_request_unseal_invalid_hmac (CuTest *test,
|
||||
struct cmd_interface *cmd);
|
||||
void cerberus_protocol_optional_commands_testing_process_request_unseal_no_cipher_len (CuTest *test,
|
||||
void cerberus_protocol_optional_commands_testing_process_request_unseal_invalid_seed (CuTest *test,
|
||||
struct cmd_interface *cmd);
|
||||
void cerberus_protocol_optional_commands_testing_process_request_unseal_incomplete_payload (
|
||||
void cerberus_protocol_optional_commands_testing_process_request_unseal_rsa_invalid_padding (
|
||||
CuTest *test, struct cmd_interface *cmd);
|
||||
void cerberus_protocol_optional_commands_testing_process_request_unseal_no_seed (CuTest *test,
|
||||
struct cmd_interface *cmd);
|
||||
void cerberus_protocol_optional_commands_testing_process_request_unseal_incomplete_seed (
|
||||
CuTest *test, struct cmd_interface *cmd);
|
||||
void cerberus_protocol_optional_commands_testing_process_request_unseal_no_ciphertext (CuTest *test,
|
||||
struct cmd_interface *cmd);
|
||||
void cerberus_protocol_optional_commands_testing_process_request_unseal_incomplete_ciphertext (
|
||||
CuTest *test, struct cmd_interface *cmd);
|
||||
void cerberus_protocol_optional_commands_testing_process_request_unseal_no_hmac (CuTest *test,
|
||||
struct cmd_interface *cmd);
|
||||
void cerberus_protocol_optional_commands_testing_process_request_unseal_bad_hmac_length (
|
||||
CuTest *test, struct cmd_interface *cmd);
|
||||
void cerberus_protocol_optional_commands_testing_process_request_unseal_incomplete_hmac (
|
||||
CuTest *test, struct cmd_interface *cmd);
|
||||
void cerberus_protocol_optional_commands_testing_process_request_unseal_invalid_len (CuTest *test,
|
||||
struct cmd_interface *cmd);
|
||||
|
||||
void cerberus_protocol_optional_commands_testing_process_request_unseal_result (CuTest *test,
|
||||
struct cmd_interface *cmd, struct cmd_background_mock *background);
|
||||
|
|
|
|||
|
|
@ -3854,7 +3854,7 @@ static void cmd_interface_system_test_process_get_capabilities_invalid_len (CuTe
|
|||
complete_cmd_interface_system_mock_test (test, &cmd);
|
||||
}
|
||||
|
||||
static void cmd_interface_system_test_process_request_unseal (CuTest *test)
|
||||
static void cmd_interface_system_test_process_request_unseal_rsa (CuTest *test)
|
||||
{
|
||||
struct cmd_interface_system_testing cmd;
|
||||
|
||||
|
|
@ -3862,8 +3862,21 @@ static void cmd_interface_system_test_process_request_unseal (CuTest *test)
|
|||
|
||||
setup_cmd_interface_system_mock_test (test, &cmd, true, true, true, true, false, false, true,
|
||||
true, DEVICE_MANAGER_UPSTREAM);
|
||||
cerberus_protocol_optional_commands_testing_process_request_unseal (test, &cmd.handler.base,
|
||||
&cmd.background, 0);
|
||||
cerberus_protocol_optional_commands_testing_process_request_unseal_rsa (test, &cmd.handler.base,
|
||||
&cmd.background);
|
||||
complete_cmd_interface_system_mock_test (test, &cmd);
|
||||
}
|
||||
|
||||
static void cmd_interface_system_test_process_request_unseal_ecc (CuTest *test)
|
||||
{
|
||||
struct cmd_interface_system_testing cmd;
|
||||
|
||||
TEST_START;
|
||||
|
||||
setup_cmd_interface_system_mock_test (test, &cmd, true, true, true, true, false, false, true,
|
||||
true, DEVICE_MANAGER_UPSTREAM);
|
||||
cerberus_protocol_optional_commands_testing_process_request_unseal_rsa (test, &cmd.handler.base,
|
||||
&cmd.background);
|
||||
complete_cmd_interface_system_mock_test (test, &cmd);
|
||||
}
|
||||
|
||||
|
|
@ -3876,11 +3889,11 @@ static void cmd_interface_system_test_process_request_unseal_fail (CuTest *test)
|
|||
setup_cmd_interface_system_mock_test (test, &cmd, true, true, true, true, false, false, true,
|
||||
true, DEVICE_MANAGER_UPSTREAM);
|
||||
cerberus_protocol_optional_commands_testing_process_request_unseal_fail (test,
|
||||
&cmd.handler.base, &cmd.background, 0);
|
||||
&cmd.handler.base, &cmd.background);
|
||||
complete_cmd_interface_system_mock_test (test, &cmd);
|
||||
}
|
||||
|
||||
static void cmd_interface_system_test_process_request_unseal_no_seed_len (CuTest *test)
|
||||
static void cmd_interface_system_test_process_request_unseal_invalid_hmac (CuTest *test)
|
||||
{
|
||||
struct cmd_interface_system_testing cmd;
|
||||
|
||||
|
|
@ -3888,12 +3901,12 @@ static void cmd_interface_system_test_process_request_unseal_no_seed_len (CuTest
|
|||
|
||||
setup_cmd_interface_system_mock_test (test, &cmd, true, true, true, true, false, false, true,
|
||||
true, DEVICE_MANAGER_UPSTREAM);
|
||||
cerberus_protocol_optional_commands_testing_process_request_unseal_no_seed_len (test,
|
||||
cerberus_protocol_optional_commands_testing_process_request_unseal_invalid_hmac (test,
|
||||
&cmd.handler.base);
|
||||
complete_cmd_interface_system_mock_test (test, &cmd);
|
||||
}
|
||||
|
||||
static void cmd_interface_system_test_process_request_unseal_no_cipher_len (CuTest *test)
|
||||
static void cmd_interface_system_test_process_request_unseal_invalid_seed (CuTest *test)
|
||||
{
|
||||
struct cmd_interface_system_testing cmd;
|
||||
|
||||
|
|
@ -3901,12 +3914,12 @@ static void cmd_interface_system_test_process_request_unseal_no_cipher_len (CuTe
|
|||
|
||||
setup_cmd_interface_system_mock_test (test, &cmd, true, true, true, true, false, false, true,
|
||||
true, DEVICE_MANAGER_UPSTREAM);
|
||||
cerberus_protocol_optional_commands_testing_process_request_unseal_no_cipher_len (test,
|
||||
cerberus_protocol_optional_commands_testing_process_request_unseal_invalid_seed (test,
|
||||
&cmd.handler.base);
|
||||
complete_cmd_interface_system_mock_test (test, &cmd);
|
||||
}
|
||||
|
||||
static void cmd_interface_system_test_process_request_unseal_incomplete_payload (CuTest *test)
|
||||
static void cmd_interface_system_test_process_request_unseal_rsa_invalid_padding (CuTest *test)
|
||||
{
|
||||
struct cmd_interface_system_testing cmd;
|
||||
|
||||
|
|
@ -3914,7 +3927,111 @@ static void cmd_interface_system_test_process_request_unseal_incomplete_payload
|
|||
|
||||
setup_cmd_interface_system_mock_test (test, &cmd, true, true, true, true, false, false, true,
|
||||
true, DEVICE_MANAGER_UPSTREAM);
|
||||
cerberus_protocol_optional_commands_testing_process_request_unseal_incomplete_payload (test,
|
||||
cerberus_protocol_optional_commands_testing_process_request_unseal_rsa_invalid_padding (test,
|
||||
&cmd.handler.base);
|
||||
complete_cmd_interface_system_mock_test (test, &cmd);
|
||||
}
|
||||
|
||||
static void cmd_interface_system_test_process_request_unseal_no_seed (CuTest *test)
|
||||
{
|
||||
struct cmd_interface_system_testing cmd;
|
||||
|
||||
TEST_START;
|
||||
|
||||
setup_cmd_interface_system_mock_test (test, &cmd, true, true, true, true, false, false, true,
|
||||
true, DEVICE_MANAGER_UPSTREAM);
|
||||
cerberus_protocol_optional_commands_testing_process_request_unseal_no_seed (test,
|
||||
&cmd.handler.base);
|
||||
complete_cmd_interface_system_mock_test (test, &cmd);
|
||||
}
|
||||
|
||||
static void cmd_interface_system_test_process_request_unseal_incomplete_seed (CuTest *test)
|
||||
{
|
||||
struct cmd_interface_system_testing cmd;
|
||||
|
||||
TEST_START;
|
||||
|
||||
setup_cmd_interface_system_mock_test (test, &cmd, true, true, true, true, false, false, true,
|
||||
true, DEVICE_MANAGER_UPSTREAM);
|
||||
cerberus_protocol_optional_commands_testing_process_request_unseal_incomplete_seed (test,
|
||||
&cmd.handler.base);
|
||||
complete_cmd_interface_system_mock_test (test, &cmd);
|
||||
}
|
||||
|
||||
static void cmd_interface_system_test_process_request_unseal_no_ciphertext (CuTest *test)
|
||||
{
|
||||
struct cmd_interface_system_testing cmd;
|
||||
|
||||
TEST_START;
|
||||
|
||||
setup_cmd_interface_system_mock_test (test, &cmd, true, true, true, true, false, false, true,
|
||||
true, DEVICE_MANAGER_UPSTREAM);
|
||||
cerberus_protocol_optional_commands_testing_process_request_unseal_no_ciphertext (test,
|
||||
&cmd.handler.base);
|
||||
complete_cmd_interface_system_mock_test (test, &cmd);
|
||||
}
|
||||
|
||||
static void cmd_interface_system_test_process_request_unseal_incomplete_ciphertext (CuTest *test)
|
||||
{
|
||||
struct cmd_interface_system_testing cmd;
|
||||
|
||||
TEST_START;
|
||||
|
||||
setup_cmd_interface_system_mock_test (test, &cmd, true, true, true, true, false, false, true,
|
||||
true, DEVICE_MANAGER_UPSTREAM);
|
||||
cerberus_protocol_optional_commands_testing_process_request_unseal_incomplete_ciphertext (test,
|
||||
&cmd.handler.base);
|
||||
complete_cmd_interface_system_mock_test (test, &cmd);
|
||||
}
|
||||
|
||||
static void cmd_interface_system_test_process_request_unseal_no_hmac (CuTest *test)
|
||||
{
|
||||
struct cmd_interface_system_testing cmd;
|
||||
|
||||
TEST_START;
|
||||
|
||||
setup_cmd_interface_system_mock_test (test, &cmd, true, true, true, true, false, false, true,
|
||||
true, DEVICE_MANAGER_UPSTREAM);
|
||||
cerberus_protocol_optional_commands_testing_process_request_unseal_no_hmac (test,
|
||||
&cmd.handler.base);
|
||||
complete_cmd_interface_system_mock_test (test, &cmd);
|
||||
}
|
||||
|
||||
static void cmd_interface_system_test_process_request_unseal_bad_hmac_length (CuTest *test)
|
||||
{
|
||||
struct cmd_interface_system_testing cmd;
|
||||
|
||||
TEST_START;
|
||||
|
||||
setup_cmd_interface_system_mock_test (test, &cmd, true, true, true, true, false, false, true,
|
||||
true, DEVICE_MANAGER_UPSTREAM);
|
||||
cerberus_protocol_optional_commands_testing_process_request_unseal_bad_hmac_length (test,
|
||||
&cmd.handler.base);
|
||||
complete_cmd_interface_system_mock_test (test, &cmd);
|
||||
}
|
||||
|
||||
static void cmd_interface_system_test_process_request_unseal_incomplete_hmac (CuTest *test)
|
||||
{
|
||||
struct cmd_interface_system_testing cmd;
|
||||
|
||||
TEST_START;
|
||||
|
||||
setup_cmd_interface_system_mock_test (test, &cmd, true, true, true, true, false, false, true,
|
||||
true, DEVICE_MANAGER_UPSTREAM);
|
||||
cerberus_protocol_optional_commands_testing_process_request_unseal_incomplete_hmac (test,
|
||||
&cmd.handler.base);
|
||||
complete_cmd_interface_system_mock_test (test, &cmd);
|
||||
}
|
||||
|
||||
static void cmd_interface_system_test_process_request_unseal_invalid_len (CuTest *test)
|
||||
{
|
||||
struct cmd_interface_system_testing cmd;
|
||||
|
||||
TEST_START;
|
||||
|
||||
setup_cmd_interface_system_mock_test (test, &cmd, true, true, true, true, false, false, true,
|
||||
true, DEVICE_MANAGER_UPSTREAM);
|
||||
cerberus_protocol_optional_commands_testing_process_request_unseal_invalid_len (test,
|
||||
&cmd.handler.base);
|
||||
complete_cmd_interface_system_mock_test (test, &cmd);
|
||||
}
|
||||
|
|
@ -6012,11 +6129,20 @@ CuSuite* get_cmd_interface_system_suite ()
|
|||
SUITE_ADD_TEST (suite, cmd_interface_system_test_process_get_capabilities);
|
||||
SUITE_ADD_TEST (suite, cmd_interface_system_test_process_get_capabilities_invalid_device);
|
||||
SUITE_ADD_TEST (suite, cmd_interface_system_test_process_get_capabilities_invalid_len);
|
||||
SUITE_ADD_TEST (suite, cmd_interface_system_test_process_request_unseal);
|
||||
SUITE_ADD_TEST (suite, cmd_interface_system_test_process_request_unseal_rsa);
|
||||
SUITE_ADD_TEST (suite, cmd_interface_system_test_process_request_unseal_ecc);
|
||||
SUITE_ADD_TEST (suite, cmd_interface_system_test_process_request_unseal_fail);
|
||||
SUITE_ADD_TEST (suite, cmd_interface_system_test_process_request_unseal_no_seed_len);
|
||||
SUITE_ADD_TEST (suite, cmd_interface_system_test_process_request_unseal_no_cipher_len);
|
||||
SUITE_ADD_TEST (suite, cmd_interface_system_test_process_request_unseal_incomplete_payload);
|
||||
SUITE_ADD_TEST (suite, cmd_interface_system_test_process_request_unseal_invalid_hmac);
|
||||
SUITE_ADD_TEST (suite, cmd_interface_system_test_process_request_unseal_invalid_seed);
|
||||
SUITE_ADD_TEST (suite, cmd_interface_system_test_process_request_unseal_rsa_invalid_padding);
|
||||
SUITE_ADD_TEST (suite, cmd_interface_system_test_process_request_unseal_no_seed);
|
||||
SUITE_ADD_TEST (suite, cmd_interface_system_test_process_request_unseal_incomplete_seed);
|
||||
SUITE_ADD_TEST (suite, cmd_interface_system_test_process_request_unseal_no_ciphertext);
|
||||
SUITE_ADD_TEST (suite, cmd_interface_system_test_process_request_unseal_incomplete_ciphertext);
|
||||
SUITE_ADD_TEST (suite, cmd_interface_system_test_process_request_unseal_no_hmac);
|
||||
SUITE_ADD_TEST (suite, cmd_interface_system_test_process_request_unseal_bad_hmac_length);
|
||||
SUITE_ADD_TEST (suite, cmd_interface_system_test_process_request_unseal_incomplete_hmac);
|
||||
SUITE_ADD_TEST (suite, cmd_interface_system_test_process_request_unseal_invalid_len);
|
||||
SUITE_ADD_TEST (suite, cmd_interface_system_test_process_request_unseal_result);
|
||||
SUITE_ADD_TEST (suite,
|
||||
cmd_interface_system_test_process_request_unseal_result_limited_response);
|
||||
|
|
@ -6043,7 +6169,6 @@ CuSuite* get_cmd_interface_system_suite ()
|
|||
cmd_interface_system_test_process_get_host_reset_status_reset_check_error);
|
||||
SUITE_ADD_TEST (suite,
|
||||
cmd_interface_system_test_process_get_host_reset_status_hold_check_error);
|
||||
SUITE_ADD_TEST (suite, cmd_interface_system_test_issue_request_null);
|
||||
SUITE_ADD_TEST (suite, cmd_interface_system_test_process_get_pcd_id);
|
||||
SUITE_ADD_TEST (suite, cmd_interface_system_test_process_get_pcd_id_no_id_type);
|
||||
SUITE_ADD_TEST (suite, cmd_interface_system_test_process_get_pcd_id_no_pcd);
|
||||
|
|
@ -6171,6 +6296,7 @@ CuSuite* get_cmd_interface_system_suite ()
|
|||
SUITE_ADD_TEST (suite, cmd_interface_system_test_process_reset_counter_invalid_len);
|
||||
SUITE_ADD_TEST (suite, cmd_interface_system_test_process_reset_counter_invalid_counter);
|
||||
SUITE_ADD_TEST (suite, cmd_interface_system_test_supports_all_required_commands);
|
||||
SUITE_ADD_TEST (suite, cmd_interface_system_test_issue_request_null);
|
||||
SUITE_ADD_TEST (suite, cmd_interface_system_test_issue_request_invalid_request);
|
||||
SUITE_ADD_TEST (suite, cmd_interface_system_test_issue_get_device_capabilities);
|
||||
SUITE_ADD_TEST (suite, cmd_interface_system_test_issue_get_device_capabilities_buf_too_small);
|
||||
|
|
|
|||
|
|
@ -12,6 +12,7 @@
|
|||
#include "mock/keystore_mock.h"
|
||||
#include "engines/x509_testing_engine.h"
|
||||
#include "engines/rsa_testing_engine.h"
|
||||
#include "engines/ecc_testing_engine.h"
|
||||
#include "riot_core_testing.h"
|
||||
#include "mock/recovery_image_manager_mock.h"
|
||||
|
||||
|
|
@ -25,6 +26,7 @@ static const char *SUITE = "config_reset";
|
|||
struct config_reset_testing_keys {
|
||||
X509_TESTING_ENGINE x509; /**< X.509 engine for RIoT certificates. */
|
||||
RSA_TESTING_ENGINE rsa; /**< RSA engine for auxiliary attestation. */
|
||||
ECC_TESTING_ENGINE ecc; /**< ECC engine for auxiliary attestation. */
|
||||
struct keystore_mock riot_keystore; /**< Keystore for RIoT keys. */
|
||||
struct riot_key_manager riot; /**< RIoT keys. */
|
||||
struct keystore_mock aux_keystore; /**< Keystore for attestation keys. */
|
||||
|
|
@ -63,6 +65,9 @@ static void config_reset_testing_init_attestation_keys (CuTest *test,
|
|||
status = RSA_TESTING_ENGINE_INIT (&keys->rsa);
|
||||
CuAssertIntEquals (test, 0, status);
|
||||
|
||||
status = ECC_TESTING_ENGINE_INIT (&keys->ecc);
|
||||
CuAssertIntEquals (test, 0, status);
|
||||
|
||||
status = keystore_mock_init (&keys->riot_keystore);
|
||||
CuAssertIntEquals (test, 0, status);
|
||||
|
||||
|
|
@ -80,7 +85,8 @@ static void config_reset_testing_init_attestation_keys (CuTest *test,
|
|||
&keys->x509.base);
|
||||
CuAssertIntEquals (test, 0, status);
|
||||
|
||||
status = aux_attestation_init (&keys->aux, &keys->aux_keystore.base, &keys->rsa.base);
|
||||
status = aux_attestation_init (&keys->aux, &keys->aux_keystore.base, &keys->rsa.base,
|
||||
&keys->riot, &keys->ecc.base);
|
||||
CuAssertIntEquals (test, 0, status);
|
||||
|
||||
status = mock_validate (&keys->riot_keystore.mock);
|
||||
|
|
@ -112,6 +118,7 @@ static void config_reset_testing_release_attestation_keys (CuTest *test,
|
|||
|
||||
X509_TESTING_ENGINE_RELEASE (&keys->x509);
|
||||
RSA_TESTING_ENGINE_RELEASE (&keys->rsa);
|
||||
ECC_TESTING_ENGINE_RELEASE (&keys->ecc);
|
||||
}
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -0,0 +1,39 @@
|
|||
-----BEGIN RSA PRIVATE KEY-----
|
||||
MIIG5AIBAAKCAYEAw79NCAgl6qpyN83jCAHxYhJzNf9IcnUX+unKpS8RgxNkf4+e
|
||||
AeXEXojYxLV5YQZM7rg137lPdQ5hrNY9fyprbsAnqzxsrFD0G0evNh4QP0SNniPT
|
||||
EvbQJ6kuzoCh4udF4x7T5NSsfRyXDYOdkemxj8L1VB/85gzPBbFFvyYDpZfTJKuf
|
||||
/C/B2rQD4Q+DK8/rbWjVpZzi+hjDc15K9wNpWK0LTBuU+GgXo/u8aM5TjUzxvNzU
|
||||
7ovUytceuqt/Xm2SmfvmJorx7NkvQwFFYWfdXqwKxIdXzs4fc5CNlBj3f0TvTcGW
|
||||
FJ7Ycp8UOgzTCRaKf4dPprdFc7ws8YHltjz5OShRQGrAkdL6W3tGguQbyZoXXnFT
|
||||
LZQ8K40TsA1qC2wKDXyIz19ZWRIFWVnPKObNgbe7xKLF9m67D8QGwByuUzThb6u1
|
||||
7Wq0PomJeZmLBqn1/571Yk0z7fTpYe5ckieSHIBfjU4wMt876ZPY44RJe/td4JYL
|
||||
MTCP/FC7DkI2lFB1AgMBAAECggGASUaSeoA6WWcmzJcI9tVrW9AWSs9eemI08NuV
|
||||
3VIKVyvqQgosFv/BC7ZklvZsEpL+N5rDqBVBlksk60Njz/e8McBC2UoMUFEZoCCs
|
||||
iTCl2lk6Pkmg2QeFkmM1v13NvBfhRI0kuxOV4lvSe9+aG6YErxFHLw+uZxvCX5ol
|
||||
xtFfKhz0kFSi1g+2nL0oepaI/tydf95vo8hf+0lL2SMiIuenBuf4Q6xLjtXAi8VP
|
||||
mVgrVMjJ8W4lU4sKxEfVHAHY8ytGvmOMv29Jj2noIWLDL9mXKiH1FwU7x8eTeBPi
|
||||
VLe8UhWT9fWZ6uvgzSKe7NX5t/i/K6di6wyC1V6GXaVtFHmq/UXu6Rn1lwrjYCR0
|
||||
KRIhj8Qjr/cdBcp1psbVEysSecp3p1o6+W0hbigRSIts9Y5q2cB4HpcQg2iZgzFa
|
||||
iNUj6Tr8ovemAkRYitBjLGPO2VMCWho79WSNXjpJ3pff5LBFqigQAKrOYBDaDNew
|
||||
ml1GqMrfTkHweCAnYIpSnADfwijhAoHBAPeoniRTnSfL5r1Jtnv0+jIQXQQGg4r4
|
||||
bmcvnUOD/5Dnbz42ETOQvJNOgg6QSNNB+kPMqIsT0RhMLK0j6ZivSn+Aogm71FBL
|
||||
Z7yhfrB/eLchQkZ5JYVLPBRWHNNbVZucXHv10crjfR7/UJ3+f1ERKmn90eDweEzm
|
||||
qFi7oJqXtuskoeuBpoXZk6Bxv0XDBXQpNBhg5lEwEKTwFLALKPoV8Ywc2CJcjCaH
|
||||
g0zFpXQ3hPy9+dxLUgczSvD9e2qEyg7HzQKBwQDKVxau1I3fbS9cVU6xuaV/DZ2G
|
||||
oLW+INoNAEaYSj5buWvHsdZe1FK6hEvYGh9QwgzlKmT3hMxFzVrJyk1c4A0MD3fg
|
||||
eKdwCHXnPVOaRWNjjfKs8MUJrgF8iw+XxXto924wSM0UnXj/hye35TRDh4mxOybJ
|
||||
e2d2fj6F4BIkutA1hIv2hzEu7CSPbr6EiAxz5hgoPvH3vb6HJD0rqm4zfCH+jZnW
|
||||
lQfJW8d0RLysoI9Mj/C6+Tq5Lmm3O7dd1NJNs0kCgcEAzg59hbwMBhCg6t1p97jc
|
||||
cssqmS7SQ85wDWqQbpxlByuIYzqZFU5XmDi5/WQPM7axg7fEg/L5Bj5a7bPzqBYw
|
||||
5eUg7PharnQO2+OChVeKGNSTUA98KGtwkXsUgMZ9c/uk936QDz8325KSgOI/DDQ8
|
||||
FfQZrA5oCZPgffOerQGOMBdKoag95SAitFvvyRt6bivaLG5zMxnKv3EBxXeDoJCh
|
||||
aPKW4gAem/AkTrwj7Y5EGAX43lHM7jC/KcO96+KQO7wBAoHBAI1h1u6ohM2GfF5X
|
||||
GVqj7pjdiaGFcBh+2f3VoH5O+k2bPU1W3QR79aZwRJKmhhUm0l3ahpxRRW7Ms9Bm
|
||||
NDJeN5+iu0+03sIwlznRpzYXn//zMotW3UcLN+yvOmEBU18f7PV+GRZ7hg1+gelE
|
||||
FYXOEg8t1sdYHA423jcrP2I8yrlqeWX0RxCTXmR+rE7sxU7Ci0Sr3uUNxzCkyL1X
|
||||
JBODfDli9ghzL/Kp169NTEyPEDIeLcZn2XmFjcbDyjedOqmiSQKBwF/sDcJDMK+n
|
||||
XSM2ugcc1M7jNzzEPr8gqD6Of81uPg6XxFM8yATINs6kf227uAgOaW2gTOo7mu4/
|
||||
du7kxSEAxNFyvG3VojCyXlkgAgytwIKqREOi68eLO5eas9VRJdV2S8dEcHseHQeO
|
||||
peFbzBS9IEsbg5SkVVd5dT8OzuUwWowrg+tc6zJUHIW54vBF7oNsfxBubPx+7xSY
|
||||
jbWcpYCEPyuG9vrA4AEMlkeJbAxPbNhWEziQHX5WjrKj5TYyQr/R4g==
|
||||
-----END RSA PRIVATE KEY-----
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
-----BEGIN PUBLIC KEY-----
|
||||
MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAw79NCAgl6qpyN83jCAHx
|
||||
YhJzNf9IcnUX+unKpS8RgxNkf4+eAeXEXojYxLV5YQZM7rg137lPdQ5hrNY9fypr
|
||||
bsAnqzxsrFD0G0evNh4QP0SNniPTEvbQJ6kuzoCh4udF4x7T5NSsfRyXDYOdkemx
|
||||
j8L1VB/85gzPBbFFvyYDpZfTJKuf/C/B2rQD4Q+DK8/rbWjVpZzi+hjDc15K9wNp
|
||||
WK0LTBuU+GgXo/u8aM5TjUzxvNzU7ovUytceuqt/Xm2SmfvmJorx7NkvQwFFYWfd
|
||||
XqwKxIdXzs4fc5CNlBj3f0TvTcGWFJ7Ycp8UOgzTCRaKf4dPprdFc7ws8YHltjz5
|
||||
OShRQGrAkdL6W3tGguQbyZoXXnFTLZQ8K40TsA1qC2wKDXyIz19ZWRIFWVnPKObN
|
||||
gbe7xKLF9m67D8QGwByuUzThb6u17Wq0PomJeZmLBqn1/571Yk0z7fTpYe5ckieS
|
||||
HIBfjU4wMt876ZPY44RJe/td4JYLMTCP/FC7DkI2lFB1AgMBAAE=
|
||||
-----END PUBLIC KEY-----
|
||||
|
|
@ -301,7 +301,7 @@ static void mctp_interface_control_test_process_get_vendor_def_msg_support (CuTe
|
|||
CuAssertIntEquals (test, 0, response->vid_set_selector);
|
||||
CuAssertIntEquals (test, 0, response->vid_format);
|
||||
CuAssertIntEquals (test, 0x1414, response->vid);
|
||||
CuAssertIntEquals (test, 0x200, response->protocol_version);
|
||||
CuAssertIntEquals (test, 0x0300, response->protocol_version);
|
||||
CuAssertIntEquals (test, false, request.new_request);
|
||||
CuAssertIntEquals (test, false, request.crypto_timeout);
|
||||
|
||||
|
|
@ -380,7 +380,7 @@ static void mctp_interface_control_test_process_get_vendor_def_msg_support_vid_e
|
|||
CuAssertIntEquals (test, 0, response->vid_set_selector);
|
||||
CuAssertIntEquals (test, 0, response->vid_format);
|
||||
CuAssertIntEquals (test, 0xFF00, response->vid);
|
||||
CuAssertIntEquals (test, 0x200, response->protocol_version);
|
||||
CuAssertIntEquals (test, 0x0300, response->protocol_version);
|
||||
CuAssertIntEquals (test, false, request.new_request);
|
||||
CuAssertIntEquals (test, false, request.crypto_timeout);
|
||||
|
||||
|
|
|
|||
|
|
@ -46,9 +46,11 @@ static int attestation_slave_mock_challenge_response (struct attestation_slave *
|
|||
}
|
||||
|
||||
static int attestation_slave_mock_aux_attestation_unseal (struct attestation_slave *attestation,
|
||||
struct hash_engine *hash, const uint8_t *seed, size_t seed_length, const uint8_t *hmac,
|
||||
const uint8_t *ciphertext, size_t cipher_length, const uint8_t *sealing, uint8_t *key,
|
||||
size_t key_length, uint8_t platform_pcr)
|
||||
struct hash_engine *hash, enum aux_attestation_key_length key_type, const uint8_t *seed,
|
||||
size_t seed_length, enum aux_attestation_seed_type seed_type,
|
||||
enum aux_attestation_seed_padding seed_padding, const uint8_t *hmac, enum hmac_hash hmac_type,
|
||||
const uint8_t *ciphertext, size_t cipher_length, const uint8_t sealing[][64], size_t pcr_count,
|
||||
uint8_t *key, size_t key_length)
|
||||
{
|
||||
struct attestation_slave_mock *mock = (struct attestation_slave_mock*) attestation;
|
||||
|
||||
|
|
@ -57,10 +59,11 @@ static int attestation_slave_mock_aux_attestation_unseal (struct attestation_sla
|
|||
}
|
||||
|
||||
MOCK_RETURN (&mock->mock, attestation_slave_mock_aux_attestation_unseal, attestation,
|
||||
MOCK_ARG_CALL (hash), MOCK_ARG_CALL (seed), MOCK_ARG_CALL (seed_length),
|
||||
MOCK_ARG_CALL (hmac), MOCK_ARG_CALL (ciphertext), MOCK_ARG_CALL (cipher_length),
|
||||
MOCK_ARG_CALL (sealing), MOCK_ARG_CALL (key), MOCK_ARG_CALL (key_length),
|
||||
MOCK_ARG_CALL (platform_pcr));
|
||||
MOCK_ARG_CALL (hash), MOCK_ARG_CALL (key_type), MOCK_ARG_CALL (seed),
|
||||
MOCK_ARG_CALL (seed_length), MOCK_ARG_CALL (seed_type), MOCK_ARG_CALL (seed_padding),
|
||||
MOCK_ARG_CALL (hmac), MOCK_ARG_CALL (hmac_type), MOCK_ARG_CALL (ciphertext),
|
||||
MOCK_ARG_CALL (cipher_length), MOCK_ARG_CALL (sealing), MOCK_ARG_CALL (pcr_count),
|
||||
MOCK_ARG_CALL (key), MOCK_ARG_CALL (key_length));
|
||||
}
|
||||
|
||||
static int attestation_slave_mock_aux_decrypt (struct attestation_slave *attestation,
|
||||
|
|
@ -82,7 +85,7 @@ static int attestation_slave_mock_aux_decrypt (struct attestation_slave *attesta
|
|||
static int attestation_slave_mock_func_arg_count (void *func)
|
||||
{
|
||||
if (func == attestation_slave_mock_aux_attestation_unseal) {
|
||||
return 10;
|
||||
return 14;
|
||||
}
|
||||
else if (func == attestation_slave_mock_aux_decrypt) {
|
||||
return 7;
|
||||
|
|
@ -171,31 +174,43 @@ static const char* attestation_slave_mock_arg_name_map (void *func, int arg)
|
|||
return "hash";
|
||||
|
||||
case 1:
|
||||
return "seed";
|
||||
return "key_type";
|
||||
|
||||
case 2:
|
||||
return "seed_length";
|
||||
return "seed";
|
||||
|
||||
case 3:
|
||||
return "hmac";
|
||||
return "seed_length";
|
||||
|
||||
case 4:
|
||||
return "ciphertext";
|
||||
return "seed_type";
|
||||
|
||||
case 5:
|
||||
return "cipher_length";
|
||||
return "seed_padding";
|
||||
|
||||
case 6:
|
||||
return "sealing";
|
||||
return "hmac";
|
||||
|
||||
case 7:
|
||||
return "key";
|
||||
return "hmac_type";
|
||||
|
||||
case 8:
|
||||
return "key_length";
|
||||
return "ciphertext";
|
||||
|
||||
case 9:
|
||||
return "platform_pcr";
|
||||
return "cipher_length";
|
||||
|
||||
case 10:
|
||||
return "sealing";
|
||||
|
||||
case 11:
|
||||
return "pcr_count";
|
||||
|
||||
case 12:
|
||||
return "key";
|
||||
|
||||
case 13:
|
||||
return "key_length";
|
||||
|
||||
default:
|
||||
return "unknown";
|
||||
|
|
|
|||
|
|
@ -7,9 +7,8 @@
|
|||
#include "cmd_background_mock.h"
|
||||
|
||||
|
||||
static int cmd_background_mock_unseal_start (struct cmd_background *cmd, const uint8_t *seed,
|
||||
size_t seed_length, const uint8_t *hmac, const uint8_t *ciphertext, size_t cipher_length,
|
||||
const uint8_t *sealing, uint8_t platform_pcr)
|
||||
static int cmd_background_mock_unseal_start (struct cmd_background *cmd,
|
||||
const uint8_t *unseal_request, size_t length)
|
||||
{
|
||||
struct cmd_background_mock *mock = (struct cmd_background_mock*) cmd;
|
||||
|
||||
|
|
@ -17,9 +16,8 @@ static int cmd_background_mock_unseal_start (struct cmd_background *cmd, const u
|
|||
return MOCK_INVALID_ARGUMENT;
|
||||
}
|
||||
|
||||
MOCK_RETURN (&mock->mock, cmd_background_mock_unseal_start, cmd, MOCK_ARG_CALL (seed),
|
||||
MOCK_ARG_CALL (seed_length), MOCK_ARG_CALL (hmac), MOCK_ARG_CALL (ciphertext),
|
||||
MOCK_ARG_CALL (cipher_length), MOCK_ARG_CALL (sealing), MOCK_ARG_CALL (platform_pcr));
|
||||
MOCK_RETURN (&mock->mock, cmd_background_mock_unseal_start, cmd, MOCK_ARG_CALL (unseal_request),
|
||||
MOCK_ARG_CALL (length));
|
||||
}
|
||||
|
||||
static int cmd_background_mock_unseal_result (struct cmd_background *cmd, uint8_t *key,
|
||||
|
|
@ -114,12 +112,12 @@ static int cmd_background_mock_get_riot_cert_chain_state (struct cmd_background
|
|||
|
||||
static int cmd_background_mock_func_arg_count (void *func)
|
||||
{
|
||||
if (func == cmd_background_mock_unseal_start) {
|
||||
return 7;
|
||||
}
|
||||
else if (func == cmd_background_mock_unseal_result) {
|
||||
if (func == cmd_background_mock_unseal_result) {
|
||||
return 3;
|
||||
}
|
||||
else if (func == cmd_background_mock_unseal_start) {
|
||||
return 2;
|
||||
}
|
||||
else {
|
||||
return 0;
|
||||
}
|
||||
|
|
@ -164,25 +162,10 @@ static const char* cmd_background_mock_arg_name_map (void *func, int arg)
|
|||
if (func == cmd_background_mock_unseal_start) {
|
||||
switch (arg) {
|
||||
case 0:
|
||||
return "seed";
|
||||
return "unseal_request";
|
||||
|
||||
case 1:
|
||||
return "seed_length";
|
||||
|
||||
case 2:
|
||||
return "hmac";
|
||||
|
||||
case 3:
|
||||
return "ciphertext";
|
||||
|
||||
case 4:
|
||||
return "cipher_length";
|
||||
|
||||
case 5:
|
||||
return "sealing";
|
||||
|
||||
case 6:
|
||||
return "platform_pcr";
|
||||
return "length";
|
||||
}
|
||||
}
|
||||
else if (func == cmd_background_mock_unseal_result) {
|
||||
|
|
|
|||
|
|
@ -158,7 +158,7 @@ static int ecc_mock_compute_shared_secret (struct ecc_engine *engine,
|
|||
return MOCK_INVALID_ARGUMENT;
|
||||
}
|
||||
|
||||
MOCK_RETURN (&mock->mock, ecc_mock_verify, engine, MOCK_ARG_CALL (priv_key),
|
||||
MOCK_RETURN (&mock->mock, ecc_mock_compute_shared_secret, engine, MOCK_ARG_CALL (priv_key),
|
||||
MOCK_ARG_CALL (pub_key), MOCK_ARG_CALL (secret), MOCK_ARG_CALL (length));
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -1123,6 +1123,243 @@ const uint8_t RSA_SIGNATURE3_BAD[] = {
|
|||
0x65,0xa5,0xb3,0x24,0xa2,0x50,0x64,0x95,0x63,0xbb,0x78,0xed,0x81,0xfa,0x95,0xad
|
||||
};
|
||||
|
||||
#if (RSA_MAX_KEY_LENGTH >= RSA_KEY_LENGTH_3K)
|
||||
const struct rsa_public_key RSA3K_PUBLIC_KEY = {
|
||||
.modulus = {
|
||||
0xc3,0xbf,0x4d,0x08,0x08,0x25,0xea,0xaa,0x72,0x37,0xcd,0xe3,0x08,0x01,0xf1,0x62,
|
||||
0x12,0x73,0x35,0xff,0x48,0x72,0x75,0x17,0xfa,0xe9,0xca,0xa5,0x2f,0x11,0x83,0x13,
|
||||
0x64,0x7f,0x8f,0x9e,0x01,0xe5,0xc4,0x5e,0x88,0xd8,0xc4,0xb5,0x79,0x61,0x06,0x4c,
|
||||
0xee,0xb8,0x35,0xdf,0xb9,0x4f,0x75,0x0e,0x61,0xac,0xd6,0x3d,0x7f,0x2a,0x6b,0x6e,
|
||||
0xc0,0x27,0xab,0x3c,0x6c,0xac,0x50,0xf4,0x1b,0x47,0xaf,0x36,0x1e,0x10,0x3f,0x44,
|
||||
0x8d,0x9e,0x23,0xd3,0x12,0xf6,0xd0,0x27,0xa9,0x2e,0xce,0x80,0xa1,0xe2,0xe7,0x45,
|
||||
0xe3,0x1e,0xd3,0xe4,0xd4,0xac,0x7d,0x1c,0x97,0x0d,0x83,0x9d,0x91,0xe9,0xb1,0x8f,
|
||||
0xc2,0xf5,0x54,0x1f,0xfc,0xe6,0x0c,0xcf,0x05,0xb1,0x45,0xbf,0x26,0x03,0xa5,0x97,
|
||||
0xd3,0x24,0xab,0x9f,0xfc,0x2f,0xc1,0xda,0xb4,0x03,0xe1,0x0f,0x83,0x2b,0xcf,0xeb,
|
||||
0x6d,0x68,0xd5,0xa5,0x9c,0xe2,0xfa,0x18,0xc3,0x73,0x5e,0x4a,0xf7,0x03,0x69,0x58,
|
||||
0xad,0x0b,0x4c,0x1b,0x94,0xf8,0x68,0x17,0xa3,0xfb,0xbc,0x68,0xce,0x53,0x8d,0x4c,
|
||||
0xf1,0xbc,0xdc,0xd4,0xee,0x8b,0xd4,0xca,0xd7,0x1e,0xba,0xab,0x7f,0x5e,0x6d,0x92,
|
||||
0x99,0xfb,0xe6,0x26,0x8a,0xf1,0xec,0xd9,0x2f,0x43,0x01,0x45,0x61,0x67,0xdd,0x5e,
|
||||
0xac,0x0a,0xc4,0x87,0x57,0xce,0xce,0x1f,0x73,0x90,0x8d,0x94,0x18,0xf7,0x7f,0x44,
|
||||
0xef,0x4d,0xc1,0x96,0x14,0x9e,0xd8,0x72,0x9f,0x14,0x3a,0x0c,0xd3,0x09,0x16,0x8a,
|
||||
0x7f,0x87,0x4f,0xa6,0xb7,0x45,0x73,0xbc,0x2c,0xf1,0x81,0xe5,0xb6,0x3c,0xf9,0x39,
|
||||
0x28,0x51,0x40,0x6a,0xc0,0x91,0xd2,0xfa,0x5b,0x7b,0x46,0x82,0xe4,0x1b,0xc9,0x9a,
|
||||
0x17,0x5e,0x71,0x53,0x2d,0x94,0x3c,0x2b,0x8d,0x13,0xb0,0x0d,0x6a,0x0b,0x6c,0x0a,
|
||||
0x0d,0x7c,0x88,0xcf,0x5f,0x59,0x59,0x12,0x05,0x59,0x59,0xcf,0x28,0xe6,0xcd,0x81,
|
||||
0xb7,0xbb,0xc4,0xa2,0xc5,0xf6,0x6e,0xbb,0x0f,0xc4,0x06,0xc0,0x1c,0xae,0x53,0x34,
|
||||
0xe1,0x6f,0xab,0xb5,0xed,0x6a,0xb4,0x3e,0x89,0x89,0x79,0x99,0x8b,0x06,0xa9,0xf5,
|
||||
0xff,0x9e,0xf5,0x62,0x4d,0x33,0xed,0xf4,0xe9,0x61,0xee,0x5c,0x92,0x27,0x92,0x1c,
|
||||
0x80,0x5f,0x8d,0x4e,0x30,0x32,0xdf,0x3b,0xe9,0x93,0xd8,0xe3,0x84,0x49,0x7b,0xfb,
|
||||
0x5d,0xe0,0x96,0x0b,0x31,0x30,0x8f,0xfc,0x50,0xbb,0x0e,0x42,0x36,0x94,0x50,0x75
|
||||
},
|
||||
.mod_length = 384,
|
||||
.exponent = 65537
|
||||
};
|
||||
#endif
|
||||
|
||||
const char RSA3K_PUBKEY_PEM[] = "-----BEGIN PUBLIC KEY-----\n"
|
||||
"MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAw79NCAgl6qpyN83jCAHx"
|
||||
"YhJzNf9IcnUX+unKpS8RgxNkf4+eAeXEXojYxLV5YQZM7rg137lPdQ5hrNY9fypr"
|
||||
"bsAnqzxsrFD0G0evNh4QP0SNniPTEvbQJ6kuzoCh4udF4x7T5NSsfRyXDYOdkemx"
|
||||
"j8L1VB/85gzPBbFFvyYDpZfTJKuf/C/B2rQD4Q+DK8/rbWjVpZzi+hjDc15K9wNp"
|
||||
"WK0LTBuU+GgXo/u8aM5TjUzxvNzU7ovUytceuqt/Xm2SmfvmJorx7NkvQwFFYWfd"
|
||||
"XqwKxIdXzs4fc5CNlBj3f0TvTcGWFJ7Ycp8UOgzTCRaKf4dPprdFc7ws8YHltjz5"
|
||||
"OShRQGrAkdL6W3tGguQbyZoXXnFTLZQ8K40TsA1qC2wKDXyIz19ZWRIFWVnPKObN"
|
||||
"gbe7xKLF9m67D8QGwByuUzThb6u17Wq0PomJeZmLBqn1/571Yk0z7fTpYe5ckieS"
|
||||
"HIBfjU4wMt876ZPY44RJe/td4JYLMTCP/FC7DkI2lFB1AgMBAAE=\n"
|
||||
"-----END PUBLIC KEY-----\n";
|
||||
|
||||
const size_t RSA3K_PUBKEY_PEM_LEN = sizeof (RSA3K_PUBKEY_PEM);
|
||||
|
||||
const uint8_t RSA3K_PUBKEY_DER[] = {
|
||||
0x30,0x82,0x01,0xa2,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,
|
||||
0x01,0x05,0x00,0x03,0x82,0x01,0x8f,0x00,0x30,0x82,0x01,0x8a,0x02,0x82,0x01,0x81,
|
||||
0x00,0xc3,0xbf,0x4d,0x08,0x08,0x25,0xea,0xaa,0x72,0x37,0xcd,0xe3,0x08,0x01,0xf1,
|
||||
0x62,0x12,0x73,0x35,0xff,0x48,0x72,0x75,0x17,0xfa,0xe9,0xca,0xa5,0x2f,0x11,0x83,
|
||||
0x13,0x64,0x7f,0x8f,0x9e,0x01,0xe5,0xc4,0x5e,0x88,0xd8,0xc4,0xb5,0x79,0x61,0x06,
|
||||
0x4c,0xee,0xb8,0x35,0xdf,0xb9,0x4f,0x75,0x0e,0x61,0xac,0xd6,0x3d,0x7f,0x2a,0x6b,
|
||||
0x6e,0xc0,0x27,0xab,0x3c,0x6c,0xac,0x50,0xf4,0x1b,0x47,0xaf,0x36,0x1e,0x10,0x3f,
|
||||
0x44,0x8d,0x9e,0x23,0xd3,0x12,0xf6,0xd0,0x27,0xa9,0x2e,0xce,0x80,0xa1,0xe2,0xe7,
|
||||
0x45,0xe3,0x1e,0xd3,0xe4,0xd4,0xac,0x7d,0x1c,0x97,0x0d,0x83,0x9d,0x91,0xe9,0xb1,
|
||||
0x8f,0xc2,0xf5,0x54,0x1f,0xfc,0xe6,0x0c,0xcf,0x05,0xb1,0x45,0xbf,0x26,0x03,0xa5,
|
||||
0x97,0xd3,0x24,0xab,0x9f,0xfc,0x2f,0xc1,0xda,0xb4,0x03,0xe1,0x0f,0x83,0x2b,0xcf,
|
||||
0xeb,0x6d,0x68,0xd5,0xa5,0x9c,0xe2,0xfa,0x18,0xc3,0x73,0x5e,0x4a,0xf7,0x03,0x69,
|
||||
0x58,0xad,0x0b,0x4c,0x1b,0x94,0xf8,0x68,0x17,0xa3,0xfb,0xbc,0x68,0xce,0x53,0x8d,
|
||||
0x4c,0xf1,0xbc,0xdc,0xd4,0xee,0x8b,0xd4,0xca,0xd7,0x1e,0xba,0xab,0x7f,0x5e,0x6d,
|
||||
0x92,0x99,0xfb,0xe6,0x26,0x8a,0xf1,0xec,0xd9,0x2f,0x43,0x01,0x45,0x61,0x67,0xdd,
|
||||
0x5e,0xac,0x0a,0xc4,0x87,0x57,0xce,0xce,0x1f,0x73,0x90,0x8d,0x94,0x18,0xf7,0x7f,
|
||||
0x44,0xef,0x4d,0xc1,0x96,0x14,0x9e,0xd8,0x72,0x9f,0x14,0x3a,0x0c,0xd3,0x09,0x16,
|
||||
0x8a,0x7f,0x87,0x4f,0xa6,0xb7,0x45,0x73,0xbc,0x2c,0xf1,0x81,0xe5,0xb6,0x3c,0xf9,
|
||||
0x39,0x28,0x51,0x40,0x6a,0xc0,0x91,0xd2,0xfa,0x5b,0x7b,0x46,0x82,0xe4,0x1b,0xc9,
|
||||
0x9a,0x17,0x5e,0x71,0x53,0x2d,0x94,0x3c,0x2b,0x8d,0x13,0xb0,0x0d,0x6a,0x0b,0x6c,
|
||||
0x0a,0x0d,0x7c,0x88,0xcf,0x5f,0x59,0x59,0x12,0x05,0x59,0x59,0xcf,0x28,0xe6,0xcd,
|
||||
0x81,0xb7,0xbb,0xc4,0xa2,0xc5,0xf6,0x6e,0xbb,0x0f,0xc4,0x06,0xc0,0x1c,0xae,0x53,
|
||||
0x34,0xe1,0x6f,0xab,0xb5,0xed,0x6a,0xb4,0x3e,0x89,0x89,0x79,0x99,0x8b,0x06,0xa9,
|
||||
0xf5,0xff,0x9e,0xf5,0x62,0x4d,0x33,0xed,0xf4,0xe9,0x61,0xee,0x5c,0x92,0x27,0x92,
|
||||
0x1c,0x80,0x5f,0x8d,0x4e,0x30,0x32,0xdf,0x3b,0xe9,0x93,0xd8,0xe3,0x84,0x49,0x7b,
|
||||
0xfb,0x5d,0xe0,0x96,0x0b,0x31,0x30,0x8f,0xfc,0x50,0xbb,0x0e,0x42,0x36,0x94,0x50,
|
||||
0x75,0x02,0x03,0x01,0x00,0x01
|
||||
};
|
||||
|
||||
const size_t RSA3K_PUBKEY_DER_LEN = sizeof (RSA3K_PUBKEY_DER);
|
||||
|
||||
const char RSA3K_PRIVKEY_PEM[] = "-----BEGIN RSA PRIVATE KEY-----\n"
|
||||
"MIIG5AIBAAKCAYEAw79NCAgl6qpyN83jCAHxYhJzNf9IcnUX+unKpS8RgxNkf4+e"
|
||||
"AeXEXojYxLV5YQZM7rg137lPdQ5hrNY9fyprbsAnqzxsrFD0G0evNh4QP0SNniPT"
|
||||
"EvbQJ6kuzoCh4udF4x7T5NSsfRyXDYOdkemxj8L1VB/85gzPBbFFvyYDpZfTJKuf"
|
||||
"/C/B2rQD4Q+DK8/rbWjVpZzi+hjDc15K9wNpWK0LTBuU+GgXo/u8aM5TjUzxvNzU"
|
||||
"7ovUytceuqt/Xm2SmfvmJorx7NkvQwFFYWfdXqwKxIdXzs4fc5CNlBj3f0TvTcGW"
|
||||
"FJ7Ycp8UOgzTCRaKf4dPprdFc7ws8YHltjz5OShRQGrAkdL6W3tGguQbyZoXXnFT"
|
||||
"LZQ8K40TsA1qC2wKDXyIz19ZWRIFWVnPKObNgbe7xKLF9m67D8QGwByuUzThb6u1"
|
||||
"7Wq0PomJeZmLBqn1/571Yk0z7fTpYe5ckieSHIBfjU4wMt876ZPY44RJe/td4JYL"
|
||||
"MTCP/FC7DkI2lFB1AgMBAAECggGASUaSeoA6WWcmzJcI9tVrW9AWSs9eemI08NuV"
|
||||
"3VIKVyvqQgosFv/BC7ZklvZsEpL+N5rDqBVBlksk60Njz/e8McBC2UoMUFEZoCCs"
|
||||
"iTCl2lk6Pkmg2QeFkmM1v13NvBfhRI0kuxOV4lvSe9+aG6YErxFHLw+uZxvCX5ol"
|
||||
"xtFfKhz0kFSi1g+2nL0oepaI/tydf95vo8hf+0lL2SMiIuenBuf4Q6xLjtXAi8VP"
|
||||
"mVgrVMjJ8W4lU4sKxEfVHAHY8ytGvmOMv29Jj2noIWLDL9mXKiH1FwU7x8eTeBPi"
|
||||
"VLe8UhWT9fWZ6uvgzSKe7NX5t/i/K6di6wyC1V6GXaVtFHmq/UXu6Rn1lwrjYCR0"
|
||||
"KRIhj8Qjr/cdBcp1psbVEysSecp3p1o6+W0hbigRSIts9Y5q2cB4HpcQg2iZgzFa"
|
||||
"iNUj6Tr8ovemAkRYitBjLGPO2VMCWho79WSNXjpJ3pff5LBFqigQAKrOYBDaDNew"
|
||||
"ml1GqMrfTkHweCAnYIpSnADfwijhAoHBAPeoniRTnSfL5r1Jtnv0+jIQXQQGg4r4"
|
||||
"bmcvnUOD/5Dnbz42ETOQvJNOgg6QSNNB+kPMqIsT0RhMLK0j6ZivSn+Aogm71FBL"
|
||||
"Z7yhfrB/eLchQkZ5JYVLPBRWHNNbVZucXHv10crjfR7/UJ3+f1ERKmn90eDweEzm"
|
||||
"qFi7oJqXtuskoeuBpoXZk6Bxv0XDBXQpNBhg5lEwEKTwFLALKPoV8Ywc2CJcjCaH"
|
||||
"g0zFpXQ3hPy9+dxLUgczSvD9e2qEyg7HzQKBwQDKVxau1I3fbS9cVU6xuaV/DZ2G"
|
||||
"oLW+INoNAEaYSj5buWvHsdZe1FK6hEvYGh9QwgzlKmT3hMxFzVrJyk1c4A0MD3fg"
|
||||
"eKdwCHXnPVOaRWNjjfKs8MUJrgF8iw+XxXto924wSM0UnXj/hye35TRDh4mxOybJ"
|
||||
"e2d2fj6F4BIkutA1hIv2hzEu7CSPbr6EiAxz5hgoPvH3vb6HJD0rqm4zfCH+jZnW"
|
||||
"lQfJW8d0RLysoI9Mj/C6+Tq5Lmm3O7dd1NJNs0kCgcEAzg59hbwMBhCg6t1p97jc"
|
||||
"cssqmS7SQ85wDWqQbpxlByuIYzqZFU5XmDi5/WQPM7axg7fEg/L5Bj5a7bPzqBYw"
|
||||
"5eUg7PharnQO2+OChVeKGNSTUA98KGtwkXsUgMZ9c/uk936QDz8325KSgOI/DDQ8"
|
||||
"FfQZrA5oCZPgffOerQGOMBdKoag95SAitFvvyRt6bivaLG5zMxnKv3EBxXeDoJCh"
|
||||
"aPKW4gAem/AkTrwj7Y5EGAX43lHM7jC/KcO96+KQO7wBAoHBAI1h1u6ohM2GfF5X"
|
||||
"GVqj7pjdiaGFcBh+2f3VoH5O+k2bPU1W3QR79aZwRJKmhhUm0l3ahpxRRW7Ms9Bm"
|
||||
"NDJeN5+iu0+03sIwlznRpzYXn//zMotW3UcLN+yvOmEBU18f7PV+GRZ7hg1+gelE"
|
||||
"FYXOEg8t1sdYHA423jcrP2I8yrlqeWX0RxCTXmR+rE7sxU7Ci0Sr3uUNxzCkyL1X"
|
||||
"JBODfDli9ghzL/Kp169NTEyPEDIeLcZn2XmFjcbDyjedOqmiSQKBwF/sDcJDMK+n"
|
||||
"XSM2ugcc1M7jNzzEPr8gqD6Of81uPg6XxFM8yATINs6kf227uAgOaW2gTOo7mu4/"
|
||||
"du7kxSEAxNFyvG3VojCyXlkgAgytwIKqREOi68eLO5eas9VRJdV2S8dEcHseHQeO"
|
||||
"peFbzBS9IEsbg5SkVVd5dT8OzuUwWowrg+tc6zJUHIW54vBF7oNsfxBubPx+7xSY"
|
||||
"jbWcpYCEPyuG9vrA4AEMlkeJbAxPbNhWEziQHX5WjrKj5TYyQr/R4g==\n"
|
||||
"-----END RSA PRIVATE KEY-----\n";
|
||||
|
||||
const size_t RSA3K_PRIVKEY_PEM_LEN = sizeof (RSA3K_PRIVKEY_PEM);
|
||||
|
||||
const uint8_t RSA3K_PRIVKEY_DER[] = {
|
||||
0x30,0x82,0x06,0xe4,0x02,0x01,0x00,0x02,0x82,0x01,0x81,0x00,0xc3,0xbf,0x4d,0x08,
|
||||
0x08,0x25,0xea,0xaa,0x72,0x37,0xcd,0xe3,0x08,0x01,0xf1,0x62,0x12,0x73,0x35,0xff,
|
||||
0x48,0x72,0x75,0x17,0xfa,0xe9,0xca,0xa5,0x2f,0x11,0x83,0x13,0x64,0x7f,0x8f,0x9e,
|
||||
0x01,0xe5,0xc4,0x5e,0x88,0xd8,0xc4,0xb5,0x79,0x61,0x06,0x4c,0xee,0xb8,0x35,0xdf,
|
||||
0xb9,0x4f,0x75,0x0e,0x61,0xac,0xd6,0x3d,0x7f,0x2a,0x6b,0x6e,0xc0,0x27,0xab,0x3c,
|
||||
0x6c,0xac,0x50,0xf4,0x1b,0x47,0xaf,0x36,0x1e,0x10,0x3f,0x44,0x8d,0x9e,0x23,0xd3,
|
||||
0x12,0xf6,0xd0,0x27,0xa9,0x2e,0xce,0x80,0xa1,0xe2,0xe7,0x45,0xe3,0x1e,0xd3,0xe4,
|
||||
0xd4,0xac,0x7d,0x1c,0x97,0x0d,0x83,0x9d,0x91,0xe9,0xb1,0x8f,0xc2,0xf5,0x54,0x1f,
|
||||
0xfc,0xe6,0x0c,0xcf,0x05,0xb1,0x45,0xbf,0x26,0x03,0xa5,0x97,0xd3,0x24,0xab,0x9f,
|
||||
0xfc,0x2f,0xc1,0xda,0xb4,0x03,0xe1,0x0f,0x83,0x2b,0xcf,0xeb,0x6d,0x68,0xd5,0xa5,
|
||||
0x9c,0xe2,0xfa,0x18,0xc3,0x73,0x5e,0x4a,0xf7,0x03,0x69,0x58,0xad,0x0b,0x4c,0x1b,
|
||||
0x94,0xf8,0x68,0x17,0xa3,0xfb,0xbc,0x68,0xce,0x53,0x8d,0x4c,0xf1,0xbc,0xdc,0xd4,
|
||||
0xee,0x8b,0xd4,0xca,0xd7,0x1e,0xba,0xab,0x7f,0x5e,0x6d,0x92,0x99,0xfb,0xe6,0x26,
|
||||
0x8a,0xf1,0xec,0xd9,0x2f,0x43,0x01,0x45,0x61,0x67,0xdd,0x5e,0xac,0x0a,0xc4,0x87,
|
||||
0x57,0xce,0xce,0x1f,0x73,0x90,0x8d,0x94,0x18,0xf7,0x7f,0x44,0xef,0x4d,0xc1,0x96,
|
||||
0x14,0x9e,0xd8,0x72,0x9f,0x14,0x3a,0x0c,0xd3,0x09,0x16,0x8a,0x7f,0x87,0x4f,0xa6,
|
||||
0xb7,0x45,0x73,0xbc,0x2c,0xf1,0x81,0xe5,0xb6,0x3c,0xf9,0x39,0x28,0x51,0x40,0x6a,
|
||||
0xc0,0x91,0xd2,0xfa,0x5b,0x7b,0x46,0x82,0xe4,0x1b,0xc9,0x9a,0x17,0x5e,0x71,0x53,
|
||||
0x2d,0x94,0x3c,0x2b,0x8d,0x13,0xb0,0x0d,0x6a,0x0b,0x6c,0x0a,0x0d,0x7c,0x88,0xcf,
|
||||
0x5f,0x59,0x59,0x12,0x05,0x59,0x59,0xcf,0x28,0xe6,0xcd,0x81,0xb7,0xbb,0xc4,0xa2,
|
||||
0xc5,0xf6,0x6e,0xbb,0x0f,0xc4,0x06,0xc0,0x1c,0xae,0x53,0x34,0xe1,0x6f,0xab,0xb5,
|
||||
0xed,0x6a,0xb4,0x3e,0x89,0x89,0x79,0x99,0x8b,0x06,0xa9,0xf5,0xff,0x9e,0xf5,0x62,
|
||||
0x4d,0x33,0xed,0xf4,0xe9,0x61,0xee,0x5c,0x92,0x27,0x92,0x1c,0x80,0x5f,0x8d,0x4e,
|
||||
0x30,0x32,0xdf,0x3b,0xe9,0x93,0xd8,0xe3,0x84,0x49,0x7b,0xfb,0x5d,0xe0,0x96,0x0b,
|
||||
0x31,0x30,0x8f,0xfc,0x50,0xbb,0x0e,0x42,0x36,0x94,0x50,0x75,0x02,0x03,0x01,0x00,
|
||||
0x01,0x02,0x82,0x01,0x80,0x49,0x46,0x92,0x7a,0x80,0x3a,0x59,0x67,0x26,0xcc,0x97,
|
||||
0x08,0xf6,0xd5,0x6b,0x5b,0xd0,0x16,0x4a,0xcf,0x5e,0x7a,0x62,0x34,0xf0,0xdb,0x95,
|
||||
0xdd,0x52,0x0a,0x57,0x2b,0xea,0x42,0x0a,0x2c,0x16,0xff,0xc1,0x0b,0xb6,0x64,0x96,
|
||||
0xf6,0x6c,0x12,0x92,0xfe,0x37,0x9a,0xc3,0xa8,0x15,0x41,0x96,0x4b,0x24,0xeb,0x43,
|
||||
0x63,0xcf,0xf7,0xbc,0x31,0xc0,0x42,0xd9,0x4a,0x0c,0x50,0x51,0x19,0xa0,0x20,0xac,
|
||||
0x89,0x30,0xa5,0xda,0x59,0x3a,0x3e,0x49,0xa0,0xd9,0x07,0x85,0x92,0x63,0x35,0xbf,
|
||||
0x5d,0xcd,0xbc,0x17,0xe1,0x44,0x8d,0x24,0xbb,0x13,0x95,0xe2,0x5b,0xd2,0x7b,0xdf,
|
||||
0x9a,0x1b,0xa6,0x04,0xaf,0x11,0x47,0x2f,0x0f,0xae,0x67,0x1b,0xc2,0x5f,0x9a,0x25,
|
||||
0xc6,0xd1,0x5f,0x2a,0x1c,0xf4,0x90,0x54,0xa2,0xd6,0x0f,0xb6,0x9c,0xbd,0x28,0x7a,
|
||||
0x96,0x88,0xfe,0xdc,0x9d,0x7f,0xde,0x6f,0xa3,0xc8,0x5f,0xfb,0x49,0x4b,0xd9,0x23,
|
||||
0x22,0x22,0xe7,0xa7,0x06,0xe7,0xf8,0x43,0xac,0x4b,0x8e,0xd5,0xc0,0x8b,0xc5,0x4f,
|
||||
0x99,0x58,0x2b,0x54,0xc8,0xc9,0xf1,0x6e,0x25,0x53,0x8b,0x0a,0xc4,0x47,0xd5,0x1c,
|
||||
0x01,0xd8,0xf3,0x2b,0x46,0xbe,0x63,0x8c,0xbf,0x6f,0x49,0x8f,0x69,0xe8,0x21,0x62,
|
||||
0xc3,0x2f,0xd9,0x97,0x2a,0x21,0xf5,0x17,0x05,0x3b,0xc7,0xc7,0x93,0x78,0x13,0xe2,
|
||||
0x54,0xb7,0xbc,0x52,0x15,0x93,0xf5,0xf5,0x99,0xea,0xeb,0xe0,0xcd,0x22,0x9e,0xec,
|
||||
0xd5,0xf9,0xb7,0xf8,0xbf,0x2b,0xa7,0x62,0xeb,0x0c,0x82,0xd5,0x5e,0x86,0x5d,0xa5,
|
||||
0x6d,0x14,0x79,0xaa,0xfd,0x45,0xee,0xe9,0x19,0xf5,0x97,0x0a,0xe3,0x60,0x24,0x74,
|
||||
0x29,0x12,0x21,0x8f,0xc4,0x23,0xaf,0xf7,0x1d,0x05,0xca,0x75,0xa6,0xc6,0xd5,0x13,
|
||||
0x2b,0x12,0x79,0xca,0x77,0xa7,0x5a,0x3a,0xf9,0x6d,0x21,0x6e,0x28,0x11,0x48,0x8b,
|
||||
0x6c,0xf5,0x8e,0x6a,0xd9,0xc0,0x78,0x1e,0x97,0x10,0x83,0x68,0x99,0x83,0x31,0x5a,
|
||||
0x88,0xd5,0x23,0xe9,0x3a,0xfc,0xa2,0xf7,0xa6,0x02,0x44,0x58,0x8a,0xd0,0x63,0x2c,
|
||||
0x63,0xce,0xd9,0x53,0x02,0x5a,0x1a,0x3b,0xf5,0x64,0x8d,0x5e,0x3a,0x49,0xde,0x97,
|
||||
0xdf,0xe4,0xb0,0x45,0xaa,0x28,0x10,0x00,0xaa,0xce,0x60,0x10,0xda,0x0c,0xd7,0xb0,
|
||||
0x9a,0x5d,0x46,0xa8,0xca,0xdf,0x4e,0x41,0xf0,0x78,0x20,0x27,0x60,0x8a,0x52,0x9c,
|
||||
0x00,0xdf,0xc2,0x28,0xe1,0x02,0x81,0xc1,0x00,0xf7,0xa8,0x9e,0x24,0x53,0x9d,0x27,
|
||||
0xcb,0xe6,0xbd,0x49,0xb6,0x7b,0xf4,0xfa,0x32,0x10,0x5d,0x04,0x06,0x83,0x8a,0xf8,
|
||||
0x6e,0x67,0x2f,0x9d,0x43,0x83,0xff,0x90,0xe7,0x6f,0x3e,0x36,0x11,0x33,0x90,0xbc,
|
||||
0x93,0x4e,0x82,0x0e,0x90,0x48,0xd3,0x41,0xfa,0x43,0xcc,0xa8,0x8b,0x13,0xd1,0x18,
|
||||
0x4c,0x2c,0xad,0x23,0xe9,0x98,0xaf,0x4a,0x7f,0x80,0xa2,0x09,0xbb,0xd4,0x50,0x4b,
|
||||
0x67,0xbc,0xa1,0x7e,0xb0,0x7f,0x78,0xb7,0x21,0x42,0x46,0x79,0x25,0x85,0x4b,0x3c,
|
||||
0x14,0x56,0x1c,0xd3,0x5b,0x55,0x9b,0x9c,0x5c,0x7b,0xf5,0xd1,0xca,0xe3,0x7d,0x1e,
|
||||
0xff,0x50,0x9d,0xfe,0x7f,0x51,0x11,0x2a,0x69,0xfd,0xd1,0xe0,0xf0,0x78,0x4c,0xe6,
|
||||
0xa8,0x58,0xbb,0xa0,0x9a,0x97,0xb6,0xeb,0x24,0xa1,0xeb,0x81,0xa6,0x85,0xd9,0x93,
|
||||
0xa0,0x71,0xbf,0x45,0xc3,0x05,0x74,0x29,0x34,0x18,0x60,0xe6,0x51,0x30,0x10,0xa4,
|
||||
0xf0,0x14,0xb0,0x0b,0x28,0xfa,0x15,0xf1,0x8c,0x1c,0xd8,0x22,0x5c,0x8c,0x26,0x87,
|
||||
0x83,0x4c,0xc5,0xa5,0x74,0x37,0x84,0xfc,0xbd,0xf9,0xdc,0x4b,0x52,0x07,0x33,0x4a,
|
||||
0xf0,0xfd,0x7b,0x6a,0x84,0xca,0x0e,0xc7,0xcd,0x02,0x81,0xc1,0x00,0xca,0x57,0x16,
|
||||
0xae,0xd4,0x8d,0xdf,0x6d,0x2f,0x5c,0x55,0x4e,0xb1,0xb9,0xa5,0x7f,0x0d,0x9d,0x86,
|
||||
0xa0,0xb5,0xbe,0x20,0xda,0x0d,0x00,0x46,0x98,0x4a,0x3e,0x5b,0xb9,0x6b,0xc7,0xb1,
|
||||
0xd6,0x5e,0xd4,0x52,0xba,0x84,0x4b,0xd8,0x1a,0x1f,0x50,0xc2,0x0c,0xe5,0x2a,0x64,
|
||||
0xf7,0x84,0xcc,0x45,0xcd,0x5a,0xc9,0xca,0x4d,0x5c,0xe0,0x0d,0x0c,0x0f,0x77,0xe0,
|
||||
0x78,0xa7,0x70,0x08,0x75,0xe7,0x3d,0x53,0x9a,0x45,0x63,0x63,0x8d,0xf2,0xac,0xf0,
|
||||
0xc5,0x09,0xae,0x01,0x7c,0x8b,0x0f,0x97,0xc5,0x7b,0x68,0xf7,0x6e,0x30,0x48,0xcd,
|
||||
0x14,0x9d,0x78,0xff,0x87,0x27,0xb7,0xe5,0x34,0x43,0x87,0x89,0xb1,0x3b,0x26,0xc9,
|
||||
0x7b,0x67,0x76,0x7e,0x3e,0x85,0xe0,0x12,0x24,0xba,0xd0,0x35,0x84,0x8b,0xf6,0x87,
|
||||
0x31,0x2e,0xec,0x24,0x8f,0x6e,0xbe,0x84,0x88,0x0c,0x73,0xe6,0x18,0x28,0x3e,0xf1,
|
||||
0xf7,0xbd,0xbe,0x87,0x24,0x3d,0x2b,0xaa,0x6e,0x33,0x7c,0x21,0xfe,0x8d,0x99,0xd6,
|
||||
0x95,0x07,0xc9,0x5b,0xc7,0x74,0x44,0xbc,0xac,0xa0,0x8f,0x4c,0x8f,0xf0,0xba,0xf9,
|
||||
0x3a,0xb9,0x2e,0x69,0xb7,0x3b,0xb7,0x5d,0xd4,0xd2,0x4d,0xb3,0x49,0x02,0x81,0xc1,
|
||||
0x00,0xce,0x0e,0x7d,0x85,0xbc,0x0c,0x06,0x10,0xa0,0xea,0xdd,0x69,0xf7,0xb8,0xdc,
|
||||
0x72,0xcb,0x2a,0x99,0x2e,0xd2,0x43,0xce,0x70,0x0d,0x6a,0x90,0x6e,0x9c,0x65,0x07,
|
||||
0x2b,0x88,0x63,0x3a,0x99,0x15,0x4e,0x57,0x98,0x38,0xb9,0xfd,0x64,0x0f,0x33,0xb6,
|
||||
0xb1,0x83,0xb7,0xc4,0x83,0xf2,0xf9,0x06,0x3e,0x5a,0xed,0xb3,0xf3,0xa8,0x16,0x30,
|
||||
0xe5,0xe5,0x20,0xec,0xf8,0x5a,0xae,0x74,0x0e,0xdb,0xe3,0x82,0x85,0x57,0x8a,0x18,
|
||||
0xd4,0x93,0x50,0x0f,0x7c,0x28,0x6b,0x70,0x91,0x7b,0x14,0x80,0xc6,0x7d,0x73,0xfb,
|
||||
0xa4,0xf7,0x7e,0x90,0x0f,0x3f,0x37,0xdb,0x92,0x92,0x80,0xe2,0x3f,0x0c,0x34,0x3c,
|
||||
0x15,0xf4,0x19,0xac,0x0e,0x68,0x09,0x93,0xe0,0x7d,0xf3,0x9e,0xad,0x01,0x8e,0x30,
|
||||
0x17,0x4a,0xa1,0xa8,0x3d,0xe5,0x20,0x22,0xb4,0x5b,0xef,0xc9,0x1b,0x7a,0x6e,0x2b,
|
||||
0xda,0x2c,0x6e,0x73,0x33,0x19,0xca,0xbf,0x71,0x01,0xc5,0x77,0x83,0xa0,0x90,0xa1,
|
||||
0x68,0xf2,0x96,0xe2,0x00,0x1e,0x9b,0xf0,0x24,0x4e,0xbc,0x23,0xed,0x8e,0x44,0x18,
|
||||
0x05,0xf8,0xde,0x51,0xcc,0xee,0x30,0xbf,0x29,0xc3,0xbd,0xeb,0xe2,0x90,0x3b,0xbc,
|
||||
0x01,0x02,0x81,0xc1,0x00,0x8d,0x61,0xd6,0xee,0xa8,0x84,0xcd,0x86,0x7c,0x5e,0x57,
|
||||
0x19,0x5a,0xa3,0xee,0x98,0xdd,0x89,0xa1,0x85,0x70,0x18,0x7e,0xd9,0xfd,0xd5,0xa0,
|
||||
0x7e,0x4e,0xfa,0x4d,0x9b,0x3d,0x4d,0x56,0xdd,0x04,0x7b,0xf5,0xa6,0x70,0x44,0x92,
|
||||
0xa6,0x86,0x15,0x26,0xd2,0x5d,0xda,0x86,0x9c,0x51,0x45,0x6e,0xcc,0xb3,0xd0,0x66,
|
||||
0x34,0x32,0x5e,0x37,0x9f,0xa2,0xbb,0x4f,0xb4,0xde,0xc2,0x30,0x97,0x39,0xd1,0xa7,
|
||||
0x36,0x17,0x9f,0xff,0xf3,0x32,0x8b,0x56,0xdd,0x47,0x0b,0x37,0xec,0xaf,0x3a,0x61,
|
||||
0x01,0x53,0x5f,0x1f,0xec,0xf5,0x7e,0x19,0x16,0x7b,0x86,0x0d,0x7e,0x81,0xe9,0x44,
|
||||
0x15,0x85,0xce,0x12,0x0f,0x2d,0xd6,0xc7,0x58,0x1c,0x0e,0x36,0xde,0x37,0x2b,0x3f,
|
||||
0x62,0x3c,0xca,0xb9,0x6a,0x79,0x65,0xf4,0x47,0x10,0x93,0x5e,0x64,0x7e,0xac,0x4e,
|
||||
0xec,0xc5,0x4e,0xc2,0x8b,0x44,0xab,0xde,0xe5,0x0d,0xc7,0x30,0xa4,0xc8,0xbd,0x57,
|
||||
0x24,0x13,0x83,0x7c,0x39,0x62,0xf6,0x08,0x73,0x2f,0xf2,0xa9,0xd7,0xaf,0x4d,0x4c,
|
||||
0x4c,0x8f,0x10,0x32,0x1e,0x2d,0xc6,0x67,0xd9,0x79,0x85,0x8d,0xc6,0xc3,0xca,0x37,
|
||||
0x9d,0x3a,0xa9,0xa2,0x49,0x02,0x81,0xc0,0x5f,0xec,0x0d,0xc2,0x43,0x30,0xaf,0xa7,
|
||||
0x5d,0x23,0x36,0xba,0x07,0x1c,0xd4,0xce,0xe3,0x37,0x3c,0xc4,0x3e,0xbf,0x20,0xa8,
|
||||
0x3e,0x8e,0x7f,0xcd,0x6e,0x3e,0x0e,0x97,0xc4,0x53,0x3c,0xc8,0x04,0xc8,0x36,0xce,
|
||||
0xa4,0x7f,0x6d,0xbb,0xb8,0x08,0x0e,0x69,0x6d,0xa0,0x4c,0xea,0x3b,0x9a,0xee,0x3f,
|
||||
0x76,0xee,0xe4,0xc5,0x21,0x00,0xc4,0xd1,0x72,0xbc,0x6d,0xd5,0xa2,0x30,0xb2,0x5e,
|
||||
0x59,0x20,0x02,0x0c,0xad,0xc0,0x82,0xaa,0x44,0x43,0xa2,0xeb,0xc7,0x8b,0x3b,0x97,
|
||||
0x9a,0xb3,0xd5,0x51,0x25,0xd5,0x76,0x4b,0xc7,0x44,0x70,0x7b,0x1e,0x1d,0x07,0x8e,
|
||||
0xa5,0xe1,0x5b,0xcc,0x14,0xbd,0x20,0x4b,0x1b,0x83,0x94,0xa4,0x55,0x57,0x79,0x75,
|
||||
0x3f,0x0e,0xce,0xe5,0x30,0x5a,0x8c,0x2b,0x83,0xeb,0x5c,0xeb,0x32,0x54,0x1c,0x85,
|
||||
0xb9,0xe2,0xf0,0x45,0xee,0x83,0x6c,0x7f,0x10,0x6e,0x6c,0xfc,0x7e,0xef,0x14,0x98,
|
||||
0x8d,0xb5,0x9c,0xa5,0x80,0x84,0x3f,0x2b,0x86,0xf6,0xfa,0xc0,0xe0,0x01,0x0c,0x96,
|
||||
0x47,0x89,0x6c,0x0c,0x4f,0x6c,0xd8,0x56,0x13,0x38,0x90,0x1d,0x7e,0x56,0x8e,0xb2,
|
||||
0xa3,0xe5,0x36,0x32,0x42,0xbf,0xd1,0xe2
|
||||
};
|
||||
|
||||
const size_t RSA3K_PRIVKEY_DER_LEN = sizeof (RSA3K_PRIVKEY_DER);
|
||||
|
||||
#if (RSA_MAX_KEY_LENGTH >= RSA_KEY_LENGTH_4K)
|
||||
const struct rsa_public_key RSA4K_PUBLIC_KEY = {
|
||||
.modulus = {
|
||||
|
|
|
|||
|
|
@ -95,6 +95,23 @@ extern const uint8_t RSA_SIGNATURE3_BAD[];
|
|||
#define RSA_ENCRYPT_LEN (2048 / 8)
|
||||
|
||||
|
||||
#if (RSA_MAX_KEY_LENGTH >= RSA_KEY_LENGTH_3K)
|
||||
extern const struct rsa_public_key RSA3K_PUBLIC_KEY;
|
||||
#endif
|
||||
|
||||
extern const char RSA3K_PUBKEY_PEM[];
|
||||
extern const size_t RSA3K_PUBKEY_PEM_LEN;
|
||||
|
||||
extern const uint8_t RSA3K_PUBKEY_DER[];
|
||||
extern const size_t RSA3K_PUBKEY_DER_LEN;
|
||||
|
||||
extern const char RSA3K_PRIVKEY_PEM[];
|
||||
extern const size_t RSA3K_PRIVKEY_PEM_LEN;
|
||||
|
||||
extern const uint8_t RSA3K_PRIVKEY_DER[];
|
||||
extern const size_t RSA3K_PRIVKEY_DER_LEN;
|
||||
|
||||
|
||||
#if (RSA_MAX_KEY_LENGTH >= RSA_KEY_LENGTH_4K)
|
||||
extern const struct rsa_public_key RSA4K_PUBLIC_KEY;
|
||||
#endif
|
||||
|
|
|
|||
|
|
@ -7,6 +7,7 @@
|
|||
#include <limits.h>
|
||||
#include "cmd_interface/attestation_cmd_interface.h"
|
||||
#include "cmd_interface/cmd_logging.h"
|
||||
#include "cmd_interface/cerberus_protocol_optional_commands.h"
|
||||
#include "flash/flash_common.h"
|
||||
#include "logging/logging_flash.h"
|
||||
#include "cmd_background_task.h"
|
||||
|
|
@ -20,10 +21,6 @@
|
|||
#define CMD_BACKGROUND_DEBUG_LOG_FILL (1U << 4)
|
||||
#define CMD_BACKGROUND_AUTH_RIOT (1U << 5)
|
||||
|
||||
#define CMD_BACKGROUND_PCR_NUM_SHIFT (29)
|
||||
#define CMD_BACKGROUND_PCR_NUM_MASK (7U << CMD_BACKGROUND_PCR_NUM_SHIFT)
|
||||
|
||||
|
||||
|
||||
/**
|
||||
* Set the current operation status.
|
||||
|
|
@ -47,7 +44,6 @@ void cmd_background_task_set_status (struct cmd_background_task *task, int *op_s
|
|||
static void cmd_background_task_handler (struct cmd_background_task *task)
|
||||
{
|
||||
uint32_t notification;
|
||||
uint8_t pcr_num;
|
||||
int *op_status;
|
||||
int status;
|
||||
|
||||
|
|
@ -58,26 +54,33 @@ static void cmd_background_task_handler (struct cmd_background_task *task)
|
|||
xTaskNotifyWait (pdFALSE, ULONG_MAX, ¬ification, portMAX_DELAY);
|
||||
|
||||
if (notification & CMD_BACKGROUND_RUN_UNSEAL) {
|
||||
struct cerberus_protocol_message_unseal *unseal =
|
||||
(struct cerberus_protocol_message_unseal*) task->attestation.unseal_request;
|
||||
|
||||
op_status = &task->attestation.attestation_status;
|
||||
pcr_num = (notification & CMD_BACKGROUND_PCR_NUM_MASK) >>
|
||||
CMD_BACKGROUND_PCR_NUM_SHIFT;
|
||||
|
||||
status = task->attestation.attestation->aux_attestation_unseal (
|
||||
task->attestation.attestation, task->attestation.hash, task->attestation.seed,
|
||||
task->attestation.seed_length, task->attestation.hmac,
|
||||
task->attestation.ciphertext, task->attestation.cipher_length,
|
||||
task->attestation.sealing, task->attestation.key_buf,
|
||||
sizeof (task->attestation.key_buf), pcr_num);
|
||||
task->attestation.attestation, task->attestation.hash, AUX_ATTESTATION_KEY_256BIT,
|
||||
&unseal->seed, unseal->seed_length,
|
||||
(enum aux_attestation_seed_type) unseal->seed_type,
|
||||
(enum aux_attestation_seed_padding) unseal->seed_params.rsa.padding,
|
||||
cerberus_protocol_unseal_hmac (unseal), HMAC_SHA256,
|
||||
cerberus_protocol_unseal_ciphertext (unseal),
|
||||
cerberus_protocol_unseal_ciphertext_length (unseal),
|
||||
cerberus_protocol_get_unseal_pmr_sealing (unseal)->pmr, CERBERUS_PROTOCOL_MAX_PMR,
|
||||
task->attestation.key, sizeof (task->attestation.key));
|
||||
if (ROT_IS_ERROR (status)) {
|
||||
debug_log_create_entry (DEBUG_LOG_SEVERITY_ERROR,
|
||||
debug_log_create_entry (DEBUG_LOG_SEVERITY_ERROR,
|
||||
DEBUG_LOG_COMPONENT_CMD_INTERFACE, CMD_LOGGING_UNSEAL_FAIL, status, 0);
|
||||
|
||||
status = CMD_BACKGROUND_STATUS (ATTESTATION_CMD_STATUS_FAILURE, status);
|
||||
}
|
||||
else {
|
||||
task->attestation.key_len = status;
|
||||
status = ATTESTATION_CMD_STATUS_SUCCESS;
|
||||
}
|
||||
|
||||
platform_free (task->attestation.unseal_request);
|
||||
task->attestation.unseal_request = NULL;
|
||||
}
|
||||
else if (notification & CMD_BACKGROUND_RUN_BYPASS) {
|
||||
cmd_background_task_set_status (task, &task->config.config_status,
|
||||
|
|
@ -170,15 +173,13 @@ static void cmd_background_task_handler (struct cmd_background_task *task)
|
|||
} while (1);
|
||||
}
|
||||
|
||||
static int cmd_background_task_unseal_start (struct cmd_background *cmd, const uint8_t *seed,
|
||||
size_t seed_length, const uint8_t *hmac, const uint8_t *ciphertext, size_t cipher_length,
|
||||
const uint8_t *sealing, uint8_t platform_pcr)
|
||||
static int cmd_background_task_unseal_start (struct cmd_background *cmd,
|
||||
const uint8_t *unseal_request, size_t length)
|
||||
{
|
||||
struct cmd_background_task *task = (struct cmd_background_task*) cmd;
|
||||
int status = 0;
|
||||
|
||||
if ((task == NULL) || (seed == NULL) || (hmac == NULL) || (ciphertext == NULL) ||
|
||||
(sealing == NULL)) {
|
||||
if ((task == NULL) || (unseal_request == NULL) || (length == 0)) {
|
||||
return CMD_BACKGROUND_INVALID_ARGUMENT;
|
||||
}
|
||||
|
||||
|
|
@ -186,39 +187,41 @@ static int cmd_background_task_unseal_start (struct cmd_background *cmd, const u
|
|||
return CMD_BACKGROUND_UNSUPPORTED_REQUEST;
|
||||
}
|
||||
|
||||
if ((seed_length > sizeof (task->attestation.seed)) ||
|
||||
(cipher_length > sizeof (task->attestation.ciphertext))) {
|
||||
return CMD_BACKGROUND_INPUT_TOO_BIG;
|
||||
}
|
||||
|
||||
if (task->task) {
|
||||
xSemaphoreTake (task->lock, portMAX_DELAY);
|
||||
if (!task->running) {
|
||||
task->attestation.attestation_status = ATTESTATION_CMD_STATUS_RUNNING;
|
||||
task->running = 1;
|
||||
if (task->attestation.unseal_request != NULL) {
|
||||
platform_free (task->attestation.unseal_request);
|
||||
}
|
||||
|
||||
memcpy (task->attestation.seed, seed, seed_length);
|
||||
memcpy (task->attestation.hmac, hmac, sizeof (task->attestation.hmac));
|
||||
memcpy (task->attestation.ciphertext, ciphertext, cipher_length);
|
||||
memcpy (task->attestation.sealing, sealing, sizeof (task->attestation.sealing));
|
||||
task->attestation.unseal_request = platform_malloc (length);
|
||||
if (task->attestation.unseal_request != NULL) {
|
||||
task->attestation.attestation_status = ATTESTATION_CMD_STATUS_RUNNING;
|
||||
task->running = 1;
|
||||
|
||||
task->attestation.seed_length = seed_length;
|
||||
task->attestation.cipher_length = cipher_length;
|
||||
memcpy (task->attestation.unseal_request, unseal_request, length);
|
||||
|
||||
xSemaphoreGive (task->lock);
|
||||
xTaskNotify (task->task,
|
||||
(CMD_BACKGROUND_RUN_UNSEAL | (platform_pcr << CMD_BACKGROUND_PCR_NUM_SHIFT)),
|
||||
eSetBits);
|
||||
xSemaphoreGive (task->lock);
|
||||
xTaskNotify (task->task, CMD_BACKGROUND_RUN_UNSEAL, eSetBits);
|
||||
}
|
||||
else {
|
||||
status = CMD_BACKGROUND_NO_MEMORY;
|
||||
task->attestation.attestation_status =
|
||||
CMD_BACKGROUND_STATUS (ATTESTATION_CMD_STATUS_FAILURE, status);
|
||||
xSemaphoreGive (task->lock);
|
||||
}
|
||||
}
|
||||
else {
|
||||
task->attestation.attestation_status = ATTESTATION_CMD_STATUS_REQUEST_BLOCKED;
|
||||
status = CMD_BACKGROUND_TASK_BUSY;
|
||||
task->attestation.attestation_status =
|
||||
CMD_BACKGROUND_STATUS (ATTESTATION_CMD_STATUS_REQUEST_BLOCKED, status);
|
||||
xSemaphoreGive (task->lock);
|
||||
}
|
||||
}
|
||||
else {
|
||||
task->attestation.attestation_status = ATTESTATION_CMD_STATUS_TASK_NOT_RUNNING;
|
||||
status = CMD_BACKGROUND_NO_TASK;
|
||||
task->attestation.attestation_status =
|
||||
CMD_BACKGROUND_STATUS (ATTESTATION_CMD_STATUS_TASK_NOT_RUNNING, status);
|
||||
}
|
||||
|
||||
return status;
|
||||
|
|
@ -242,15 +245,19 @@ static int cmd_background_task_unseal_result (struct cmd_background *cmd, uint8_
|
|||
*unseal_status = task->attestation.attestation_status;
|
||||
|
||||
if (task->attestation.attestation_status == ATTESTATION_CMD_STATUS_SUCCESS) {
|
||||
if (*key_length < task->attestation.key_len) {
|
||||
if (*key_length < sizeof (task->attestation.key)) {
|
||||
xSemaphoreGive (task->lock);
|
||||
return CMD_BACKGROUND_BUF_TOO_SMALL;
|
||||
}
|
||||
else {
|
||||
memcpy (key, task->attestation.key_buf, task->attestation.key_len);
|
||||
*key_length = task->attestation.key_len;
|
||||
memcpy (key, task->attestation.key, sizeof (task->attestation.key));
|
||||
*key_length = sizeof (task->attestation.key);
|
||||
task->attestation.attestation_status = ATTESTATION_CMD_STATUS_NONE_STARTED;
|
||||
}
|
||||
}
|
||||
else {
|
||||
*key_length = 0;
|
||||
}
|
||||
|
||||
xSemaphoreGive (task->lock);
|
||||
|
||||
|
|
@ -279,14 +286,16 @@ static int cmd_background_task_reset_bypass (struct cmd_background *cmd)
|
|||
xTaskNotify (task->task, CMD_BACKGROUND_RUN_BYPASS, eSetBits);
|
||||
}
|
||||
else {
|
||||
task->config.config_status = CONFIG_RESET_STATUS_REQUEST_BLOCKED;
|
||||
status = CMD_BACKGROUND_TASK_BUSY;
|
||||
task->config.config_status =
|
||||
CMD_BACKGROUND_STATUS (CONFIG_RESET_STATUS_REQUEST_BLOCKED, status);
|
||||
xSemaphoreGive (task->lock);
|
||||
}
|
||||
}
|
||||
else {
|
||||
task->config.config_status = CONFIG_RESET_STATUS_TASK_NOT_RUNNING;
|
||||
status = CMD_BACKGROUND_NO_TASK;
|
||||
task->config.config_status =
|
||||
CMD_BACKGROUND_STATUS (CONFIG_RESET_STATUS_TASK_NOT_RUNNING, status);
|
||||
}
|
||||
|
||||
return status;
|
||||
|
|
@ -314,14 +323,16 @@ static int cmd_background_task_restore_defaults (struct cmd_background *cmd)
|
|||
xTaskNotify (task->task, CMD_BACKGROUND_RUN_DEFAULTS, eSetBits);
|
||||
}
|
||||
else {
|
||||
task->config.config_status = CONFIG_RESET_STATUS_REQUEST_BLOCKED;
|
||||
status = CMD_BACKGROUND_TASK_BUSY;
|
||||
task->config.config_status =
|
||||
CMD_BACKGROUND_STATUS (CONFIG_RESET_STATUS_REQUEST_BLOCKED, status);
|
||||
xSemaphoreGive (task->lock);
|
||||
}
|
||||
}
|
||||
else {
|
||||
task->config.config_status = CONFIG_RESET_STATUS_TASK_NOT_RUNNING;
|
||||
status = CMD_BACKGROUND_NO_TASK;
|
||||
task->config.config_status =
|
||||
CMD_BACKGROUND_STATUS (CONFIG_RESET_STATUS_TASK_NOT_RUNNING, status);
|
||||
}
|
||||
|
||||
return status;
|
||||
|
|
@ -412,8 +423,8 @@ int cmd_background_task_authenticate_riot_certs (struct cmd_background *cmd)
|
|||
}
|
||||
else {
|
||||
status = CMD_BACKGROUND_TASK_BUSY;
|
||||
task->config.config_status = CMD_BACKGROUND_STATUS (RIOT_CERT_STATE_CHAIN_INVALID,
|
||||
status);
|
||||
task->config.config_status =
|
||||
CMD_BACKGROUND_STATUS (RIOT_CERT_STATE_CHAIN_INVALID, status);
|
||||
xSemaphoreGive (task->lock);
|
||||
}
|
||||
}
|
||||
|
|
@ -452,8 +463,8 @@ int cmd_background_task_get_riot_cert_chain_state (struct cmd_background *cmd)
|
|||
*
|
||||
* @return 0 if the task was successfully initialized or an error code.
|
||||
*/
|
||||
int cmd_background_task_init (struct cmd_background_task *task,
|
||||
struct attestation_slave *attestation, struct hash_engine *hash, struct config_reset *reset,
|
||||
int cmd_background_task_init (struct cmd_background_task *task,
|
||||
struct attestation_slave *attestation, struct hash_engine *hash, struct config_reset *reset,
|
||||
struct riot_key_manager *riot)
|
||||
{
|
||||
if (task == NULL) {
|
||||
|
|
|
|||
|
|
@ -20,14 +20,8 @@ struct cmd_background_attestation {
|
|||
struct attestation_slave *attestation; /**< Attestation manager to utilize for attestation operations. */
|
||||
struct hash_engine *hash; /**< Hash engine to be used in attestation operations. */
|
||||
int attestation_status; /**< The attestation operation status. */
|
||||
uint8_t seed[512]; /**< The request seed encrypted with the attestation public key. */
|
||||
size_t seed_length; /**< The length of the request seed. */
|
||||
uint8_t hmac[SHA256_HASH_LENGTH]; /**< The HMAC for the attestation request. This is an HMAC-SHA256 value. */
|
||||
uint8_t ciphertext[255]; /**< The encrypted attestation data. */
|
||||
size_t cipher_length; /**< Length of the encrypted data. */
|
||||
uint8_t sealing[64]; /**< A 64-byte sealing value for the attestation data. */
|
||||
uint8_t key_buf[255]; /**< Buffer to hold unsealed encryption key. */
|
||||
size_t key_len; /**< Unsealed encryption key length. */
|
||||
uint8_t *unseal_request; /**< The current unseal request. */
|
||||
uint8_t key[AUX_ATTESTATION_KEY_256BIT]; /**< Buffer for the unsealed key. */
|
||||
};
|
||||
|
||||
/**
|
||||
|
|
@ -60,8 +54,8 @@ struct cmd_background_task {
|
|||
};
|
||||
|
||||
|
||||
int cmd_background_task_init (struct cmd_background_task *task,
|
||||
struct attestation_slave *attestation, struct hash_engine *hash, struct config_reset *reset,
|
||||
int cmd_background_task_init (struct cmd_background_task *task,
|
||||
struct attestation_slave *attestation, struct hash_engine *hash, struct config_reset *reset,
|
||||
struct riot_key_manager *riot);
|
||||
int cmd_background_task_start (struct cmd_background_task *task);
|
||||
|
||||
|
|
|
|||
|
|
@ -261,12 +261,12 @@ int mock_validate (struct mock *mock);
|
|||
* Error codes that can be generated by a mock object.
|
||||
*/
|
||||
enum {
|
||||
MOCK_INVALID_ARGUMENT = MOCK_ERROR (0), /**< Input parameter is null or not valid. */
|
||||
MOCK_NO_MEMORY = MOCK_ERROR (1), /**< Memory allocation failed. */
|
||||
MOCK_NO_EXPECTATION = MOCK_ERROR (2), /**< No expectation to modify. */
|
||||
MOCK_BAD_ARG_INDEX = MOCK_ERROR (3), /**< Argument index is not valid for the call. */
|
||||
MOCK_SAVE_ARG_EXISTS = MOCK_ERROR (4), /**< A saved argument already exists for an ID. */
|
||||
MOCK_NO_SAVE_ARG = MOCK_ERROR (5), /**< No saved argument for an ID. */
|
||||
MOCK_INVALID_ARGUMENT = MOCK_ERROR (0x00), /**< Input parameter is null or not valid. */
|
||||
MOCK_NO_MEMORY = MOCK_ERROR (0x01), /**< Memory allocation failed. */
|
||||
MOCK_NO_EXPECTATION = MOCK_ERROR (0x02), /**< No expectation to modify. */
|
||||
MOCK_BAD_ARG_INDEX = MOCK_ERROR (0x03), /**< Argument index is not valid for the call. */
|
||||
MOCK_SAVE_ARG_EXISTS = MOCK_ERROR (0x04), /**< A saved argument already exists for an ID. */
|
||||
MOCK_NO_SAVE_ARG = MOCK_ERROR (0x05), /**< No saved argument for an ID. */
|
||||
};
|
||||
|
||||
|
||||
|
|
|
|||
Загрузка…
Ссылка в новой задаче