cert_unittest.cc
1 // Copyright lowRISC contributors (OpenTitan project).
2 // Licensed under the Apache License, Version 2.0, see LICENSE for details.
3 // SPDX-License-Identifier: Apache-2.0
4 
5 #include "sw/device/silicon_creator/lib/cert/cert.h"
6 
7 #include "gtest/gtest.h"
9 #include "sw/device/silicon_creator/lib/error.h"
10 #include "sw/device/silicon_creator/testing/rom_test.h"
11 
12 #include "flash_ctrl_regs.h"
14 
15 namespace cert_unittest {
16 namespace {
17 using ::testing::_;
18 using ::testing::Return;
19 using ::testing::SetArgPointee;
20 
/**
 * Test fixture providing a sample DICE X.509 certificate and the serial
 * number that the tests compare it against.
 */
class CertTest : public rom_test::RomTest {
 protected:
  // Serial number passed to cert_x509_asn1_check_serial_number() as the
  // expected value. It differs from the serial encoded in
  // valid_dice_cert_bytes_ only in the top bit of the first byte (0x01 here,
  // 0x81 in the certificate), yet CertValidFullSerialNumber expects a match.
  // NOTE(review): presumably the function under test normalises that bit
  // before comparing; confirm against the contract documented in cert.h.
  uint8_t expected_sn_bytes_[kCertX509Asn1SerialNumberSizeInBytes] = {
      0x01, 0xB4, 0x17, 0x80, 0x5F, 0x8B, 0x74, 0xAD, 0xEC, 0xE7,
      0xE9, 0xAC, 0x37, 0xCA, 0xBD, 0x33, 0x4C, 0xAA, 0xEB, 0x3D,
  };

  // CDI 0 hexdump from provisioning e2e FPGA test.
  // $ bazel test --test_output=streamed --cache_test_results=no \
  // //sw/host/provisioning/orchestrator/tests:e2e_emulation_cw340_test
  //
  // Only the leading bytes are initialised with certificate data; the rest of
  // the 2048-byte buffer is zero-filled. The tests pass
  // sizeof(valid_dice_cert_bytes_), i.e. the buffer capacity, as the size
  // argument rather than the encoded certificate length.
  uint8_t valid_dice_cert_bytes_[2048] = {
      0x30, 0x82, 0x02, 0x3d, 0x30, 0x82, 0x01, 0xe3, 0xa0, 0x03, 0x02, 0x01,
      0x02, 0x02, 0x15, 0x00, 0x81, 0xb4, 0x17, 0x80, 0x5f, 0x8b, 0x74, 0xad,
      0xec, 0xe7, 0xe9, 0xac, 0x37, 0xca, 0xbd, 0x33, 0x4c, 0xaa, 0xeb, 0x3d,
      0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02,
      0x30, 0x33, 0x31, 0x31, 0x30, 0x2f, 0x06, 0x03, 0x55, 0x04, 0x05, 0x13,
      0x28, 0x38, 0x66, 0x61, 0x31, 0x34, 0x33, 0x36, 0x35, 0x62, 0x62, 0x32,
      0x65, 0x30, 0x36, 0x62, 0x38, 0x38, 0x39, 0x35, 0x38, 0x66, 0x32, 0x65,
      0x61, 0x38, 0x36, 0x65, 0x66, 0x65, 0x64, 0x34, 0x30, 0x65, 0x32, 0x34,
      0x32, 0x64, 0x63, 0x33, 0x62, 0x30, 0x22, 0x18, 0x0f, 0x32, 0x30, 0x31,
      0x38, 0x30, 0x33, 0x32, 0x32, 0x32, 0x33, 0x35, 0x39, 0x35, 0x39, 0x5a,
      0x18, 0x0f, 0x39, 0x39, 0x39, 0x39, 0x31, 0x32, 0x33, 0x31, 0x32, 0x33,
      0x35, 0x39, 0x35, 0x39, 0x5a, 0x30, 0x33, 0x31, 0x31, 0x30, 0x2f, 0x06,
      0x03, 0x55, 0x04, 0x05, 0x13, 0x28, 0x38, 0x31, 0x62, 0x34, 0x31, 0x37,
      0x38, 0x30, 0x35, 0x66, 0x38, 0x62, 0x37, 0x34, 0x61, 0x64, 0x65, 0x63,
      0x65, 0x37, 0x65, 0x39, 0x61, 0x63, 0x33, 0x37, 0x63, 0x61, 0x62, 0x64,
      0x33, 0x33, 0x34, 0x63, 0x61, 0x61, 0x65, 0x62, 0x33, 0x64, 0x30, 0x59,
      0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06,
      0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00,
      0x04, 0x7e, 0x6b, 0x24, 0x43, 0x1b, 0x04, 0x1d, 0x98, 0xdb, 0xb8, 0xa0,
      0x53, 0x91, 0x6a, 0xbf, 0xaa, 0xe1, 0x62, 0x33, 0xf9, 0x6e, 0xee, 0x0c,
      0x75, 0x8f, 0x0b, 0x55, 0x98, 0xd6, 0x4f, 0x3f, 0x6e, 0x88, 0xfd, 0xdf,
      0xe7, 0x98, 0x81, 0x03, 0x91, 0x04, 0xd5, 0xa9, 0x09, 0xaf, 0xeb, 0x75,
      0x2a, 0x0c, 0x19, 0x7c, 0x50, 0x02, 0x17, 0xd7, 0x59, 0xf8, 0xfa, 0xcb,
      0x2d, 0xa8, 0x77, 0xe8, 0x33, 0xa3, 0x81, 0xcf, 0x30, 0x81, 0xcc, 0x30,
      0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30,
      0x03, 0x01, 0x01, 0xff, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01,
      0x01, 0xff, 0x04, 0x05, 0x03, 0x03, 0x07, 0x04, 0x00, 0x30, 0x22, 0x06,
      0x03, 0x55, 0x1d, 0x23, 0x01, 0x01, 0x00, 0x04, 0x18, 0x30, 0x16, 0x80,
      0x14, 0x8f, 0xa1, 0x43, 0x65, 0xbb, 0x2e, 0x06, 0xb8, 0x89, 0x58, 0xf2,
      0xea, 0x86, 0xef, 0xed, 0x40, 0xe2, 0x42, 0xdc, 0x3b, 0x30, 0x20, 0x06,
      0x03, 0x55, 0x1d, 0x0e, 0x01, 0x01, 0x00, 0x04, 0x16, 0x04, 0x14, 0x81,
      0xb4, 0x17, 0x80, 0x5f, 0x8b, 0x74, 0xad, 0xec, 0xe7, 0xe9, 0xac, 0x37,
      0xca, 0xbd, 0x33, 0x4c, 0xaa, 0xeb, 0x3d, 0x30, 0x62, 0x06, 0x06, 0x67,
      0x81, 0x05, 0x05, 0x04, 0x01, 0x01, 0x01, 0xff, 0x04, 0x55, 0x30, 0x53,
      0x80, 0x09, 0x4f, 0x70, 0x65, 0x6e, 0x54, 0x69, 0x74, 0x61, 0x6e, 0x81,
      0x07, 0x52, 0x4f, 0x4d, 0x5f, 0x45, 0x58, 0x54, 0x83, 0x05, 0x00, 0x80,
      0x00, 0x00, 0x00, 0x84, 0x01, 0x01, 0xa6, 0x2f, 0x30, 0x2d, 0x06, 0x09,
      0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x04, 0x20, 0x00,
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x87, 0x02, 0x04, 0x00, 0x30,
      0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03,
      0x48, 0x00, 0x30, 0x45, 0x02, 0x20, 0x14, 0x95, 0x17, 0xb9, 0xc0, 0xa8,
      0x24, 0x9d, 0x26, 0x4a, 0x71, 0xb9, 0xed, 0x4a, 0x87, 0x99, 0x25, 0x72,
      0xc6, 0x31, 0xf8, 0xce, 0x3e, 0x6b, 0x98, 0x15, 0xec, 0xd7, 0xca, 0x65,
      0xb9, 0x1d, 0x02, 0x21, 0x00, 0x91, 0x10, 0xcd, 0xdf, 0xe3, 0xa8, 0x46,
      0xc2, 0xaf, 0x1c, 0x30, 0xc5, 0x4c, 0x99, 0x6d, 0xae, 0xb8, 0xc8, 0x19,
      0x15, 0x10, 0x3f, 0xe0, 0x64, 0xf0, 0x72, 0x7d, 0x33, 0x93, 0x51, 0x0f,
      0x5d,
  };

  // The certificate opens with 30 82 hi lo: a SEQUENCE tag followed by a
  // long-form length whose two value bytes sit at offsets 2 and 3. The total
  // encoded size is that 16-bit big-endian length plus the 4 header bytes.
  uint32_t expected_cert_size_ =
      4 + ((valid_dice_cert_bytes_[2] << 8) | valid_dice_cert_bytes_[3]);
};
84 
// The size decoder must report the complete encoded length of the sample
// certificate, i.e. the value the fixture derives from the outer header.
TEST_F(CertTest, DecodeSize) {
  const auto decoded_size =
      cert_x509_asn1_decode_size_header(valid_dice_cert_bytes_);
  EXPECT_EQ(decoded_size, expected_cert_size_);
}
89 
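/**
 * Here we test the case where a flash page has been erased (i.e., is all 1s)
 * but has never been provisioned with a certificate. The check must complete
 * with kErrorOk and report that the serial number does not match.
 */
TEST_F(CertTest, UnprovisionedCert) {
  // Primed with the opposite of the expected result, so the final assertion
  // passes only if the callee actually writes `matches`.
  // NOTE(review): the declaration is not visible in this listing; the type is
  // inferred from the kHardenedBool* constants used below.
  hardened_bool_t matches = kHardenedBoolTrue;
  uint8_t unprovisioned_cert_bytes[1024];
  memset(unprovisioned_cert_bytes, 0xFF, sizeof(unprovisioned_cert_bytes));
  // The array decays to uint8_t*, so no cast is needed.
  EXPECT_EQ(cert_x509_asn1_check_serial_number(
                unprovisioned_cert_bytes, sizeof(unprovisioned_cert_bytes),
                &expected_sn_bytes_, &matches),
            kErrorOk);
  EXPECT_EQ(matches, kHardenedBoolFalse);
}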
105 
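// A certificate whose serial number tag byte has been overwritten with 0 must
// be reported as a non-match, while the call itself still returns kErrorOk.
TEST_F(CertTest, BadSerialNumberTag) {
  // Primed with the opposite of the expected result, so the final assertion
  // passes only if the callee actually writes `matches`.
  // NOTE(review): the declaration is not visible in this listing; the type is
  // inferred from the kHardenedBool* constants used below.
  hardened_bool_t matches = kHardenedBoolTrue;
  const uint8_t backup =
      valid_dice_cert_bytes_[kCertX509Asn1SerialNumberTagByteOffset];
  valid_dice_cert_bytes_[kCertX509Asn1SerialNumberTagByteOffset] = 0;
  EXPECT_EQ(cert_x509_asn1_check_serial_number(valid_dice_cert_bytes_,
                                               sizeof(valid_dice_cert_bytes_),
                                               &expected_sn_bytes_, &matches),
            kErrorOk);
  EXPECT_EQ(matches, kHardenedBoolFalse);
  // Put the original byte back so the sample certificate is left as found.
  valid_dice_cert_bytes_[kCertX509Asn1SerialNumberTagByteOffset] = backup;
}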
118 
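// A certificate whose serial number length byte is set to 22 must be reported
// as a non-match, while the call itself still returns kErrorOk.
// NOTE(review): the sample certificate encodes 0x15 (21) as the length of its
// serial INTEGER, so 22 is presumably one more than the parser accepts;
// confirm against cert.h.
TEST_F(CertTest, BadSerialNumberLength) {
  // Primed with the opposite of the expected result, so the final assertion
  // passes only if the callee actually writes `matches`.
  // NOTE(review): the declaration is not visible in this listing; the type is
  // inferred from the kHardenedBool* constants used below.
  hardened_bool_t matches = kHardenedBoolTrue;
  const uint8_t backup =
      valid_dice_cert_bytes_[kCertX509Asn1SerialNumberLengthByteOffset];
  valid_dice_cert_bytes_[kCertX509Asn1SerialNumberLengthByteOffset] = 22;
  EXPECT_EQ(cert_x509_asn1_check_serial_number(valid_dice_cert_bytes_,
                                               sizeof(valid_dice_cert_bytes_),
                                               &expected_sn_bytes_, &matches),
            kErrorOk);
  EXPECT_EQ(matches, kHardenedBoolFalse);
  // Put the original byte back so the sample certificate is left as found.
  valid_dice_cert_bytes_[kCertX509Asn1SerialNumberLengthByteOffset] = backup;
}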
131 
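// A well-formed certificate checked against a different expected serial
// number (all zeros here) must be reported as a non-match with kErrorOk.
TEST_F(CertTest, CertOutdated) {
  // Primed with the opposite of the expected result, so the final assertion
  // passes only if the callee actually writes `matches`.
  // NOTE(review): the declaration is not visible in this listing; the type is
  // inferred from the kHardenedBool* constants used below.
  hardened_bool_t matches = kHardenedBoolTrue;
  uint8_t empty_sn[kCertX509Asn1SerialNumberSizeInBytes] = {0};
  EXPECT_EQ(cert_x509_asn1_check_serial_number(valid_dice_cert_bytes_,
                                               sizeof(valid_dice_cert_bytes_),
                                               &empty_sn, &matches),
            kErrorOk);
  EXPECT_EQ(matches, kHardenedBoolFalse);
}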
141 
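// A certificate whose serial number length byte is set to 19 must be reported
// as a non-match with kErrorOk, even though the expected serial number is the
// one the tests otherwise treat as valid for this certificate.
// NOTE(review): the sample certificate encodes 0x15 (21) as the length of its
// serial INTEGER, so 19 is shorter than what is actually present.
TEST_F(CertTest, CertOutdatedSerialNumberSizeMismatch) {
  // Primed with the opposite of the expected result, so the final assertion
  // passes only if the callee actually writes `matches`.
  // NOTE(review): the declaration is not visible in this listing; the type is
  // inferred from the kHardenedBool* constants used below.
  hardened_bool_t matches = kHardenedBoolTrue;
  const uint8_t old_length =
      valid_dice_cert_bytes_[kCertX509Asn1SerialNumberLengthByteOffset];
  valid_dice_cert_bytes_[kCertX509Asn1SerialNumberLengthByteOffset] = 19;
  EXPECT_EQ(cert_x509_asn1_check_serial_number(valid_dice_cert_bytes_,
                                               sizeof(valid_dice_cert_bytes_),
                                               &expected_sn_bytes_, &matches),
            kErrorOk);
  EXPECT_EQ(matches, kHardenedBoolFalse);
  // Put the original byte back so the sample certificate is left as found.
  valid_dice_cert_bytes_[kCertX509Asn1SerialNumberLengthByteOffset] =
      old_length;
}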
155 
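// The unmodified sample certificate checked against the fixture's expected
// serial number must be reported as a match with kErrorOk.
TEST_F(CertTest, CertValidFullSerialNumber) {
  // Full length serial number.
  // Primed with kHardenedBoolFalse so the final assertion passes only if the
  // callee actually sets `matches` to true.
  // NOTE(review): the declaration is not visible in this listing; the type is
  // inferred from the kHardenedBool* constants used below.
  hardened_bool_t matches = kHardenedBoolFalse;
  EXPECT_EQ(cert_x509_asn1_check_serial_number(valid_dice_cert_bytes_,
                                               sizeof(valid_dice_cert_bytes_),
                                               &expected_sn_bytes_, &matches),
            kErrorOk);
  EXPECT_EQ(matches, kHardenedBoolTrue);
}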
167 
168 } // namespace
169 } // namespace cert_unittest