From 75e90281455dd3e83778a208a1d0b5bb7c3d6dca Mon Sep 17 00:00:00 2001 
From: Arthur Heymans Date: Thu, 21 Nov 2024 16:20:24 +0100 Subject: [PATCH] Add idevid CSR with MLDSA87 This increase in struct size requires the stack to be reduced. --- drivers/src/lib.rs | 6 +- drivers/src/memory_layout.rs | 30 ++- drivers/src/persistent.rs | 128 +++++++---- fmc/src/flow/rt_alias.rs | 10 +- rom/dev/src/crypto.rs | 36 +++ rom/dev/src/flow/cold_reset/fmc_alias.rs | 6 +- rom/dev/src/flow/cold_reset/fw_processor.rs | 2 +- rom/dev/src/flow/cold_reset/idev_id.rs | 129 ++++++++--- rom/dev/src/flow/cold_reset/ldev_id.rs | 4 +- rom/dev/tools/test-fmc/src/main.rs | 22 +- runtime/src/get_idev_csr.rs | 6 +- .../test_get_idev_csr.rs | 7 +- x509/build/build.rs | 24 +- ...t_tbs.rs => fmc_alias_cert_tbs_ecc_384.rs} | 12 +- x509/build/fmc_alias_cert_tbs_mldsa_87.rs | 210 ++++++++++++++++++ ..._tbs.rs => init_dev_id_csr_tbs_ecc_384.rs} | 12 +- x509/build/init_dev_id_csr_tbs_mldsa_87.rs | 94 ++++++++ ...bs.rs => local_dev_id_cert_tbs_ecc_384.rs} | 12 +- x509/build/local_dev_id_cert_tbs_mldsa_87.rs | 156 +++++++++++++ ...rt_tbs.rs => rt_alias_cert_tbs_ecc_384.rs} | 12 +- x509/build/rt_alias_cert_tbs_mldsa_87.rs | 182 +++++++++++++++ x509/src/cert_bldr.rs | 13 +- ...lias_cert.rs => fmc_alias_cert_ecc_384.rs} | 88 ++++---- x509/src/fmc_alias_cert_mldsa_87.rs | 15 ++ .../{idevid_csr.rs => idevid_csr_ecc_384.rs} | 36 +-- x509/src/idevid_csr_mldsa_87.rs | 15 ++ ...{ldevid_cert.rs => ldevid_cert_ecc_384.rs} | 59 ++--- x509/src/ldevid_cert_mldsa_87.rs | 15 ++ x509/src/lib.rs | 21 +- ...alias_cert.rs => rt_alias_cert_ecc_384.rs} | 82 +++---- x509/src/rt_alias_cert_mldsa_87.rs | 15 ++ 31 files changed, 1178 insertions(+), 281 deletions(-) rename x509/build/{fmc_alias_cert_tbs.rs => fmc_alias_cert_tbs_ecc_384.rs} (97%) create mode 100644 x509/build/fmc_alias_cert_tbs_mldsa_87.rs rename x509/build/{init_dev_id_csr_tbs.rs => init_dev_id_csr_tbs_ecc_384.rs} (93%) create mode 100644 x509/build/init_dev_id_csr_tbs_mldsa_87.rs rename x509/build/{local_dev_id_cert_tbs.rs => 
local_dev_id_cert_tbs_ecc_384.rs} (96%) create mode 100644 x509/build/local_dev_id_cert_tbs_mldsa_87.rs rename x509/build/{rt_alias_cert_tbs.rs => rt_alias_cert_tbs_ecc_384.rs} (96%) create mode 100644 x509/build/rt_alias_cert_tbs_mldsa_87.rs rename x509/src/{fmc_alias_cert.rs => fmc_alias_cert_ecc_384.rs} (66%) create mode 100644 x509/src/fmc_alias_cert_mldsa_87.rs rename x509/src/{idevid_csr.rs => idevid_csr_ecc_384.rs} (81%) create mode 100644 x509/src/idevid_csr_mldsa_87.rs rename x509/src/{ldevid_cert.rs => ldevid_cert_ecc_384.rs} (72%) create mode 100644 x509/src/ldevid_cert_mldsa_87.rs rename x509/src/{rt_alias_cert.rs => rt_alias_cert_ecc_384.rs} (51%) create mode 100644 x509/src/rt_alias_cert_mldsa_87.rs diff --git a/drivers/src/lib.rs b/drivers/src/lib.rs index f83ca623ab..790ee4e1a7 100644 --- a/drivers/src/lib.rs +++ b/drivers/src/lib.rs @@ -95,9 +95,9 @@ pub use pcr_reset::PcrResetCounter; #[cfg(feature = "runtime")] pub use persistent::AuthManifestImageMetadataList; pub use persistent::{ - FuseLogArray, IdevIdCsr, PcrLogArray, PersistentData, PersistentDataAccessor, - StashMeasurementArray, FUSE_LOG_MAX_COUNT, MAX_CSR_SIZE, MEASUREMENT_MAX_COUNT, - PCR_LOG_MAX_COUNT, + Ecc384IdevIdCsr, FuseLogArray, Mldsa87IdevIdCsr, PcrLogArray, PersistentData, + PersistentDataAccessor, StashMeasurementArray, ECC384_MAX_CSR_SIZE, FUSE_LOG_MAX_COUNT, + MEASUREMENT_MAX_COUNT, MLDSA87_MAX_CSR_SIZE, PCR_LOG_MAX_COUNT, }; pub use pic::{IntSource, Pic}; pub use sha1::{Sha1, Sha1Digest, Sha1DigestOp}; diff --git a/drivers/src/memory_layout.rs b/drivers/src/memory_layout.rs index 28c2cb0e6c..969c8dcbef 100644 --- a/drivers/src/memory_layout.rs +++ b/drivers/src/memory_layout.rs 
@@ -44,8 +44,10 @@ pub const FUSE_LOG_ORG: u32 = MEASUREMENT_LOG_ORG + MEASUREMENT_LOG_SIZE; pub const DPE_ORG: u32 = FUSE_LOG_ORG + FUSE_LOG_SIZE; pub const PCR_RESET_COUNTER_ORG: u32 = DPE_ORG + DPE_SIZE; pub const AUTH_MAN_IMAGE_METADATA_LIST_ORG: u32 = PCR_RESET_COUNTER_ORG + PCR_RESET_COUNTER_SIZE; -pub const IDEVID_CSR_ORG: u32 = AUTH_MAN_IMAGE_METADATA_LIST_ORG + AUTH_MAN_IMAGE_METADATA_MAX_SIZE; -pub const DATA_ORG: u32 = IDEVID_CSR_ORG + IDEVID_CSR_SIZE; +pub const ECC384_IDEVID_CSR_ORG: u32 = + AUTH_MAN_IMAGE_METADATA_LIST_ORG + AUTH_MAN_IMAGE_METADATA_MAX_SIZE; +pub const MLDSA87_IDEVID_CSR_ORG: u32 = ECC384_IDEVID_CSR_ORG + ECC384_IDEVID_CSR_SIZE; +pub const DATA_ORG: u32 = MLDSA87_IDEVID_CSR_ORG + MLDSA87_IDEVID_CSR_SIZE; pub const STACK_ORG: u32 = DATA_ORG + DATA_SIZE; pub const ROM_STACK_ORG: u32 = STACK_ORG + (STACK_SIZE - ROM_STACK_SIZE); @@ -56,6 +58,8 @@ pub const ROM_ESTACK_ORG: u32 = ESTACK_ORG; pub const NSTACK_ORG: u32 = ROM_ESTACK_ORG + ROM_ESTACK_SIZE; pub const ROM_NSTACK_ORG: u32 = NSTACK_ORG; +pub const LAST_REGION_END: u32 = NSTACK_ORG + NSTACK_SIZE; + // // Memory Sizes In Bytes // @@ -78,9 +82,10 @@ pub const FUSE_LOG_SIZE: u32 = 1024; pub const DPE_SIZE: u32 = 5 * 1024; pub const PCR_RESET_COUNTER_SIZE: u32 = 1024; pub const AUTH_MAN_IMAGE_METADATA_MAX_SIZE: u32 = 7 * 1024; -pub const IDEVID_CSR_SIZE: u32 = 1024; +pub const ECC384_IDEVID_CSR_SIZE: u32 = 1024; +pub const MLDSA87_IDEVID_CSR_SIZE: u32 = 8 * 1024; pub const DATA_SIZE: u32 = 20 * 1024; -pub const STACK_SIZE: u32 = 64 * 1024; +pub const STACK_SIZE: u32 = 56 * 1024; pub const ROM_STACK_SIZE: u32 = 14 * 1024; pub const ESTACK_SIZE: u32 = 1024; pub const ROM_ESTACK_SIZE: u32 = 1024; 
@@ -173,7 +178,16 @@ fn mem_layout_test_pcr_reset_counter() { #[test] #[allow(clippy::assertions_on_constants)] fn mem_layout_test_idevid_csr() { - assert_eq!((DATA_ORG - IDEVID_CSR_ORG), IDEVID_CSR_SIZE); + assert_eq!( + (MLDSA87_IDEVID_CSR_ORG - ECC384_IDEVID_CSR_ORG), + ECC384_IDEVID_CSR_SIZE + ); +} + +#[test] +#[allow(clippy::assertions_on_constants)] +fn mem_layout_test_mldsa87_idevid_csr() { + assert_eq!((DATA_ORG - MLDSA87_IDEVID_CSR_ORG), MLDSA87_IDEVID_CSR_SIZE); } #[test] @@ -193,3 +207,9 @@ fn mem_layout_test_stack() { fn mem_layout_test_estack() { assert_eq!((NSTACK_ORG - ESTACK_ORG), ESTACK_SIZE); } + +#[test] +#[allow(clippy::assertions_on_constants)] +fn dccm_overflow() { + assert!(DCCM_ORG + DCCM_SIZE >= LAST_REGION_END); +} diff --git a/drivers/src/persistent.rs b/drivers/src/persistent.rs index 5824b56154..61faf9e1ba 100644 --- a/drivers/src/persistent.rs +++ b/drivers/src/persistent.rs @@ -24,7 +24,8 @@ use crate::{ #[cfg(feature = "runtime")] use crate::pcr_reset::PcrResetCounter; -pub const MAX_CSR_SIZE: usize = 512; +pub const ECC384_MAX_CSR_SIZE: usize = 512; +pub const MLDSA87_MAX_CSR_SIZE: usize = 7680; pub const PCR_LOG_MAX_COUNT: usize = 17; pub const FUSE_LOG_MAX_COUNT: usize = 62; pub const MEASUREMENT_MAX_COUNT: usize = 8; 
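Review bot: The new `dccm_overflow` check in memory_layout.rs is a `#[test]`, so it only runs when the host test suite is executed; a firmware build whose regions no longer fit in DCCM still compiles. Every operand is a `const`, so the same condition can be enforced at build time next to `LAST_REGION_END`, in the style persistent.rs already uses for the CSR struct size: `const _: () = assert!(DCCM_ORG + DCCM_SIZE >= LAST_REGION_END);`. This commit moves 8 KiB out of the stack into a new persistent region, and a later size change that breaks the balance should fail the build rather than wait for a test run.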
@@ -47,62 +48,86 @@ pub type AuthManifestImageMetadataList = #[derive(Clone, FromBytes, AsBytes, Zeroize)] #[repr(C)] -pub struct IdevIdCsr { +pub struct Ecc384IdevIdCsr { csr_len: u32, - csr: [u8; MAX_CSR_SIZE], + csr: [u8; ECC384_MAX_CSR_SIZE], } -impl Default for IdevIdCsr { +#[derive(Clone, FromBytes, AsBytes, Zeroize)] +#[repr(C)] +pub struct Mldsa87IdevIdCsr { + csr_len: u32, + csr: [u8; MLDSA87_MAX_CSR_SIZE], +} + +impl Default for Ecc384IdevIdCsr { fn default() -> Self { Self { csr_len: Self::UNPROVISIONED_CSR, - csr: [0; MAX_CSR_SIZE], + csr: [0; ECC384_MAX_CSR_SIZE], } } } -impl IdevIdCsr { - /// The `csr_len` field is set to this constant when a ROM image supports CSR generation but - /// the CSR generation flag was not enabled. - /// - /// This is used by the runtime to distinguish ROM images that support CSR generation from - /// ones that do not. - /// - /// u32::MAX is too large to be a valid CSR, so we use it to encode this state. - pub const UNPROVISIONED_CSR: u32 = u32::MAX; - - /// Get the CSR buffer - pub fn get(&self) -> Option<&[u8]> { - self.csr.get(..self.csr_len as usize) - } - - /// Create `Self` from a csr slice. `csr_len` MUST be the actual length of the csr. - pub fn new(csr_buf: &[u8], csr_len: usize) -> CaliptraResult { - if csr_len >= MAX_CSR_SIZE { - return Err(CaliptraError::ROM_IDEVID_INVALID_CSR); +impl Default for Mldsa87IdevIdCsr { + fn default() -> Self { + Self { + csr_len: Self::UNPROVISIONED_CSR, + csr: [0; MLDSA87_MAX_CSR_SIZE], } - - let mut _self = Self { - csr_len: csr_len as u32, - csr: [0; MAX_CSR_SIZE], - }; - _self.csr[..csr_len].copy_from_slice(&csr_buf[..csr_len]); - - Ok(_self) - } - - /// Get the length of the CSR in bytes. - pub fn get_csr_len(&self) -> u32 { - self.csr_len } +} - /// Check if the CSR was unprovisioned - pub fn is_unprovisioned(&self) -> bool { - self.csr_len == Self::UNPROVISIONED_CSR - } +macro_rules! 
impl_idevid_csr { + ($type:ty, $size:expr) => { + impl $type { + /// The `csr_len` field is set to this constant when a ROM image supports CSR generation but + /// the CSR generation flag was not enabled. + /// + /// This is used by the runtime to distinguish ROM images that support CSR generation from + /// ones that do not. + /// + /// u32::MAX is too large to be a valid CSR, so we use it to encode this state. + pub const UNPROVISIONED_CSR: u32 = u32::MAX; + + /// Get the CSR buffer + pub fn get(&self) -> Option<&[u8]> { + self.csr.get(..self.csr_len as usize) + } + + /// Create `Self` from a csr slice. `csr_len` MUST be the actual length of the csr. + pub fn new(csr_buf: &[u8], csr_len: usize) -> CaliptraResult { + if csr_len >= $size { + return Err(CaliptraError::ROM_IDEVID_INVALID_CSR); + } + + let mut _self = Self { + csr_len: csr_len as u32, + csr: [0; $size], + }; + _self.csr[..csr_len].copy_from_slice(&csr_buf[..csr_len]); + + Ok(_self) + } + + /// Get the length of the CSR in bytes. + pub fn get_csr_len(&self) -> u32 { + self.csr_len + } + + /// Check if the CSR was unprovisioned + pub fn is_unprovisioned(&self) -> bool { + self.csr_len == Self::UNPROVISIONED_CSR + } + } + }; } -const _: () = assert!(size_of::() < memory_layout::IDEVID_CSR_SIZE as usize); +impl_idevid_csr!(Ecc384IdevIdCsr, ECC384_MAX_CSR_SIZE); +impl_idevid_csr!(Mldsa87IdevIdCsr, MLDSA87_MAX_CSR_SIZE); + +const _: () = + assert!(size_of::() < memory_layout::ECC384_IDEVID_CSR_SIZE as usize); #[derive(FromBytes, AsBytes, Zeroize)] #[repr(C)] 
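Review bot: In the `new` generated by `impl_idevid_csr!`, `csr_len` is checked against `$size` but never against `csr_buf.len()`, so `&csr_buf[..csr_len]` panics if a caller passes a length longer than the slice; the "MUST be the actual length" sentence in the doc comment is the only guard. A checked slice keeps the failure on the existing error path: `let src = csr_buf.get(..csr_len).ok_or(CaliptraError::ROM_IDEVID_INVALID_CSR)?;` followed by `_self.csr[..csr_len].copy_from_slice(src);`. Separately, the const size assertion after the two macro invocations references only `memory_layout::ECC384_IDEVID_CSR_SIZE`; a matching assertion for `Mldsa87IdevIdCsr` against `memory_layout::MLDSA87_IDEVID_CSR_SIZE` would state the MLDSA bound just as explicitly, although the `reserved11` array length in `PersistentData` presumably already fails to compile on underflow.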
@@ -166,8 +191,13 @@ pub struct PersistentData { pub auth_manifest_image_metadata_col: [u8; memory_layout::AUTH_MAN_IMAGE_METADATA_MAX_SIZE as usize], - pub idevid_csr: IdevIdCsr, - reserved10: [u8; memory_layout::IDEVID_CSR_SIZE as usize - size_of::()], + pub ecc384_idevid_csr: Ecc384IdevIdCsr, + reserved10: [u8; memory_layout::ECC384_IDEVID_CSR_SIZE as usize - size_of::()], + + // New field addition + pub mldsa87_idevid_csr: Mldsa87IdevIdCsr, + reserved11: + [u8; memory_layout::MLDSA87_IDEVID_CSR_SIZE as usize - size_of::()], } impl PersistentData { @@ -201,12 +231,16 @@ impl PersistentData { memory_layout::AUTH_MAN_IMAGE_METADATA_LIST_ORG ); assert_eq!( - addr_of!((*P).idevid_csr) as u32, - memory_layout::IDEVID_CSR_ORG + addr_of!((*P).ecc384_idevid_csr) as u32, + memory_layout::ECC384_IDEVID_CSR_ORG + ); + assert_eq!( + addr_of!((*P).mldsa87_idevid_csr) as u32, + memory_layout::MLDSA87_IDEVID_CSR_ORG ); assert_eq!( P.add(1) as u32, - memory_layout::IDEVID_CSR_ORG + memory_layout::IDEVID_CSR_SIZE + memory_layout::MLDSA87_IDEVID_CSR_ORG + memory_layout::MLDSA87_IDEVID_CSR_SIZE ); } } diff --git a/fmc/src/flow/rt_alias.rs b/fmc/src/flow/rt_alias.rs index 816316b2b7..8e1ce3368e 100644 --- a/fmc/src/flow/rt_alias.rs +++ b/fmc/src/flow/rt_alias.rs @@ -30,7 +30,7 @@ use caliptra_drivers::{ okref, report_boot_status, CaliptraError, CaliptraResult, Ecc384Result, KeyId, PersistentData, ResetReason, }; -use caliptra_x509::{NotAfter, NotBefore, RtAliasCertTbs, RtAliasCertTbsParams}; +use caliptra_x509::{NotAfter, NotBefore, RtAliasCertTbsEcc384, RtAliasCertTbsEcc384Params}; const SHA384_HASH_SIZE: usize = 48; 
@@ -271,8 +271,8 @@ impl RtAliasLayer { env: &mut FmcEnv, input: &DiceInput, output: &DiceOutput, - not_before: &[u8; RtAliasCertTbsParams::NOT_BEFORE_LEN], - not_after: &[u8; RtAliasCertTbsParams::NOT_AFTER_LEN], + not_before: &[u8; RtAliasCertTbsEcc384Params::NOT_BEFORE_LEN], + not_after: &[u8; RtAliasCertTbsEcc384Params::NOT_AFTER_LEN], ) -> CaliptraResult<()> { let auth_priv_key = input.auth_key_pair.priv_key; let auth_pub_key = &input.auth_key_pair.pub_key; @@ -284,7 +284,7 @@ impl RtAliasLayer { let rt_svn = HandOff::rt_svn(env) as u8; // Certificate `To Be Signed` Parameters - let params = RtAliasCertTbsParams { + let params = RtAliasCertTbsEcc384Params { // Do we need the UEID here? ueid: &X509::ueid(env)?, subject_sn: &output.subj_sn, @@ -301,7 +301,7 @@ impl RtAliasLayer { }; // Generate the `To Be Signed` portion of the CSR - let tbs = RtAliasCertTbs::new(¶ms); + let tbs = RtAliasCertTbsEcc384::new(¶ms); // Sign the `To Be Signed` portion cprintln!( diff --git a/rom/dev/src/crypto.rs b/rom/dev/src/crypto.rs index 2a48ad0428..dbcd202361 100644 --- a/rom/dev/src/crypto.rs +++ b/rom/dev/src/crypto.rs 
@@ -321,4 +321,40 @@ impl Crypto { pub_key, }) } + + /// Sign the data using MLDSA Private Key. + /// Verify the signature using the MLDSA Public Key. + /// + /// This routine calculates the digest of the `data`, signs the hash and returns the signature. + /// This routine also verifies the signature using the public key. + /// + /// # Arguments + /// + /// * `env` - ROM Environment + /// * `priv_key` - Key slot to retrieve the private key + /// * `data` - Input data to hash + /// + /// # Returns + /// + /// * `Mldsa384Signature` - Signature + #[inline(always)] + pub fn mldsa87_sign_and_verify( + env: &mut RomEnv, + priv_key: KeyId, + pub_key: &Mldsa87PubKey, + data: &[u8], + ) -> CaliptraResult { + let mut digest = Self::sha512_digest(env, data); + let digest = okmutref(&mut digest)?; + let priv_key_args = KeyReadArgs::new(priv_key); + let result = env.mldsa.sign( + &priv_key_args, + pub_key, + digest, + &Mldsa87SignRnd::default(), + &mut env.trng, + ); + digest.0.zeroize(); + result + } } diff --git a/rom/dev/src/flow/cold_reset/fmc_alias.rs b/rom/dev/src/flow/cold_reset/fmc_alias.rs index aa130dc04d..78ba4afc28 100644 --- a/rom/dev/src/flow/cold_reset/fmc_alias.rs +++ b/rom/dev/src/flow/cold_reset/fmc_alias.rs @@ -33,7 +33,7 @@ use caliptra_common::RomBootStatus::*; use caliptra_drivers::{ okmutref, report_boot_status, Array4x12, CaliptraResult, HmacMode, KeyId, Lifecycle, }; -use caliptra_x509::{FmcAliasCertTbs, FmcAliasCertTbsParams}; +use caliptra_x509::{FmcAliasCertTbsEcc384, FmcAliasCertTbsEcc384Params}; use zeroize::Zeroize; #[derive(Default)] @@ -219,7 +219,7 @@ impl FmcAliasLayer { hasher.finalize(&mut fuse_info_digest)?; // Certificate `To Be Signed` Parameters - let params = FmcAliasCertTbsParams { + let params = FmcAliasCertTbsEcc384Params { ueid: &X509::ueid(env)?, subject_sn: &output.ecc_subj_sn, subject_key_id: &output.ecc_subj_key_id, 
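Review bot: The doc comment on `mldsa87_sign_and_verify` does not match the function: the `# Arguments` list omits `pub_key`, and `# Returns` names `Mldsa384Signature`, which looks carried over from the ECC routine and should name the ML-DSA-87 signature type the function actually returns. The comment also says the signature is verified with the public key, but the visible body only calls `env.mldsa.sign(...)`. If the verification happens inside the driver's `sign`, the comment should say so; if it does not, either drop the claim or add the verify step. A line such as `/// * pub_key - Public key that corresponds to priv_key` would complete the argument list.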
@@ -237,7 +237,7 @@ impl FmcAliasLayer { }; // Generate the `To Be Signed` portion of the CSR - let tbs = FmcAliasCertTbs::new(¶ms); + let tbs = FmcAliasCertTbsEcc384::new(¶ms); // Sign the `To Be Signed` portion cprintln!( diff --git a/rom/dev/src/flow/cold_reset/fw_processor.rs b/rom/dev/src/flow/cold_reset/fw_processor.rs index dc290b86a4..ca034970c4 100644 --- a/rom/dev/src/flow/cold_reset/fw_processor.rs +++ b/rom/dev/src/flow/cold_reset/fw_processor.rs @@ -315,7 +315,7 @@ impl FirmwareProcessor { let mut request = MailboxReqHeader::default(); Self::copy_req_verify_chksum(&mut txn, request.as_bytes_mut())?; - let csr_persistent_mem = &persistent_data.idevid_csr; + let csr_persistent_mem = &persistent_data.ecc384_idevid_csr; let mut resp = GetIdevCsrResp::default(); if csr_persistent_mem.is_unprovisioned() { diff --git a/rom/dev/src/flow/cold_reset/idev_id.rs b/rom/dev/src/flow/cold_reset/idev_id.rs index aa7f5afb18..b7b311b8c9 100644 --- a/rom/dev/src/flow/cold_reset/idev_id.rs +++ b/rom/dev/src/flow/cold_reset/idev_id.rs @@ -27,8 +27,8 @@ use caliptra_common::keyids::{ KEY_ID_UDS, }; use caliptra_common::RomBootStatus::*; -use caliptra_drivers::MAX_CSR_SIZE; use caliptra_drivers::*; +use caliptra_drivers::{ECC384_MAX_CSR_SIZE, MLDSA87_MAX_CSR_SIZE}; use caliptra_x509::*; use zeroize::Zeroize; @@ -108,7 +108,7 @@ impl InitDevIdLayer { }; // Generate the Initial DevID Certificate Signing Request (CSR) - Self::generate_csr(env, &output)?; + Self::generate_csrs(env, &output)?; // Indicate (if not already done) to SOC that it can start uploading the firmware image to the mailbox. if !env.soc_ifc.flow_status_ready_for_firmware() { @@ -228,7 +228,7 @@ impl InitDevIdLayer { Ok((ecc_keypair, mldsa_keypair)) } - /// Generate Local Device ID CSR + /// Generate Local Device ID CSRs /// /// # Arguments /// 
@@ -236,14 +236,14 @@ impl InitDevIdLayer { /// * `output` - DICE Output // Inlined to reduce ROM size #[inline(always)] - fn generate_csr(env: &mut RomEnv, output: &DiceOutput) -> CaliptraResult<()> { + fn generate_csrs(env: &mut RomEnv, output: &DiceOutput) -> CaliptraResult<()> { // // Generate the CSR if requested via Manufacturing Service Register // // A flag is asserted via JTAG interface to enable the generation of CSR if !env.soc_ifc.mfg_flag_gen_idev_id_csr() { - let dev_id_csr = IdevIdCsr::default(); - Self::write_csr_to_peristent_storage(env, &dev_id_csr)?; + let dev_id_csr = Ecc384IdevIdCsr::default(); + Self::write_ecc384_csr_to_peristent_storage(env, &dev_id_csr)?; return Ok(()); } @@ -263,7 +263,7 @@ impl InitDevIdLayer { let key_pair = &output.ecc_subj_key_pair; // CSR `To Be Signed` Parameters - let params = InitDevIdCsrTbsParams { + let params = InitDevIdCsrTbsEcc384Params { // Unique Endpoint Identifier ueid: &X509::ueid(env)?, @@ -275,10 +275,10 @@ impl InitDevIdLayer { }; // Generate the `To Be Signed` portion of the CSR - let tbs = InitDevIdCsrTbs::new(¶ms); + let tbs = InitDevIdCsrTbsEcc384::new(¶ms); cprintln!( - "[idev] Sign CSR w/ SUBJECT.KEYID = {}", + "[idev] ECC Sign CSR w/ SUBJECT.KEYID = {}", key_pair.priv_key as u8 ); 
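Review bot: When `mfg_flag_gen_idev_id_csr()` is not set, the early-return branch of `generate_csrs` writes a default (unprovisioned) `Ecc384IdevIdCsr` but leaves `mldsa87_idevid_csr` in persistent data untouched, so its `csr_len` is whatever the region already held rather than `UNPROVISIONED_CSR`. A later consumer calling `is_unprovisioned()` or `get_csr_len()` on the MLDSA slot would then see a different state from the ECC slot for the same boot. Writing the default to both keeps them consistent: `Self::write_mldsa87_csr_to_peristent_storage(env, &Mldsa87IdevIdCsr::default())?;` before the `return Ok(());`. The body of `generate_csrs` continues in later hunks.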
@@ -289,16 +289,16 @@ impl InitDevIdLayer { let _pub_x: [u8; 48] = key_pair.pub_key.x.into(); let _pub_y: [u8; 48] = key_pair.pub_key.y.into(); - cprintln!("[idev] PUB.X = {}", HexBytes(&_pub_x)); - cprintln!("[idev] PUB.Y = {}", HexBytes(&_pub_y)); + cprintln!("[idev] ECC PUB.X = {}", HexBytes(&_pub_x)); + cprintln!("[idev] ECC PUB.Y = {}", HexBytes(&_pub_y)); let _sig_r: [u8; 48] = (&sig.r).into(); let _sig_s: [u8; 48] = (&sig.s).into(); - cprintln!("[idev] SIG.R = {}", HexBytes(&_sig_r)); - cprintln!("[idev] SIG.S = {}", HexBytes(&_sig_s)); + cprintln!("[idev] ECC SIG.R = {}", HexBytes(&_sig_r)); + cprintln!("[idev] ECC SIG.S = {}", HexBytes(&_sig_s)); // Build the CSR with `To Be Signed` & `Signature` - let mut csr_buf = [0; MAX_CSR_SIZE]; + let mut ecc384_csr_buf = [0; ECC384_MAX_CSR_SIZE]; let ecdsa384_sig = sig.to_ecdsa(); let result = Ecdsa384CsrBuilder::new(tbs.tbs(), &ecdsa384_sig) .ok_or(CaliptraError::ROM_IDEVID_CSR_BUILDER_INIT_FAILURE); 
@@ -306,32 +306,99 @@ impl InitDevIdLayer { let csr_bldr = result?; let csr_len = csr_bldr - .build(&mut csr_buf) + .build(&mut ecc384_csr_buf) .ok_or(CaliptraError::ROM_IDEVID_CSR_BUILDER_BUILD_FAILURE)?; - if csr_len > csr_buf.len() { + if csr_len > ecc384_csr_buf.len() { return Err(CaliptraError::ROM_IDEVID_CSR_OVERFLOW); } - // [TODO] Generate MLDSA CSR. + cprintln!("[idev] CSR = {}", HexBytes(&ecc384_csr_buf[..csr_len])); - cprintln!("[idev] CSR = {}", HexBytes(&csr_buf[..csr_len])); - report_boot_status(IDevIdMakeCsrComplete.into()); - - let dev_id_csr = IdevIdCsr::new(&csr_buf, csr_len)?; + let dev_id_csr = Ecc384IdevIdCsr::new(&ecc384_csr_buf, csr_len)?; // Execute Send CSR Flow - let mut result = Self::send_csr(env, &dev_id_csr); + let mut result = Self::send_ecc384_csr(env, &dev_id_csr); if result.is_ok() { - result = Self::write_csr_to_peristent_storage(env, &dev_id_csr); + result = Self::write_ecc384_csr_to_peristent_storage(env, &dev_id_csr); + } + ecc384_csr_buf.zeroize(); + + result?; + + // Generate MLDSA CSR. 
+ let key_pair = &output.mldsa_subj_key_pair; + + let params = InitDevIdCsrTbsMlDsa87Params { + // Unique Endpoint Identifier + ueid: &X509::ueid(env)?, + + // Subject Name + subject_sn: &output.mldsa_subj_sn, + + // Public Key + public_key: &key_pair.pub_key.into(), + }; + + // Generate the `To Be Signed` portion of the CSR + let tbs = InitDevIdCsrTbsMlDsa87::new(¶ms); + + cprintln!( + "[idev] MLDSA Sign CSR w/ SUBJECT.KEYID = {}", + key_pair.key_pair_seed as u8 + ); + + // Sign the `To Be Signed` portion + let sig = Crypto::mldsa87_sign_and_verify( + env, + key_pair.key_pair_seed, + &key_pair.pub_key, + tbs.tbs(), + )?; + let sig: [u8; 4628] = sig.into(); + let mut sig: [u8; 4627] = sig[..4627].try_into().unwrap(); + + // Build the CSR with `To Be Signed` & `Signature` + let mut mldsa87_csr_buf = [0; MLDSA87_MAX_CSR_SIZE]; + let mldsa87_signature = caliptra_x509::Mldsa87Signature { sig }; + let result = MlDsa87CsrBuilder::new(tbs.tbs(), &mldsa87_signature) + .ok_or(CaliptraError::ROM_IDEVID_CSR_BUILDER_INIT_FAILURE); + sig.zeroize(); + + let csr_bldr = result?; + let csr_len = csr_bldr + .build(&mut mldsa87_csr_buf) + .ok_or(CaliptraError::ROM_IDEVID_CSR_BUILDER_BUILD_FAILURE)?; + + if csr_len > mldsa87_csr_buf.len() { + return Err(CaliptraError::ROM_IDEVID_CSR_OVERFLOW); } - csr_buf.zeroize(); + + let dev_id_csr = Mldsa87IdevIdCsr::new(&mldsa87_csr_buf, csr_len)?; + + let result = Self::write_mldsa87_csr_to_peristent_storage(env, &dev_id_csr); + mldsa87_csr_buf.zeroize(); + + report_boot_status(IDevIdMakeCsrComplete.into()); result } - fn write_csr_to_peristent_storage(env: &mut RomEnv, csr: &IdevIdCsr) -> CaliptraResult<()> { - let csr_persistent_mem = &mut env.persistent_data.get_mut().idevid_csr; + fn write_ecc384_csr_to_peristent_storage( + env: &mut RomEnv, + csr: &Ecc384IdevIdCsr, + ) -> CaliptraResult<()> { + let csr_persistent_mem = &mut env.persistent_data.get_mut().ecc384_idevid_csr; + *csr_persistent_mem = csr.clone(); + + Ok(()) + } + + fn 
write_mldsa87_csr_to_peristent_storage( + env: &mut RomEnv, + csr: &Mldsa87IdevIdCsr, + ) -> CaliptraResult<()> { + let csr_persistent_mem = &mut env.persistent_data.get_mut().mldsa87_idevid_csr; *csr_persistent_mem = csr.clone(); Ok(()) @@ -342,8 +409,8 @@ impl InitDevIdLayer { /// # Argument /// /// * `env` - ROM Environment - /// * `csr` - Certificate Signing Request to send to SOC - fn send_csr(env: &mut RomEnv, csr: &IdevIdCsr) -> CaliptraResult<()> { + /// * `csr` - ificate Signing Request to send to SOC + fn send_ecc384_csr(env: &mut RomEnv, csr: &Ecc384IdevIdCsr) -> CaliptraResult<()> { loop { // Create Mailbox send transaction to send the CSR if let Some(mut txn) = env.mbox.try_start_send_txn() { @@ -367,15 +434,17 @@ impl InitDevIdLayer { } } } + + // TODO MLDSA87 version of sending to mailbox? } #[cfg(test)] mod tests { use super::*; - use caliptra_drivers::memory_layout::IDEVID_CSR_SIZE; + use caliptra_drivers::memory_layout::ECC384_IDEVID_CSR_SIZE; #[test] fn verify_csr_fits_in_dccm() { - assert!(MAX_CSR_SIZE <= IDEVID_CSR_SIZE as usize); + assert!(ECC384_MAX_CSR_SIZE <= ECC384_IDEVID_CSR_SIZE as usize); } } diff --git a/rom/dev/src/flow/cold_reset/ldev_id.rs b/rom/dev/src/flow/cold_reset/ldev_id.rs index 898ce72c80..2b3225ba23 100644 --- a/rom/dev/src/flow/cold_reset/ldev_id.rs +++ b/rom/dev/src/flow/cold_reset/ldev_id.rs @@ -190,7 +190,7 @@ impl LocalDevIdLayer { let ecc_serial_number = okref(&ecc_serial_number)?; // CSR `To Be Signed` Parameters - let ecc_tbs_params = LocalDevIdCertTbsParams { + let ecc_tbs_params = LocalDevIdCertTbsEcc384Params { ueid: &X509::ueid(env)?, subject_sn: &output.ecc_subj_sn, subject_key_id: &output.ecc_subj_key_id, @@ -203,7 +203,7 @@ impl LocalDevIdLayer { }; // Generate the ECC `To Be Signed` portion of the CSR - let ecc_tbs = LocalDevIdCertTbs::new(&ecc_tbs_params); + let ecc_tbs = LocalDevIdCertTbsEcc384::new(&ecc_tbs_params); // Sign the `To Be Signed` portion cprintln!( 
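Review bot: The MLDSA signature is narrowed with bare literals and an `unwrap()`: `let sig: [u8; 4628] = sig.into();` followed by `sig[..4627].try_into().unwrap()`. Nothing explains why the last byte is dropped (presumably the driver pads the 4627-byte ML-DSA-87 signature to a word boundary), and the first 4628-byte copy is shadowed without the `zeroize()` applied to the second copy. A named constant with a one-line comment, plus mapping the conversion failure to a `CaliptraError` instead of `unwrap()`, would make this reviewable, e.g. `const MLDSA87_SIG_LEN: usize = 4627; // FIPS 204 size; driver output carries one pad byte (confirm)`. This block also puts `mldsa87_csr_buf` (7680 bytes), two signature arrays and a by-value `Mldsa87IdevIdCsr` on the stack of an `#[inline(always)]` function while `ROM_STACK_SIZE` stays at 14 KiB, so the peak ROM stack depth should be measured.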
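Review bot: The rewritten doc line for `send_ecc384_csr` lost the start of a word and now reads `* csr - ificate Signing Request to send to SOC`. It should read `Certificate Signing Request to send to SOC`; since the function now accepts only `Ecc384IdevIdCsr`, "ECC384 Certificate Signing Request" would also match the new name. The function body continues outside this hunk.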
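Review bot: `verify_csr_fits_in_dccm` was updated only for the ECC384 pair, so nothing in this test module ties `MLDSA87_MAX_CSR_SIZE` to the new 8 KiB region. Adding `assert!(MLDSA87_MAX_CSR_SIZE <= MLDSA87_IDEVID_CSR_SIZE as usize);`, with `MLDSA87_IDEVID_CSR_SIZE` added to the `memory_layout` import, covers it. The `// TODO MLDSA87 version of sending to mailbox?` left in the same hunk means the MLDSA CSR is stored in persistent data but not sent to the SoC in this flow; the comment would be more useful if it stated that explicitly and pointed at the planned follow-up.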
diff --git a/rom/dev/tools/test-fmc/src/main.rs b/rom/dev/tools/test-fmc/src/main.rs index da6a6ca3cf..176f3aca77 100644 --- a/rom/dev/tools/test-fmc/src/main.rs +++ b/rom/dev/tools/test-fmc/src/main.rs @@ -25,7 +25,9 @@ use caliptra_drivers::{ use caliptra_registers::dv::DvReg; use caliptra_registers::pv::PvReg; use caliptra_registers::soc_ifc::SocIfcReg; -use caliptra_x509::{Ecdsa384CertBuilder, Ecdsa384Signature, FmcAliasCertTbs, LocalDevIdCertTbs}; +use caliptra_x509::{ + Ecdsa384CertBuilder, Ecdsa384Signature, FmcAliasCertTbsEcc384, LocalDevIdCertTbsEcc384, +}; use ureg::RealMmioMut; use zerocopy::AsBytes; @@ -116,13 +118,13 @@ fn create_certs(mbox: &caliptra_registers::mbox::RegisterBlock) { r: sig.r.into(), s: sig.s.into(), }; - let mut tbs: [u8; core::mem::size_of::()] = - [0u8; core::mem::size_of::()]; + let mut tbs: [u8; core::mem::size_of::()] = + [0u8; core::mem::size_of::()]; copy_tbs(&mut tbs, true); let mut cert: [u8; 1024] = [0u8; 1024]; let builder = Ecdsa384CertBuilder::new( - &tbs[..core::mem::size_of::()], + &tbs[..core::mem::size_of::()], &ecdsa_sig, ) .unwrap(); @@ -144,14 +146,16 @@ fn create_certs(mbox: &caliptra_registers::mbox::RegisterBlock) { s: sig.s.into(), }; - let mut tbs: [u8; core::mem::size_of::()] = - [0u8; core::mem::size_of::()]; + let mut tbs: [u8; core::mem::size_of::()] = + [0u8; core::mem::size_of::()]; copy_tbs(&mut tbs, false); let mut cert: [u8; 1024] = [0u8; 1024]; - let builder = - Ecdsa384CertBuilder::new(&tbs[..core::mem::size_of::()], &ecdsa_sig) - .unwrap(); + let builder = Ecdsa384CertBuilder::new( + &tbs[..core::mem::size_of::()], + &ecdsa_sig, + ) + .unwrap(); let _cert_len = builder.build(&mut cert).unwrap(); cprint_slice_ref!("[fmc] FMCALIAS cert", &cert[.._cert_len]); diff --git a/runtime/src/get_idev_csr.rs b/runtime/src/get_idev_csr.rs index 5ec4b2ef60..0400fe0208 100644 --- a/runtime/src/get_idev_csr.rs +++ b/runtime/src/get_idev_csr.rs 
@@ -11,7 +11,7 @@ use caliptra_common::{ }; use caliptra_error::{CaliptraError, CaliptraResult}; -use caliptra_drivers::IdevIdCsr; +use caliptra_drivers::Ecc384IdevIdCsr; use zerocopy::{AsBytes, FromBytes}; @@ -21,10 +21,10 @@ impl GetIdevCsrCmd { #[inline(never)] pub(crate) fn execute(drivers: &mut Drivers, cmd_args: &[u8]) -> CaliptraResult { if let Some(cmd) = GetIdevCsrReq::read_from(cmd_args) { - let csr_persistent_mem = &drivers.persistent_data.get().idevid_csr; + let csr_persistent_mem = &drivers.persistent_data.get().ecc384_idevid_csr; match csr_persistent_mem.get_csr_len() { - IdevIdCsr::UNPROVISIONED_CSR => { + Ecc384IdevIdCsr::UNPROVISIONED_CSR => { Err(CaliptraError::RUNTIME_GET_IDEV_ID_UNPROVISIONED) } 0 => Err(CaliptraError::RUNTIME_GET_IDEV_ID_UNSUPPORTED_ROM), diff --git a/runtime/tests/runtime_integration_tests/test_get_idev_csr.rs b/runtime/tests/runtime_integration_tests/test_get_idev_csr.rs index 13078f7e60..63e142af6e 100644 --- a/runtime/tests/runtime_integration_tests/test_get_idev_csr.rs +++ b/runtime/tests/runtime_integration_tests/test_get_idev_csr.rs @@ -2,7 +2,7 @@ use caliptra_api::SocManager; use caliptra_common::mailbox_api::{CommandId, GetIdevCsrResp, MailboxReqHeader}; -use caliptra_drivers::{IdevIdCsr, MfgFlags}; +use caliptra_drivers::{Ecc384IdevIdCsr, MfgFlags}; use caliptra_error::CaliptraError; use caliptra_hw_model::{HwModel, ModelError}; use caliptra_runtime::RtBootStatus; @@ -32,7 +32,10 @@ fn test_get_csr() { let get_idv_csr_resp = GetIdevCsrResp::read_from(response.as_bytes()).unwrap(); - assert_ne!(IdevIdCsr::UNPROVISIONED_CSR, get_idv_csr_resp.data_size); + assert_ne!( + Ecc384IdevIdCsr::UNPROVISIONED_CSR, + get_idv_csr_resp.data_size + ); assert_ne!(0, get_idv_csr_resp.data_size); let csr_bytes = &get_idv_csr_resp.data[..get_idv_csr_resp.data_size as usize]; diff --git a/x509/build/build.rs b/x509/build/build.rs index aa728c6eaa..9f51630e2a 100644 --- a/x509/build/build.rs +++ b/x509/build/build.rs 
@@ -38,16 +38,16 @@ fn main() { let out_dir_os_str = env::var_os("OUT_DIR").unwrap(); let out_dir = out_dir_os_str.to_str().unwrap(); - gen_init_devid_csr(out_dir); - gen_local_devid_cert(out_dir); - gen_fmc_alias_cert(out_dir); - gen_rt_alias_cert(out_dir); + gen_init_devid_csr_ecc384(out_dir); + gen_local_devid_cert_ecc384(out_dir); + gen_fmc_alias_cert_ecc384(out_dir); + gen_rt_alias_cert_ecc384(out_dir); } } /// Generated Initial DeviceId Cert Signing request Template #[cfg(feature = "generate_templates")] -fn gen_init_devid_csr(out_dir: &str) { +fn gen_init_devid_csr_ecc384(out_dir: &str) { let mut usage = KeyUsage::default(); usage.set_key_cert_sign(true); let bldr = csr::CsrTemplateBuilder::::new() @@ -55,12 +55,12 @@ fn gen_init_devid_csr(out_dir: &str) { .add_key_usage_ext(usage) .add_ueid_ext(&[0xFF; 17]); let template = bldr.tbs_template("Caliptra 1.0 IDevID"); - CodeGen::gen_code("InitDevIdCsrTbs", template, out_dir); + CodeGen::gen_code("InitDevIdCsrTbsEcc384", template, out_dir); } /// Generate Local DeviceId Certificate Template #[cfg(feature = "generate_templates")] -fn gen_local_devid_cert(out_dir: &str) { +fn gen_local_devid_cert_ecc384(out_dir: &str) { let mut usage = KeyUsage::default(); usage.set_key_cert_sign(true); let bldr = cert::CertTemplateBuilder::::new() @@ -68,12 +68,12 @@ fn gen_local_devid_cert(out_dir: &str) { .add_key_usage_ext(usage) .add_ueid_ext(&[0xFF; 17]); let template = bldr.tbs_template("Caliptra 1.0 LDevID", "Caliptra 1.0 IDevID"); - CodeGen::gen_code("LocalDevIdCertTbs", template, out_dir); + CodeGen::gen_code("LocalDevIdCertTbsEcc384", template, out_dir); } /// Generate FMC Alias Certificate Template #[cfg(feature = "generate_templates")] -fn gen_fmc_alias_cert(out_dir: &str) { +fn gen_fmc_alias_cert_ecc384(out_dir: &str) { let mut usage = KeyUsage::default(); usage.set_key_cert_sign(true); let bldr = cert::CertTemplateBuilder::::new() 
@@ -99,12 +99,12 @@ fn gen_fmc_alias_cert(out_dir: &str) { }], ); let template = bldr.tbs_template("Caliptra 1.0 FMC Alias", "Caliptra 1.0 LDevID"); - CodeGen::gen_code("FmcAliasCertTbs", template, out_dir); + CodeGen::gen_code("FmcAliasCertTbsEcc384", template, out_dir); } /// Generate FMC Alias Certificate Template #[cfg(feature = "generate_templates")] -fn gen_rt_alias_cert(out_dir: &str) { +fn gen_rt_alias_cert_ecc384(out_dir: &str) { let mut usage = KeyUsage::default(); // Add KeyCertSign to allow signing of other certs usage.set_key_cert_sign(true); @@ -123,5 +123,5 @@ fn gen_rt_alias_cert(out_dir: &str) { }, }]); let template = bldr.tbs_template("Caliptra 1.0 Rt Alias", "Caliptra 1.0 FMC Alias"); - CodeGen::gen_code("RtAliasCertTbs", template, out_dir); + CodeGen::gen_code("RtAliasCertTbsEcc384", template, out_dir); } diff --git a/x509/build/fmc_alias_cert_tbs.rs b/x509/build/fmc_alias_cert_tbs_ecc_384.rs similarity index 97% rename from x509/build/fmc_alias_cert_tbs.rs rename to x509/build/fmc_alias_cert_tbs_ecc_384.rs index f8c623efe6..51efcddeb9 100644 --- a/x509/build/fmc_alias_cert_tbs.rs +++ b/x509/build/fmc_alias_cert_tbs_ecc_384.rs @@ -7,7 +7,7 @@ Abstract: Regenerate the template by building caliptra-x509-build with the generate-templates flag. --"] -pub struct FmcAliasCertTbsParams<'a> { +pub struct FmcAliasCertTbsEcc384Params<'a> { pub public_key: &'a [u8; 97usize], pub subject_sn: &'a [u8; 64usize], pub issuer_sn: &'a [u8; 64usize], @@ -23,7 +23,7 @@ pub struct FmcAliasCertTbsParams<'a> { pub tcb_info_fmc_svn: &'a [u8; 1usize], pub tcb_info_fmc_svn_fuses: &'a [u8; 1usize], } -impl<'a> FmcAliasCertTbsParams<'a> { +impl<'a> FmcAliasCertTbsEcc384Params<'a> { pub const PUBLIC_KEY_LEN: usize = 97usize; pub const SUBJECT_SN_LEN: usize = 64usize; pub const ISSUER_SN_LEN: usize = 64usize; 
@@ -39,10 +39,10 @@ impl<'a> FmcAliasCertTbsParams<'a> { pub const TCB_INFO_FMC_SVN_LEN: usize = 1usize; pub const TCB_INFO_FMC_SVN_FUSES_LEN: usize = 1usize; } -pub struct FmcAliasCertTbs { +pub struct FmcAliasCertTbsEcc384 { tbs: [u8; Self::TBS_TEMPLATE_LEN], } -impl FmcAliasCertTbs { +impl FmcAliasCertTbsEcc384 { const PUBLIC_KEY_OFFSET: usize = 319usize; const SUBJECT_SN_OFFSET: usize = 232usize; const ISSUER_SN_OFFSET: usize = 86usize; @@ -124,7 +124,7 @@ impl FmcAliasCertTbs { 4u8, 24u8, 48u8, 22u8, 128u8, 20u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, ]; - pub fn new(params: &FmcAliasCertTbsParams) -> Self { + pub fn new(params: &FmcAliasCertTbsEcc384Params) -> Self { let mut template = Self { tbs: Self::TBS_TEMPLATE, }; @@ -140,7 +140,7 @@ impl FmcAliasCertTbs { pub fn tbs(&self) -> &[u8] { &self.tbs } - fn apply(&mut self, params: &FmcAliasCertTbsParams) { + fn apply(&mut self, params: &FmcAliasCertTbsEcc384Params) { #[inline(always)] fn apply_slice( buf: &mut [u8; 753usize], diff --git a/x509/build/fmc_alias_cert_tbs_mldsa_87.rs b/x509/build/fmc_alias_cert_tbs_mldsa_87.rs new file mode 100644 index 0000000000..40287bca7a --- /dev/null +++ b/x509/build/fmc_alias_cert_tbs_mldsa_87.rs 
@@ -0,0 +1,210 @@ +#[doc = "++ + +Licensed under the Apache-2.0 license. + +Abstract: + +--"] + +// TODO generate when x509 libraries support MLDSA + +pub struct FmcAliasCertTbsMlDsa87Params<'a> { + pub public_key: &'a [u8; 2592usize], + pub subject_sn: &'a [u8; 64usize], + pub issuer_sn: &'a [u8; 64usize], + pub tcb_info_device_info_hash: &'a [u8; 48usize], + pub tcb_info_fmc_tci: &'a [u8; 48usize], + pub serial_number: &'a [u8; 20usize], + pub subject_key_id: &'a [u8; 20usize], + pub authority_key_id: &'a [u8; 20usize], + pub ueid: &'a [u8; 17usize], + pub not_before: &'a [u8; 15usize], + pub not_after: &'a [u8; 15usize], + pub tcb_info_flags: &'a [u8; 4usize], + pub tcb_info_fmc_svn: &'a [u8; 1usize], + pub tcb_info_fmc_svn_fuses: &'a [u8; 1usize], +} + +#[allow(dead_code)] +impl<'a> FmcAliasCertTbsMlDsa87Params<'a> { + pub const PUBLIC_KEY_LEN: usize = 2592usize; + pub const SUBJECT_SN_LEN: usize = 64usize; + pub const ISSUER_SN_LEN: usize = 64usize; + pub const TCB_INFO_DEVICE_INFO_HASH_LEN: usize = 48usize; + pub const TCB_INFO_FMC_TCI_LEN: usize = 48usize; + pub const SERIAL_NUMBER_LEN: usize = 20usize; + pub const SUBJECT_KEY_ID_LEN: usize = 20usize; + pub const AUTHORITY_KEY_ID_LEN: usize = 20usize; + pub const UEID_LEN: usize = 17usize; + pub const NOT_BEFORE_LEN: usize = 15usize; + pub const NOT_AFTER_LEN: usize = 15usize; + pub const TCB_INFO_FLAGS_LEN: usize = 4usize; + pub const TCB_INFO_FMC_SVN_LEN: usize = 1usize; + pub const TCB_INFO_FMC_SVN_FUSES_LEN: usize = 1usize; +} +#[allow(dead_code)] +pub struct FmcAliasCertTbsMlDsa87 { + tbs: [u8; Self::TBS_TEMPLATE_LEN], +} + +#[allow(dead_code)] +impl FmcAliasCertTbsMlDsa87 { + const PUBLIC_KEY_OFFSET: usize = 318usize; + const SUBJECT_SN_OFFSET: usize = 232usize; + const ISSUER_SN_OFFSET: usize = 86usize; + const TCB_INFO_DEVICE_INFO_HASH_OFFSET: usize = 3027usize; + const TCB_INFO_FMC_TCI_OFFSET: usize = 3125usize; + const SERIAL_NUMBER_OFFSET: usize = 11usize; + const SUBJECT_KEY_ID_OFFSET: usize = 
3194usize; + const AUTHORITY_KEY_ID_OFFSET: usize = 3227usize; + const UEID_OFFSET: usize = 2972usize; + const NOT_BEFORE_OFFSET: usize = 154usize; + const NOT_AFTER_OFFSET: usize = 171usize; + const TCB_INFO_FLAGS_OFFSET: usize = 3078usize; + const TCB_INFO_FMC_SVN_OFFSET: usize = 3107usize; + const TCB_INFO_FMC_SVN_FUSES_OFFSET: usize = 3009usize; + const PUBLIC_KEY_LEN: usize = 2592usize; + const SUBJECT_SN_LEN: usize = 64usize; + const ISSUER_SN_LEN: usize = 64usize; + const TCB_INFO_DEVICE_INFO_HASH_LEN: usize = 48usize; + const TCB_INFO_FMC_TCI_LEN: usize = 48usize; + const SERIAL_NUMBER_LEN: usize = 20usize; + const SUBJECT_KEY_ID_LEN: usize = 20usize; + const AUTHORITY_KEY_ID_LEN: usize = 20usize; + const UEID_LEN: usize = 17usize; + const NOT_BEFORE_LEN: usize = 15usize; + const NOT_AFTER_LEN: usize = 15usize; + const TCB_INFO_FLAGS_LEN: usize = 4usize; + const TCB_INFO_FMC_SVN_LEN: usize = 1usize; + const TCB_INFO_FMC_SVN_FUSES_LEN: usize = 1usize; + pub const TBS_TEMPLATE_LEN: usize = 3247usize; + const TBS_TEMPLATE_PART_1: [u8; Self::PUBLIC_KEY_OFFSET] = [ + 48u8, 130u8, 2u8, 237u8, 160u8, 3u8, 2u8, 1u8, 2u8, 2u8, 20u8, 95u8, 95u8, 95u8, 95u8, + 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, + 95u8, 0x06, 0x08, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x03, 48u8, 105u8, + 49u8, 28u8, 48u8, 26u8, 6u8, 3u8, 85u8, 4u8, 3u8, 12u8, 19u8, 67u8, 97u8, 108u8, 105u8, + 112u8, 116u8, 114u8, 97u8, 32u8, 49u8, 46u8, 48u8, 32u8, 76u8, 68u8, 101u8, 118u8, 73u8, + 68u8, 49u8, 73u8, 48u8, 71u8, 6u8, 3u8, 85u8, 4u8, 5u8, 19u8, 64u8, 95u8, 95u8, 95u8, 95u8, + 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, + 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, + 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, + 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, + 48u8, 
34u8, 24u8, 15u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, + 95u8, 95u8, 95u8, 95u8, 24u8, 15u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, + 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 48u8, 108u8, 49u8, 31u8, 48u8, 29u8, 6u8, 3u8, 85u8, + 4u8, 3u8, 12u8, 22u8, 67u8, 97u8, 108u8, 105u8, 112u8, 116u8, 114u8, 97u8, 32u8, 49u8, + 46u8, 48u8, 32u8, 70u8, 77u8, 67u8, 32u8, 65u8, 108u8, 105u8, 97u8, 115u8, 49u8, 73u8, + 48u8, 71u8, 6u8, 3u8, 85u8, 4u8, 5u8, 19u8, 64u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, + 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, + 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, + 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, + 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 48u8, 118u8, 48u8, + 16u8, 6u8, 7u8, 42u8, 134u8, 72u8, 206u8, 61u8, 2u8, 1u8, 6u8, 5u8, 43u8, 129u8, 4u8, 0u8, + 34u8, 4u8, 130u8, 10u8, 32u8]; + + + const TBS_TEMPLATE_PART_2: [u8; 337] = [163u8, 130u8, 1u8, 77u8, + 48u8, 130u8, 1u8, 73u8, 48u8, 18u8, 6u8, 3u8, 85u8, 29u8, 19u8, 1u8, 1u8, 255u8, 4u8, 8u8, + 48u8, 6u8, 1u8, 1u8, 255u8, 2u8, 1u8, 3u8, 48u8, 14u8, 6u8, 3u8, 85u8, 29u8, 15u8, 1u8, + 1u8, 255u8, 4u8, 4u8, 3u8, 2u8, 2u8, 4u8, 48u8, 31u8, 6u8, 6u8, 103u8, 129u8, 5u8, 5u8, + 4u8, 4u8, 4u8, 21u8, 48u8, 19u8, 4u8, 17u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, + 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 48u8, 129u8, 193u8, 6u8, 6u8, 103u8, + 129u8, 5u8, 5u8, 4u8, 5u8, 4u8, 129u8, 182u8, 48u8, 129u8, 179u8, 48u8, 96u8, 131u8, 2u8, + 1u8, 95u8, 166u8, 63u8, 48u8, 61u8, 6u8, 9u8, 96u8, 134u8, 72u8, 1u8, 101u8, 3u8, 4u8, 2u8, + 2u8, 4u8, 48u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, + 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, + 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 
95u8, 95u8, 95u8, 95u8, 95u8, + 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 135u8, 5u8, 0u8, 95u8, 95u8, 95u8, 95u8, 137u8, 11u8, + 68u8, 69u8, 86u8, 73u8, 67u8, 69u8, 95u8, 73u8, 78u8, 70u8, 79u8, 138u8, 5u8, 0u8, 208u8, + 0u8, 0u8, 1u8, 48u8, 79u8, 131u8, 2u8, 1u8, 95u8, 166u8, 63u8, 48u8, 61u8, 6u8, 9u8, 96u8, + 134u8, 72u8, 1u8, 101u8, 3u8, 4u8, 2u8, 2u8, 4u8, 48u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, + 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, + 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, + 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 137u8, 8u8, 70u8, + 77u8, 67u8, 95u8, 73u8, 78u8, 70u8, 79u8, 48u8, 29u8, 6u8, 3u8, 85u8, 29u8, 14u8, 4u8, + 22u8, 4u8, 20u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, + 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 48u8, 31u8, 6u8, 3u8, 85u8, 29u8, 35u8, + 4u8, 24u8, 48u8, 22u8, 128u8, 20u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, + 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, + ]; + pub fn new(params: &FmcAliasCertTbsMlDsa87Params) -> Self { + let mut template = Self { + tbs: [0; Self::TBS_TEMPLATE_LEN], + }; + template.tbs[..Self::PUBLIC_KEY_OFFSET].copy_from_slice(&Self::TBS_TEMPLATE_PART_1); + template.tbs[Self::PUBLIC_KEY_OFFSET + Self::PUBLIC_KEY_LEN..].copy_from_slice(&Self::TBS_TEMPLATE_PART_2); + template.apply(params); + template + } + pub fn sign( + &self, + sign_fn: impl Fn(&[u8]) -> Result, + ) -> Result { + sign_fn(&self.tbs) + } + pub fn tbs(&self) -> &[u8] { + &self.tbs + } + fn apply(&mut self, params: &FmcAliasCertTbsMlDsa87Params) { + #[inline(always)] + fn apply_slice( + buf: &mut [u8; FmcAliasCertTbsMlDsa87::TBS_TEMPLATE_LEN], + val: &[u8; LEN], + ) { + buf[OFFSET..OFFSET + LEN].copy_from_slice(val); + } + apply_slice::<{ Self::PUBLIC_KEY_OFFSET }, { Self::PUBLIC_KEY_LEN }>( + &mut self.tbs, + params.public_key, + ); + 
apply_slice::<{ Self::SUBJECT_SN_OFFSET }, { Self::SUBJECT_SN_LEN }>( + &mut self.tbs, + params.subject_sn, + ); + apply_slice::<{ Self::ISSUER_SN_OFFSET }, { Self::ISSUER_SN_LEN }>( + &mut self.tbs, + params.issuer_sn, + ); + apply_slice::< + { Self::TCB_INFO_DEVICE_INFO_HASH_OFFSET }, + { Self::TCB_INFO_DEVICE_INFO_HASH_LEN }, + >(&mut self.tbs, params.tcb_info_device_info_hash); + apply_slice::<{ Self::TCB_INFO_FMC_TCI_OFFSET }, { Self::TCB_INFO_FMC_TCI_LEN }>( + &mut self.tbs, + params.tcb_info_fmc_tci, + ); + apply_slice::<{ Self::SERIAL_NUMBER_OFFSET }, { Self::SERIAL_NUMBER_LEN }>( + &mut self.tbs, + params.serial_number, + ); + apply_slice::<{ Self::SUBJECT_KEY_ID_OFFSET }, { Self::SUBJECT_KEY_ID_LEN }>( + &mut self.tbs, + params.subject_key_id, + ); + apply_slice::<{ Self::AUTHORITY_KEY_ID_OFFSET }, { Self::AUTHORITY_KEY_ID_LEN }>( + &mut self.tbs, + params.authority_key_id, + ); + apply_slice::<{ Self::UEID_OFFSET }, { Self::UEID_LEN }>(&mut self.tbs, params.ueid); + apply_slice::<{ Self::NOT_BEFORE_OFFSET }, { Self::NOT_BEFORE_LEN }>( + &mut self.tbs, + params.not_before, + ); + apply_slice::<{ Self::NOT_AFTER_OFFSET }, { Self::NOT_AFTER_LEN }>( + &mut self.tbs, + params.not_after, + ); + apply_slice::<{ Self::TCB_INFO_FLAGS_OFFSET }, { Self::TCB_INFO_FLAGS_LEN }>( + &mut self.tbs, + params.tcb_info_flags, + ); + apply_slice::<{ Self::TCB_INFO_FMC_SVN_OFFSET }, { Self::TCB_INFO_FMC_SVN_LEN }>( + &mut self.tbs, + params.tcb_info_fmc_svn, + ); + apply_slice::<{ Self::TCB_INFO_FMC_SVN_FUSES_OFFSET }, { Self::TCB_INFO_FMC_SVN_FUSES_LEN }>( + &mut self.tbs, + params.tcb_info_fmc_svn_fuses, + ); + } +} diff --git a/x509/build/init_dev_id_csr_tbs.rs b/x509/build/init_dev_id_csr_tbs_ecc_384.rs similarity index 93% rename from x509/build/init_dev_id_csr_tbs.rs rename to x509/build/init_dev_id_csr_tbs_ecc_384.rs index c989be7267..04b0542f8e 100644 --- a/x509/build/init_dev_id_csr_tbs.rs +++ b/x509/build/init_dev_id_csr_tbs_ecc_384.rs 
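Review bot: `TBS_TEMPLATE_PART_1` still ends with the ECC SubjectPublicKeyInfo header (`48, 118, 48, 16, 6, 7, 42, 134, 72, 206, 61, 2, 1, 6, 5, 43, 129, 4, 0, 34` is id-ecPublicKey with secp384r1), and the outer length `48, 130, 2, 237` is still the 749 bytes of the 753-byte ECC template. The 3247-byte buffer built by `new` is therefore not well-formed DER, and it labels the 2592-byte ML-DSA key as a P-384 key. The key is also introduced by `4, 130, 10, 32`, an OCTET STRING header, where SubjectPublicKeyInfo expects a BIT STRING. The same stale SPKI header and outer length appear in the init_dev_id_csr, local_dev_id_cert and rt_alias_cert ML-DSA templates added by this commit. Until the generator supports ML-DSA, I would say so above each struct, e.g. `// Placeholder: lengths and SPKI algorithm are still the ECC-384 values; output is not parseable DER`, and keep anything that exports these bytes behind that TODO.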
@@ -7,20 +7,20 @@ Abstract: Regenerate the template by building caliptra-x509-build with the generate-templates flag. --"] -pub struct InitDevIdCsrTbsParams<'a> { +pub struct InitDevIdCsrTbsEcc384Params<'a> { pub ueid: &'a [u8; 17usize], pub public_key: &'a [u8; 97usize], pub subject_sn: &'a [u8; 64usize], } -impl<'a> InitDevIdCsrTbsParams<'a> { +impl<'a> InitDevIdCsrTbsEcc384Params<'a> { pub const UEID_LEN: usize = 17usize; pub const PUBLIC_KEY_LEN: usize = 97usize; pub const SUBJECT_SN_LEN: usize = 64usize; } -pub struct InitDevIdCsrTbs { +pub struct InitDevIdCsrTbsEcc384 { tbs: [u8; Self::TBS_TEMPLATE_LEN], } -impl InitDevIdCsrTbs { +impl InitDevIdCsrTbsEcc384 { const UEID_OFFSET: usize = 305usize; const PUBLIC_KEY_OFFSET: usize = 137usize; const SUBJECT_SN_OFFSET: usize = 50usize; @@ -52,7 +52,7 @@ impl InitDevIdCsrTbs { 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, ]; - pub fn new(params: &InitDevIdCsrTbsParams) -> Self { + pub fn new(params: &InitDevIdCsrTbsEcc384Params) -> Self { let mut template = Self { tbs: Self::TBS_TEMPLATE, }; @@ -68,7 +68,7 @@ impl InitDevIdCsrTbs { pub fn tbs(&self) -> &[u8] { &self.tbs } - fn apply(&mut self, params: &InitDevIdCsrTbsParams) { + fn apply(&mut self, params: &InitDevIdCsrTbsEcc384Params) { #[inline(always)] fn apply_slice( buf: &mut [u8; 322usize], diff --git a/x509/build/init_dev_id_csr_tbs_mldsa_87.rs b/x509/build/init_dev_id_csr_tbs_mldsa_87.rs new file mode 100644 index 0000000000..3e0c2b0708 --- /dev/null +++ b/x509/build/init_dev_id_csr_tbs_mldsa_87.rs 
@@ -0,0 +1,94 @@ +#[doc = "++ + +Licensed under the Apache-2.0 license. + +Abstract: + +--"] +// TODO generate when x509 libraries support MLDSA +#[allow(dead_code)] +pub struct InitDevIdCsrTbsMlDsa87Params<'a> { + pub ueid: &'a [u8; 17usize], + pub public_key: &'a [u8; 2592usize], + pub subject_sn: &'a [u8; 64usize], +} + +#[allow(dead_code)] +impl<'a> InitDevIdCsrTbsMlDsa87Params<'a> { + pub const UEID_LEN: usize = 17usize; + pub const PUBLIC_KEY_LEN: usize = 2592usize; + pub const SUBJECT_SN_LEN: usize = 64usize; +} + +#[allow(dead_code)] +pub struct InitDevIdCsrTbsMlDsa87 { + tbs: [u8; Self::TBS_TEMPLATE_LEN], +} +#[allow(dead_code)] +impl InitDevIdCsrTbsMlDsa87 { + const UEID_OFFSET: usize = 2801usize; + const PUBLIC_KEY_OFFSET: usize = 138usize; + const SUBJECT_SN_OFFSET: usize = 50usize; + const UEID_LEN: usize = 17usize; + const PUBLIC_KEY_LEN: usize = 2592usize; + const SUBJECT_SN_LEN: usize = 64usize; + pub const TBS_TEMPLATE_LEN: usize = 2818usize; + const TBS_TEMPLATE_PART_1: [u8; 138] = [ + 48u8, 130u8, 1u8, 62u8, 2u8, 1u8, 0u8, 48u8, 105u8, 49u8, 28u8, 48u8, 26u8, 6u8, 3u8, 85u8, + 4u8, 3u8, 12u8, 19u8, 67u8, 97u8, 108u8, 105u8, 112u8, 116u8, 114u8, 97u8, 32u8, 49u8, + 46u8, 48u8, 32u8, 73u8, 68u8, 101u8, 118u8, 73u8, 68u8, 49u8, 73u8, 48u8, 71u8, 6u8, 3u8, + 85u8, 4u8, 5u8, 19u8, 64u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, + 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, + 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, + 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, + 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 48u8, 118u8, 48u8, 16u8, 6u8, 7u8, + 42u8, 134u8, 72u8, 206u8, 61u8, 2u8, 1u8, 6u8, 5u8, 43u8, 129u8, 4u8, 0u8, 34u8, 4u8, + 130u8, 10u8, 32u8, + ]; + + const TBS_TEMPLATE_PART_2: [u8; 88] = [ + 160u8, 86u8, 48u8, 84u8, 6u8, 9u8, 42u8, 134u8, 72u8, 134u8, 247u8, 13u8, 1u8, 9u8, 14u8, 
+ 49u8, 71u8, 48u8, 69u8, 48u8, 18u8, 6u8, 3u8, 85u8, 29u8, 19u8, 1u8, 1u8, 255u8, 4u8, 8u8, + 48u8, 6u8, 1u8, 1u8, 255u8, 2u8, 1u8, 5u8, 48u8, 14u8, 6u8, 3u8, 85u8, 29u8, 15u8, 1u8, + 1u8, 255u8, 4u8, 4u8, 3u8, 2u8, 2u8, 4u8, 48u8, 31u8, 6u8, 6u8, 103u8, 129u8, 5u8, 5u8, + 4u8, 4u8, 4u8, 21u8, 48u8, 19u8, 4u8, 17u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, + 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, + ]; + pub fn new(params: &InitDevIdCsrTbsMlDsa87Params) -> Self { + let mut template = Self { + tbs: [0; Self::TBS_TEMPLATE_LEN], + }; + template.tbs[..Self::PUBLIC_KEY_OFFSET].copy_from_slice(&Self::TBS_TEMPLATE_PART_1); + template.tbs[Self::PUBLIC_KEY_OFFSET + Self::PUBLIC_KEY_LEN..] + .copy_from_slice(&Self::TBS_TEMPLATE_PART_2); + template.apply(params); + template + } + pub fn sign( + &self, + sign_fn: impl Fn(&[u8]) -> Result, + ) -> Result { + sign_fn(&self.tbs) + } + pub fn tbs(&self) -> &[u8] { + &self.tbs + } + fn apply(&mut self, params: &InitDevIdCsrTbsMlDsa87Params) { + #[inline(always)] + fn apply_slice( + buf: &mut [u8; 2818usize], + val: &[u8; LEN], + ) { + buf[OFFSET..OFFSET + LEN].copy_from_slice(val); + } + apply_slice::<{ Self::UEID_OFFSET }, { Self::UEID_LEN }>(&mut self.tbs, params.ueid); + apply_slice::<{ Self::PUBLIC_KEY_OFFSET }, { Self::PUBLIC_KEY_LEN }>( + &mut self.tbs, + params.public_key, + ); + apply_slice::<{ Self::SUBJECT_SN_OFFSET }, { Self::SUBJECT_SN_LEN }>( + &mut self.tbs, + params.subject_sn, + ); + } +} diff --git a/x509/build/local_dev_id_cert_tbs.rs b/x509/build/local_dev_id_cert_tbs_ecc_384.rs similarity index 96% rename from x509/build/local_dev_id_cert_tbs.rs rename to x509/build/local_dev_id_cert_tbs_ecc_384.rs index adb180a84c..cb4622260c 100644 --- a/x509/build/local_dev_id_cert_tbs.rs +++ b/x509/build/local_dev_id_cert_tbs_ecc_384.rs 
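Review bot: The two template halves are sized with literals (`[u8; 138]`, `[u8; 88]`) and `apply_slice` takes `&mut [u8; 2818usize]`, so a disagreement with `PUBLIC_KEY_OFFSET`, `PUBLIC_KEY_LEN` or `TBS_TEMPLATE_LEN` only shows up when `copy_from_slice` in `new` panics at run time. Typing the arrays from the constants turns that into a compile error: `const TBS_TEMPLATE_PART_1: [u8; Self::PUBLIC_KEY_OFFSET]` and `const TBS_TEMPLATE_PART_2: [u8; Self::TBS_TEMPLATE_LEN - Self::PUBLIC_KEY_OFFSET - Self::PUBLIC_KEY_LEN]`, with `buf: &mut [u8; InitDevIdCsrTbsMlDsa87::TBS_TEMPLATE_LEN]` in `apply_slice`. This matters more here than for the generated ECC files because these values are maintained by hand, and the commit's file list suggests the CSR is built in the ROM cold-reset flow, where a panic is costly.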
@@ -7,7 +7,7 @@ Abstract: Regenerate the template by building caliptra-x509-build with the generate-templates flag. --"] -pub struct LocalDevIdCertTbsParams<'a> { +pub struct LocalDevIdCertTbsEcc384Params<'a> { pub public_key: &'a [u8; 97usize], pub subject_sn: &'a [u8; 64usize], pub issuer_sn: &'a [u8; 64usize], @@ -18,7 +18,7 @@ pub struct LocalDevIdCertTbsParams<'a> { pub not_before: &'a [u8; 15usize], pub not_after: &'a [u8; 15usize], } -impl<'a> LocalDevIdCertTbsParams<'a> { +impl<'a> LocalDevIdCertTbsEcc384Params<'a> { pub const PUBLIC_KEY_LEN: usize = 97usize; pub const SUBJECT_SN_LEN: usize = 64usize; pub const ISSUER_SN_LEN: usize = 64usize; @@ -29,10 +29,10 @@ impl<'a> LocalDevIdCertTbsParams<'a> { pub const NOT_BEFORE_LEN: usize = 15usize; pub const NOT_AFTER_LEN: usize = 15usize; } -pub struct LocalDevIdCertTbs { +pub struct LocalDevIdCertTbsEcc384 { tbs: [u8; Self::TBS_TEMPLATE_LEN], } -impl LocalDevIdCertTbs { +impl LocalDevIdCertTbsEcc384 { const PUBLIC_KEY_OFFSET: usize = 316usize; const SUBJECT_SN_OFFSET: usize = 229usize; const ISSUER_SN_OFFSET: usize = 86usize; @@ -91,7 +91,7 @@ impl LocalDevIdCertTbs { 128u8, 20u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, ]; - pub fn new(params: &LocalDevIdCertTbsParams) -> Self { + pub fn new(params: &LocalDevIdCertTbsEcc384Params) -> Self { let mut template = Self { tbs: Self::TBS_TEMPLATE, }; @@ -107,7 +107,7 @@ impl LocalDevIdCertTbs { pub fn tbs(&self) -> &[u8] { &self.tbs } - fn apply(&mut self, params: &LocalDevIdCertTbsParams) { + fn apply(&mut self, params: &LocalDevIdCertTbsEcc384Params) { #[inline(always)] fn apply_slice( buf: &mut [u8; 552usize], diff --git a/x509/build/local_dev_id_cert_tbs_mldsa_87.rs b/x509/build/local_dev_id_cert_tbs_mldsa_87.rs new file mode 100644 index 0000000000..a18a5fbc73 --- /dev/null +++ b/x509/build/local_dev_id_cert_tbs_mldsa_87.rs 
@@ -0,0 +1,156 @@ +#[doc = "++ + +Licensed under the Apache-2.0 license. + +Abstract: + + Regenerate the template by building caliptra-x509-build with the generate-templates flag. + +--"] + +// TODO generate when x509 libraries support MLDSA + +#[allow(dead_code)] +pub struct LocalDevIdCertTbsMlDsa87Params<'a> { + pub public_key: &'a [u8; 97usize], + pub subject_sn: &'a [u8; 64usize], + pub issuer_sn: &'a [u8; 64usize], + pub serial_number: &'a [u8; 20usize], + pub subject_key_id: &'a [u8; 20usize], + pub authority_key_id: &'a [u8; 20usize], + pub ueid: &'a [u8; 17usize], + pub not_before: &'a [u8; 15usize], + pub not_after: &'a [u8; 15usize], +} +#[allow(dead_code)] +impl<'a> LocalDevIdCertTbsMlDsa87Params<'a> { + pub const PUBLIC_KEY_LEN: usize = 97usize; + pub const SUBJECT_SN_LEN: usize = 64usize; + pub const ISSUER_SN_LEN: usize = 64usize; + pub const SERIAL_NUMBER_LEN: usize = 20usize; + pub const SUBJECT_KEY_ID_LEN: usize = 20usize; + pub const AUTHORITY_KEY_ID_LEN: usize = 20usize; + pub const UEID_LEN: usize = 17usize; + pub const NOT_BEFORE_LEN: usize = 15usize; + pub const NOT_AFTER_LEN: usize = 15usize; +} +pub struct LocalDevIdCertTbsMlDsa87 { + tbs: [u8; Self::TBS_TEMPLATE_LEN], +} +#[allow(dead_code)] +impl LocalDevIdCertTbsMlDsa87 { + const PUBLIC_KEY_OFFSET: usize = 317usize; + const SUBJECT_SN_OFFSET: usize = 229usize; + const ISSUER_SN_OFFSET: usize = 86usize; + const SERIAL_NUMBER_OFFSET: usize = 11usize; + const SUBJECT_KEY_ID_OFFSET: usize = 2995usize; + const AUTHORITY_KEY_ID_OFFSET: usize = 3028usize; + const UEID_OFFSET: usize = 2967usize; + const NOT_BEFORE_OFFSET: usize = 154usize; + const NOT_AFTER_OFFSET: usize = 171usize; + const PUBLIC_KEY_LEN: usize = 97usize; + const SUBJECT_SN_LEN: usize = 64usize; + const ISSUER_SN_LEN: usize = 64usize; + const SERIAL_NUMBER_LEN: usize = 20usize; + const SUBJECT_KEY_ID_LEN: usize = 20usize; + const AUTHORITY_KEY_ID_LEN: usize = 20usize; + const UEID_LEN: usize = 17usize; + const NOT_BEFORE_LEN: 
usize = 15usize; + const NOT_AFTER_LEN: usize = 15usize; + pub const TBS_TEMPLATE_LEN: usize = 3048usize; + const TBS_TEMPLATE_PART_1: [u8; 317] = [ + 48u8, 130u8, 2u8, 36u8, 160u8, 3u8, 2u8, 1u8, 2u8, 2u8, 20u8, 95u8, 95u8, 95u8, 95u8, 95u8, + 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, + 48u8, 10u8, 6u8, 8u8, 42u8, 134u8, 72u8, 206u8, 61u8, 4u8, 3u8, 3u8, 48u8, 105u8, 49u8, + 28u8, 48u8, 26u8, 6u8, 3u8, 85u8, 4u8, 3u8, 12u8, 19u8, 67u8, 97u8, 108u8, 105u8, 112u8, + 116u8, 114u8, 97u8, 32u8, 49u8, 46u8, 48u8, 32u8, 73u8, 68u8, 101u8, 118u8, 73u8, 68u8, + 49u8, 73u8, 48u8, 71u8, 6u8, 3u8, 85u8, 4u8, 5u8, 19u8, 64u8, 95u8, 95u8, 95u8, 95u8, 95u8, + 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, + 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, + 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, + 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 48u8, + 34u8, 24u8, 15u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, + 95u8, 95u8, 95u8, 24u8, 15u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, + 95u8, 95u8, 95u8, 95u8, 95u8, 48u8, 105u8, 49u8, 28u8, 48u8, 26u8, 6u8, 3u8, 85u8, 4u8, + 3u8, 12u8, 19u8, 67u8, 97u8, 108u8, 105u8, 112u8, 116u8, 114u8, 97u8, 32u8, 49u8, 46u8, + 48u8, 32u8, 76u8, 68u8, 101u8, 118u8, 73u8, 68u8, 49u8, 73u8, 48u8, 71u8, 6u8, 3u8, 85u8, + 4u8, 5u8, 19u8, 64u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, + 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, + 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, + 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, + 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 48u8, 118u8, 48u8, 16u8, 6u8, 7u8, 42u8, + 134u8, 72u8, 
206u8, 61u8, 2u8, 1u8, 6u8, 5u8, 43u8, 129u8, 4u8, 0u8, 34u8, 4u8, 130u8, 10u8, 32u8]; + + const TBS_TEMPLATE_PART_2: [u8; 139] = [ + 163u8, 129u8, 136u8, 48u8, 129u8, 133u8, 48u8, + 18u8, 6u8, 3u8, 85u8, 29u8, 19u8, 1u8, 1u8, 255u8, 4u8, 8u8, 48u8, 6u8, 1u8, 1u8, 255u8, + 2u8, 1u8, 4u8, 48u8, 14u8, 6u8, 3u8, 85u8, 29u8, 15u8, 1u8, 1u8, 255u8, 4u8, 4u8, 3u8, 2u8, + 2u8, 4u8, 48u8, 31u8, 6u8, 6u8, 103u8, 129u8, 5u8, 5u8, 4u8, 4u8, 4u8, 21u8, 48u8, 19u8, + 4u8, 17u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, + 95u8, 95u8, 95u8, 95u8, 48u8, 29u8, 6u8, 3u8, 85u8, 29u8, 14u8, 4u8, 22u8, 4u8, 20u8, 95u8, + 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, + 95u8, 95u8, 95u8, 95u8, 48u8, 31u8, 6u8, 3u8, 85u8, 29u8, 35u8, 4u8, 24u8, 48u8, 22u8, + 128u8, 20u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, + 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, + ]; + pub fn new(params: &LocalDevIdCertTbsMlDsa87Params) -> Self { + let mut template = Self { + tbs: [0; Self::TBS_TEMPLATE_LEN], + }; + template.tbs[..Self::PUBLIC_KEY_OFFSET].copy_from_slice(&Self::TBS_TEMPLATE_PART_1); + template.tbs[Self::PUBLIC_KEY_OFFSET + Self::PUBLIC_KEY_LEN..].copy_from_slice(&Self::TBS_TEMPLATE_PART_2); + template.apply(params); + template + } + pub fn sign( + &self, + sign_fn: impl Fn(&[u8]) -> Result, + ) -> Result { + sign_fn(&self.tbs) + } + pub fn tbs(&self) -> &[u8] { + &self.tbs + } + fn apply(&mut self, params: &LocalDevIdCertTbsMlDsa87Params) { + #[inline(always)] + fn apply_slice( + buf: &mut [u8; 3048usize], + val: &[u8; LEN], + ) { + buf[OFFSET..OFFSET + LEN].copy_from_slice(val); + } + apply_slice::<{ Self::PUBLIC_KEY_OFFSET }, { Self::PUBLIC_KEY_LEN }>( + &mut self.tbs, + params.public_key, + ); + apply_slice::<{ Self::SUBJECT_SN_OFFSET }, { Self::SUBJECT_SN_LEN }>( + &mut self.tbs, + params.subject_sn, + ); + apply_slice::<{ Self::ISSUER_SN_OFFSET }, { Self::ISSUER_SN_LEN }>( + 
&mut self.tbs, + params.issuer_sn, + ); + apply_slice::<{ Self::SERIAL_NUMBER_OFFSET }, { Self::SERIAL_NUMBER_LEN }>( + &mut self.tbs, + params.serial_number, + ); + apply_slice::<{ Self::SUBJECT_KEY_ID_OFFSET }, { Self::SUBJECT_KEY_ID_LEN }>( + &mut self.tbs, + params.subject_key_id, + ); + apply_slice::<{ Self::AUTHORITY_KEY_ID_OFFSET }, { Self::AUTHORITY_KEY_ID_LEN }>( + &mut self.tbs, + params.authority_key_id, + ); + apply_slice::<{ Self::UEID_OFFSET }, { Self::UEID_LEN }>(&mut self.tbs, params.ueid); + apply_slice::<{ Self::NOT_BEFORE_OFFSET }, { Self::NOT_BEFORE_LEN }>( + &mut self.tbs, + params.not_before, + ); + apply_slice::<{ Self::NOT_AFTER_OFFSET }, { Self::NOT_AFTER_LEN }>( + &mut self.tbs, + params.not_after, + ); + } +} diff --git a/x509/build/rt_alias_cert_tbs.rs b/x509/build/rt_alias_cert_tbs_ecc_384.rs similarity index 96% rename from x509/build/rt_alias_cert_tbs.rs rename to x509/build/rt_alias_cert_tbs_ecc_384.rs index fb13855784..dc282e73f8 100644 --- a/x509/build/rt_alias_cert_tbs.rs +++ b/x509/build/rt_alias_cert_tbs_ecc_384.rs @@ -7,7 +7,7 @@ Abstract: Regenerate the template by building caliptra-x509-build with the generate-templates flag. --"] -pub struct RtAliasCertTbsParams<'a> { +pub struct RtAliasCertTbsEcc384Params<'a> { pub public_key: &'a [u8; 97usize], pub subject_sn: &'a [u8; 64usize], pub issuer_sn: &'a [u8; 64usize], @@ -20,7 +20,7 @@ pub struct RtAliasCertTbsParams<'a> { pub not_after: &'a [u8; 15usize], pub tcb_info_rt_svn: &'a [u8; 1usize], } -impl<'a> RtAliasCertTbsParams<'a> { +impl<'a> RtAliasCertTbsEcc384Params<'a> { pub const PUBLIC_KEY_LEN: usize = 97usize; pub const SUBJECT_SN_LEN: usize = 64usize; pub const ISSUER_SN_LEN: usize = 64usize; 
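Review bot: `PUBLIC_KEY_LEN` and the `public_key` parameter are still 97 bytes in this file, while `TBS_TEMPLATE_LEN` (3048), `UEID_OFFSET` (2967) and the key-id offsets assume a 2592-byte key: 317 + 2592 + 139 = 3048. With 97, `new` copies the 139-byte `TBS_TEMPLATE_PART_2` into `tbs[414..]`, which is 2634 bytes long, and `copy_from_slice` panics on the length mismatch. The three lines should read `pub public_key: &'a [u8; 2592usize],`, `pub const PUBLIC_KEY_LEN: usize = 2592usize;` and `const PUBLIC_KEY_LEN: usize = 2592usize;`, matching the other ML-DSA templates in this commit. The `#[allow(dead_code)]` markers suggest nothing calls `new` yet, which would explain why this has not been hit.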
@@ -33,10 +33,10 @@ impl<'a> RtAliasCertTbsParams<'a> { pub const NOT_AFTER_LEN: usize = 15usize; pub const TCB_INFO_RT_SVN_LEN: usize = 1usize; } -pub struct RtAliasCertTbs { +pub struct RtAliasCertTbsEcc384 { tbs: [u8; Self::TBS_TEMPLATE_LEN], } -impl RtAliasCertTbs { +impl RtAliasCertTbsEcc384 { const PUBLIC_KEY_OFFSET: usize = 321usize; const SUBJECT_SN_OFFSET: usize = 234usize; const ISSUER_SN_OFFSET: usize = 89usize; @@ -106,7 +106,7 @@ impl RtAliasCertTbs { 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, ]; - pub fn new(params: &RtAliasCertTbsParams) -> Self { + pub fn new(params: &RtAliasCertTbsEcc384Params) -> Self { let mut template = Self { tbs: Self::TBS_TEMPLATE, }; @@ -122,7 +122,7 @@ impl RtAliasCertTbs { pub fn tbs(&self) -> &[u8] { &self.tbs } - fn apply(&mut self, params: &RtAliasCertTbsParams) { + fn apply(&mut self, params: &RtAliasCertTbsEcc384Params) { #[inline(always)] fn apply_slice( buf: &mut [u8; 649usize], diff --git a/x509/build/rt_alias_cert_tbs_mldsa_87.rs b/x509/build/rt_alias_cert_tbs_mldsa_87.rs new file mode 100644 index 0000000000..bf944e0fc2 --- /dev/null +++ b/x509/build/rt_alias_cert_tbs_mldsa_87.rs 
@@ -0,0 +1,182 @@ +#[doc = "++ + +Licensed under the Apache-2.0 license. + +Abstract: + + Regenerate the template by building caliptra-x509-build with the generate-templates flag. + +--"] + +// TODO generate when x509 libraries support MLDSA + +#[allow(dead_code)] +pub struct RtAliasCertTbsMlDsa87Params<'a> { + pub public_key: &'a [u8; 2592usize], + pub subject_sn: &'a [u8; 64usize], + pub issuer_sn: &'a [u8; 64usize], + pub tcb_info_rt_tci: &'a [u8; 48usize], + pub serial_number: &'a [u8; 20usize], + pub subject_key_id: &'a [u8; 20usize], + pub authority_key_id: &'a [u8; 20usize], + pub ueid: &'a [u8; 17usize], + pub not_before: &'a [u8; 15usize], + pub not_after: &'a [u8; 15usize], + pub tcb_info_rt_svn: &'a [u8; 1usize], +} +#[allow(dead_code)] +impl<'a> RtAliasCertTbsMlDsa87Params<'a> { + pub const PUBLIC_KEY_LEN: usize = 2592usize; + pub const SUBJECT_SN_LEN: usize = 64usize; + pub const ISSUER_SN_LEN: usize = 64usize; + pub const TCB_INFO_RT_TCI_LEN: usize = 48usize; + pub const SERIAL_NUMBER_LEN: usize = 20usize; + pub const SUBJECT_KEY_ID_LEN: usize = 20usize; + pub const AUTHORITY_KEY_ID_LEN: usize = 20usize; + pub const UEID_LEN: usize = 17usize; + pub const NOT_BEFORE_LEN: usize = 15usize; + pub const NOT_AFTER_LEN: usize = 15usize; + pub const TCB_INFO_RT_SVN_LEN: usize = 1usize; +} +#[allow(dead_code)] +pub struct RtAliasCertTbsMlDsa87 { + tbs: [u8; Self::TBS_TEMPLATE_LEN], +} +#[allow(dead_code)] +impl RtAliasCertTbsMlDsa87 { + const PUBLIC_KEY_OFFSET: usize = 322usize; + const SUBJECT_SN_OFFSET: usize = 234usize; + const ISSUER_SN_OFFSET: usize = 89usize; + const TCB_INFO_RT_TCI_OFFSET: usize = 3024usize; + const SERIAL_NUMBER_OFFSET: usize = 11usize; + const SUBJECT_KEY_ID_OFFSET: usize = 3092usize; + const AUTHORITY_KEY_ID_OFFSET: usize = 3125usize; + const UEID_OFFSET: usize = 2972usize; + const NOT_BEFORE_OFFSET: usize = 157usize; + const NOT_AFTER_OFFSET: usize = 174usize; + const TCB_INFO_RT_SVN_OFFSET: usize = 3006usize; + const 
PUBLIC_KEY_LEN: usize = 2592usize; + const SUBJECT_SN_LEN: usize = 64usize; + const ISSUER_SN_LEN: usize = 64usize; + const TCB_INFO_RT_TCI_LEN: usize = 48usize; + const SERIAL_NUMBER_LEN: usize = 20usize; + const SUBJECT_KEY_ID_LEN: usize = 20usize; + const AUTHORITY_KEY_ID_LEN: usize = 20usize; + const UEID_LEN: usize = 17usize; + const NOT_BEFORE_LEN: usize = 15usize; + const NOT_AFTER_LEN: usize = 15usize; + const TCB_INFO_RT_SVN_LEN: usize = 1usize; + pub const TBS_TEMPLATE_LEN: usize = 3145usize; + const TBS_TEMPLATE_PART_1: [u8; 322] = [ + 48u8, 130u8, 2u8, 133u8, 160u8, 3u8, 2u8, 1u8, 2u8, 2u8, 20u8, 95u8, 95u8, 95u8, 95u8, + 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, + 95u8, 48u8, 10u8, 6u8, 8u8, 42u8, 134u8, 72u8, 206u8, 61u8, 4u8, 3u8, 3u8, 48u8, 108u8, + 49u8, 31u8, 48u8, 29u8, 6u8, 3u8, 85u8, 4u8, 3u8, 12u8, 22u8, 67u8, 97u8, 108u8, 105u8, + 112u8, 116u8, 114u8, 97u8, 32u8, 49u8, 46u8, 48u8, 32u8, 70u8, 77u8, 67u8, 32u8, 65u8, + 108u8, 105u8, 97u8, 115u8, 49u8, 73u8, 48u8, 71u8, 6u8, 3u8, 85u8, 4u8, 5u8, 19u8, 64u8, + 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, + 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, + 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, + 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, + 95u8, 95u8, 95u8, 95u8, 48u8, 34u8, 24u8, 15u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, + 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 24u8, 15u8, 95u8, 95u8, 95u8, 95u8, 95u8, + 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 48u8, 107u8, 49u8, 30u8, 48u8, + 28u8, 6u8, 3u8, 85u8, 4u8, 3u8, 12u8, 21u8, 67u8, 97u8, 108u8, 105u8, 112u8, 116u8, 114u8, + 97u8, 32u8, 49u8, 46u8, 48u8, 32u8, 82u8, 116u8, 32u8, 65u8, 108u8, 105u8, 97u8, 115u8, + 49u8, 73u8, 48u8, 71u8, 6u8, 3u8, 85u8, 4u8, 5u8, 19u8, 64u8, 95u8, 95u8, 
95u8, 95u8, 95u8, + 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, + 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, + 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, + 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 48u8, + 118u8, 48u8, 16u8, 6u8, 7u8, 42u8, 134u8, 72u8, 206u8, 61u8, 2u8, 1u8, 6u8, 5u8, 43u8, + 129u8, 4u8, 0u8, 34u8, 4u8, 130u8, 10u8, 32u8]; + + const TBS_TEMPLATE_PART_2: [u8; 231] = [ + 163u8, + 129u8, 228u8, 48u8, 129u8, 225u8, 48u8, 18u8, 6u8, 3u8, 85u8, 29u8, 19u8, 1u8, 1u8, 255u8, + 4u8, 8u8, 48u8, 6u8, 1u8, 1u8, 255u8, 2u8, 1u8, 2u8, 48u8, 14u8, 6u8, 3u8, 85u8, 29u8, + 15u8, 1u8, 1u8, 255u8, 4u8, 4u8, 3u8, 2u8, 2u8, 132u8, 48u8, 31u8, 6u8, 6u8, 103u8, 129u8, + 5u8, 5u8, 4u8, 4u8, 4u8, 21u8, 48u8, 19u8, 4u8, 17u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, + 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 48u8, 90u8, 6u8, 6u8, + 103u8, 129u8, 5u8, 5u8, 4u8, 1u8, 4u8, 80u8, 48u8, 78u8, 131u8, 2u8, 1u8, 95u8, 166u8, + 63u8, 48u8, 61u8, 6u8, 9u8, 96u8, 134u8, 72u8, 1u8, 101u8, 3u8, 4u8, 2u8, 2u8, 4u8, 48u8, + 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, + 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, + 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, + 95u8, 95u8, 95u8, 137u8, 7u8, 82u8, 84u8, 95u8, 73u8, 78u8, 70u8, 79u8, 48u8, 29u8, 6u8, + 3u8, 85u8, 29u8, 14u8, 4u8, 22u8, 4u8, 20u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, + 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 48u8, 31u8, + 6u8, 3u8, 85u8, 29u8, 35u8, 4u8, 24u8, 48u8, 22u8, 128u8, 20u8, 95u8, 95u8, 95u8, 95u8, + 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, + 95u8, + ]; + pub fn new(params: 
&RtAliasCertTbsMlDsa87Params) -> Self { + let mut template = Self { + tbs: [0; Self::TBS_TEMPLATE_LEN], + }; + template.tbs[..Self::PUBLIC_KEY_OFFSET].copy_from_slice(&Self::TBS_TEMPLATE_PART_1); + template.tbs[Self::PUBLIC_KEY_OFFSET + Self::PUBLIC_KEY_LEN..].copy_from_slice(&Self::TBS_TEMPLATE_PART_2); + + template.apply(params); + template + } + pub fn sign( + &self, + sign_fn: impl Fn(&[u8]) -> Result, + ) -> Result { + sign_fn(&self.tbs) + } + pub fn tbs(&self) -> &[u8] { + &self.tbs + } + fn apply(&mut self, params: &RtAliasCertTbsMlDsa87Params) { + #[inline(always)] + fn apply_slice( + buf: &mut [u8; 3145usize], + val: &[u8; LEN], + ) { + buf[OFFSET..OFFSET + LEN].copy_from_slice(val); + } + apply_slice::<{ Self::PUBLIC_KEY_OFFSET }, { Self::PUBLIC_KEY_LEN }>( + &mut self.tbs, + params.public_key, + ); + apply_slice::<{ Self::SUBJECT_SN_OFFSET }, { Self::SUBJECT_SN_LEN }>( + &mut self.tbs, + params.subject_sn, + ); + apply_slice::<{ Self::ISSUER_SN_OFFSET }, { Self::ISSUER_SN_LEN }>( + &mut self.tbs, + params.issuer_sn, + ); + apply_slice::<{ Self::TCB_INFO_RT_TCI_OFFSET }, { Self::TCB_INFO_RT_TCI_LEN }>( + &mut self.tbs, + params.tcb_info_rt_tci, + ); + apply_slice::<{ Self::SERIAL_NUMBER_OFFSET }, { Self::SERIAL_NUMBER_LEN }>( + &mut self.tbs, + params.serial_number, + ); + apply_slice::<{ Self::SUBJECT_KEY_ID_OFFSET }, { Self::SUBJECT_KEY_ID_LEN }>( + &mut self.tbs, + params.subject_key_id, + ); + apply_slice::<{ Self::AUTHORITY_KEY_ID_OFFSET }, { Self::AUTHORITY_KEY_ID_LEN }>( + &mut self.tbs, + params.authority_key_id, + ); + apply_slice::<{ Self::UEID_OFFSET }, { Self::UEID_LEN }>(&mut self.tbs, params.ueid); + apply_slice::<{ Self::NOT_BEFORE_OFFSET }, { Self::NOT_BEFORE_LEN }>( + &mut self.tbs, + params.not_before, + ); + apply_slice::<{ Self::NOT_AFTER_OFFSET }, { Self::NOT_AFTER_LEN }>( + &mut self.tbs, + params.not_after, + ); + apply_slice::<{ Self::TCB_INFO_RT_SVN_OFFSET }, { Self::TCB_INFO_RT_SVN_LEN }>( + &mut self.tbs, + 
params.tcb_info_rt_svn, + ); + } +} diff --git a/x509/src/cert_bldr.rs b/x509/src/cert_bldr.rs index f8388d0a5e..52759c50bc 100644 --- a/x509/src/cert_bldr.rs +++ b/x509/src/cert_bldr.rs @@ -113,8 +113,8 @@ impl Default for Mldsa87Signature { } } -impl Signature<4635> for Mldsa87Signature { - fn to_der(&self, buf: &mut [u8; 4635]) -> Option { +impl Signature<4641> for Mldsa87Signature { + fn to_der(&self, buf: &mut [u8; 4641]) -> Option { let ml_dsa_signature_len = der_uint_len(&self.sig)?; // @@ -145,10 +145,7 @@ impl Signature<4635> for Mldsa87Signature { } fn oid_der() -> &'static [u8] { - // TODO this is wrong and just copied from ECC - &[ - 0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x03, - ] + &[0x06, 0x08, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x03] } } @@ -236,7 +233,7 @@ impl<'a, S: Signature, const MAX_DER_SIZE: usize> CertBuilder<'a, fn compute_len(tbs_len: usize, sig_der_len: usize, oid_len: usize) -> Option { let len = tbs_len + oid_len + sig_der_len; - // Max Cert or CSR size is 4096 bytes + // Max Cert or CSR size is 0xffff bytes let len_bytes = match len { 0..=0x7f => 1_usize, 0x80..=0xff => 2, @@ -258,5 +255,5 @@ pub type Ecdsa384CertBuilder<'a> = CertBuilder<'a, Ecdsa384Signature, 108>; pub type Ecdsa384CsrBuilder<'a> = Ecdsa384CertBuilder<'a>; // Type alias for Ml-Dsa87 Certificate Builder -pub type MlDsa87CertBuilder<'a> = CertBuilder<'a, Mldsa87Signature, 4627>; +pub type MlDsa87CertBuilder<'a> = CertBuilder<'a, Mldsa87Signature, 4641>; pub type MlDsa87CsrBuilder<'a> = MlDsa87CertBuilder<'a>; diff --git a/x509/src/fmc_alias_cert.rs b/x509/src/fmc_alias_cert_ecc_384.rs similarity index 66% rename from x509/src/fmc_alias_cert.rs rename to x509/src/fmc_alias_cert_ecc_384.rs index 417f33cba5..41b3fb5dc1 100644 --- a/x509/src/fmc_alias_cert.rs +++ b/x509/src/fmc_alias_cert_ecc_384.rs 
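Review bot: The DER buffer size `4641` is a bare literal in `impl Signature<4641>` and in `to_der`'s `buf: &mut [u8; 4641]` here, and again in the `MlDsa87CertBuilder` alias in the last hunk of this file. The two values this commit replaces (4635 and 4627) show how easily these copies drift apart. A single named constant, e.g. `pub const MLDSA87_SIG_DER_MAX_LEN: usize = 4641;`, used in all three places would keep them in step. Its comment should say how the 14 bytes above the 4627-byte ML-DSA-87 signature are accounted for. The body of `to_der` continues outside the hunk, so the framing it writes is not visible here.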
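Review bot: The new `oid_der()` value `06 08 60 86 48 01 65 03 04 03` encodes only the NIST sigAlgs arc 2.16.840.1.101.3.4.3, so it names no algorithm; id-ml-dsa-87 is 2.16.840.1.101.3.4.3.19, i.e. `06 09 … 03 13`. It also drops the `0x30` SEQUENCE wrapper that the removed ECC bytes carried. If the builder writes this slice verbatim as the AlgorithmIdentifier (the caller is outside the hunk), the output is malformed DER that a strict verifier will reject. The value I would expect is `&[0x30, 0x0B, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x03, 0x13]`. The ML-DSA RT alias TBS template earlier in this patch still embeds the ecdsa-with-SHA384 identifier (`48u8, 10u8, 6u8, 8u8, 42u8, 134u8, 72u8, 206u8, 61u8, 4u8, 3u8, 3u8`), and RFC 5280 requires the inner `signature` and outer `signatureAlgorithm` to match, so the two have to change together.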
@@ -4,19 +4,19 @@ Licensed under the Apache-2.0 license. File Name: - fmc_alias_cert.rs + fmc_alias_cert_ecc_384.rs Abstract: - FMC Alias Certificate related code. + ECC384 FMC Alias Certificate related code. --*/ // Note: All the necessary code is auto generated #[cfg(feature = "generate_templates")] -include!(concat!(env!("OUT_DIR"), "/fmc_alias_cert_tbs.rs")); +include!(concat!(env!("OUT_DIR"), "/fmc_alias_cert_tbs_ecc_384.rs")); #[cfg(not(feature = "generate_templates"))] -include! {"../build/fmc_alias_cert_tbs.rs"} +include! {"../build/fmc_alias_cert_tbs_ecc_384.rs"} #[cfg(all(test, target_family = "unix"))] mod tests { @@ -35,16 +35,19 @@ mod tests { use x509_parser::x509::X509Version; const TEST_DEVICE_INFO_HASH: &[u8] = - &[0xCDu8; FmcAliasCertTbsParams::TCB_INFO_DEVICE_INFO_HASH_LEN]; - const TEST_FMC_HASH: &[u8] = &[0xEFu8; FmcAliasCertTbsParams::TCB_INFO_FMC_TCI_LEN]; - const TEST_UEID: &[u8] = &[0xABu8; FmcAliasCertTbsParams::UEID_LEN]; + &[0xCDu8; FmcAliasCertTbsEcc384Params::TCB_INFO_DEVICE_INFO_HASH_LEN]; + const TEST_FMC_HASH: &[u8] = &[0xEFu8; FmcAliasCertTbsEcc384Params::TCB_INFO_FMC_TCI_LEN]; + const TEST_UEID: &[u8] = &[0xABu8; FmcAliasCertTbsEcc384Params::UEID_LEN]; const TEST_TCB_INFO_FLAGS: &[u8] = &[0xB0, 0xB1, 0xB2, 0xB3]; const TEST_TCB_INFO_FMC_SVN: &[u8] = &[0xB7]; const TEST_TCB_INFO_FMC_SVN_FUSES: &[u8] = &[0xB8]; - fn make_test_cert(subject_key: &Ecc384AsymKey, issuer_key: &Ecc384AsymKey) -> FmcAliasCertTbs { - let params = FmcAliasCertTbsParams { - serial_number: &[0xABu8; FmcAliasCertTbsParams::SERIAL_NUMBER_LEN], + fn make_test_cert( + subject_key: &Ecc384AsymKey, + issuer_key: &Ecc384AsymKey, + ) -> FmcAliasCertTbsEcc384 { + let params = FmcAliasCertTbsEcc384Params { + serial_number: &[0xABu8; FmcAliasCertTbsEcc384Params::SERIAL_NUMBER_LEN], public_key: &subject_key.pub_key().try_into().unwrap(), subject_sn: &subject_key .hex_str() 
@@ -70,7 +73,7 @@ mod tests { not_after: &NotAfter::default().value, }; - FmcAliasCertTbs::new(¶ms) + FmcAliasCertTbsEcc384::new(¶ms) } #[test] 
@@ -88,62 +91,67 @@ mod tests { }) .unwrap(); - assert_ne!(cert.tbs(), FmcAliasCertTbs::TBS_TEMPLATE); + assert_ne!(cert.tbs(), FmcAliasCertTbsEcc384::TBS_TEMPLATE); assert_eq!( - &cert.tbs()[FmcAliasCertTbs::PUBLIC_KEY_OFFSET - ..FmcAliasCertTbs::PUBLIC_KEY_OFFSET + FmcAliasCertTbs::PUBLIC_KEY_LEN], + &cert.tbs()[FmcAliasCertTbsEcc384::PUBLIC_KEY_OFFSET + ..FmcAliasCertTbsEcc384::PUBLIC_KEY_OFFSET + FmcAliasCertTbsEcc384::PUBLIC_KEY_LEN], subject_key.pub_key(), ); assert_eq!( - &cert.tbs()[FmcAliasCertTbs::SUBJECT_SN_OFFSET - ..FmcAliasCertTbs::SUBJECT_SN_OFFSET + FmcAliasCertTbs::SUBJECT_SN_LEN], + &cert.tbs()[FmcAliasCertTbsEcc384::SUBJECT_SN_OFFSET + ..FmcAliasCertTbsEcc384::SUBJECT_SN_OFFSET + FmcAliasCertTbsEcc384::SUBJECT_SN_LEN], subject_key.hex_str().into_bytes(), ); assert_eq!( - &cert.tbs()[FmcAliasCertTbs::ISSUER_SN_OFFSET - ..FmcAliasCertTbs::ISSUER_SN_OFFSET + FmcAliasCertTbs::ISSUER_SN_LEN], + &cert.tbs()[FmcAliasCertTbsEcc384::ISSUER_SN_OFFSET + ..FmcAliasCertTbsEcc384::ISSUER_SN_OFFSET + FmcAliasCertTbsEcc384::ISSUER_SN_LEN], issuer_key.hex_str().into_bytes(), ); assert_eq!( - &cert.tbs()[FmcAliasCertTbs::UEID_OFFSET - ..FmcAliasCertTbs::UEID_OFFSET + FmcAliasCertTbs::UEID_LEN], + &cert.tbs()[FmcAliasCertTbsEcc384::UEID_OFFSET + ..FmcAliasCertTbsEcc384::UEID_OFFSET + FmcAliasCertTbsEcc384::UEID_LEN], TEST_UEID, ); assert_eq!( - &cert.tbs()[FmcAliasCertTbs::SUBJECT_KEY_ID_OFFSET - ..FmcAliasCertTbs::SUBJECT_KEY_ID_OFFSET + FmcAliasCertTbs::SUBJECT_KEY_ID_LEN], + &cert.tbs()[FmcAliasCertTbsEcc384::SUBJECT_KEY_ID_OFFSET + ..FmcAliasCertTbsEcc384::SUBJECT_KEY_ID_OFFSET + + FmcAliasCertTbsEcc384::SUBJECT_KEY_ID_LEN], subject_key.sha1(), ); assert_eq!( - &cert.tbs()[FmcAliasCertTbs::AUTHORITY_KEY_ID_OFFSET - ..FmcAliasCertTbs::AUTHORITY_KEY_ID_OFFSET + FmcAliasCertTbs::AUTHORITY_KEY_ID_LEN], + &cert.tbs()[FmcAliasCertTbsEcc384::AUTHORITY_KEY_ID_OFFSET + ..FmcAliasCertTbsEcc384::AUTHORITY_KEY_ID_OFFSET + + FmcAliasCertTbsEcc384::AUTHORITY_KEY_ID_LEN], 
issuer_key.sha1(), ); assert_eq!( - &cert.tbs()[FmcAliasCertTbs::TCB_INFO_FLAGS_OFFSET - ..FmcAliasCertTbs::TCB_INFO_FLAGS_OFFSET + FmcAliasCertTbs::TCB_INFO_FLAGS_LEN], + &cert.tbs()[FmcAliasCertTbsEcc384::TCB_INFO_FLAGS_OFFSET + ..FmcAliasCertTbsEcc384::TCB_INFO_FLAGS_OFFSET + + FmcAliasCertTbsEcc384::TCB_INFO_FLAGS_LEN], TEST_TCB_INFO_FLAGS, ); assert_eq!( - &cert.tbs()[FmcAliasCertTbs::TCB_INFO_DEVICE_INFO_HASH_OFFSET - ..FmcAliasCertTbs::TCB_INFO_DEVICE_INFO_HASH_OFFSET - + FmcAliasCertTbs::TCB_INFO_DEVICE_INFO_HASH_LEN], + &cert.tbs()[FmcAliasCertTbsEcc384::TCB_INFO_DEVICE_INFO_HASH_OFFSET + ..FmcAliasCertTbsEcc384::TCB_INFO_DEVICE_INFO_HASH_OFFSET + + FmcAliasCertTbsEcc384::TCB_INFO_DEVICE_INFO_HASH_LEN], TEST_DEVICE_INFO_HASH, ); assert_eq!( - &cert.tbs()[FmcAliasCertTbs::TCB_INFO_FMC_TCI_OFFSET - ..FmcAliasCertTbs::TCB_INFO_FMC_TCI_OFFSET + FmcAliasCertTbs::TCB_INFO_FMC_TCI_LEN], + &cert.tbs()[FmcAliasCertTbsEcc384::TCB_INFO_FMC_TCI_OFFSET + ..FmcAliasCertTbsEcc384::TCB_INFO_FMC_TCI_OFFSET + + FmcAliasCertTbsEcc384::TCB_INFO_FMC_TCI_LEN], TEST_FMC_HASH, ); assert_eq!( - &cert.tbs()[FmcAliasCertTbs::TCB_INFO_FMC_SVN_OFFSET - ..FmcAliasCertTbs::TCB_INFO_FMC_SVN_OFFSET + FmcAliasCertTbs::TCB_INFO_FMC_SVN_LEN], + &cert.tbs()[FmcAliasCertTbsEcc384::TCB_INFO_FMC_SVN_OFFSET + ..FmcAliasCertTbsEcc384::TCB_INFO_FMC_SVN_OFFSET + + FmcAliasCertTbsEcc384::TCB_INFO_FMC_SVN_LEN], TEST_TCB_INFO_FMC_SVN, ); assert_eq!( - &cert.tbs()[FmcAliasCertTbs::TCB_INFO_FMC_SVN_FUSES_OFFSET - ..FmcAliasCertTbs::TCB_INFO_FMC_SVN_FUSES_OFFSET - + FmcAliasCertTbs::TCB_INFO_FMC_SVN_FUSES_LEN], + &cert.tbs()[FmcAliasCertTbsEcc384::TCB_INFO_FMC_SVN_FUSES_OFFSET + ..FmcAliasCertTbsEcc384::TCB_INFO_FMC_SVN_FUSES_OFFSET + + FmcAliasCertTbsEcc384::TCB_INFO_FMC_SVN_FUSES_LEN], TEST_TCB_INFO_FMC_SVN_FUSES, ); 
@@ -213,11 +221,13 @@ mod tests { #[test] #[cfg(feature = "generate_templates")] fn test_fmc_alias_template() { - let manual_template = - std::fs::read(std::path::Path::new("./build/fmc_alias_cert_tbs.rs")).unwrap(); + let manual_template = std::fs::read(std::path::Path::new( + "./build/fmc_alias_cert_tbs_ecc_384.rs", + )) + .unwrap(); let auto_generated_template = std::fs::read(std::path::Path::new(concat!( env!("OUT_DIR"), - "/fmc_alias_cert_tbs.rs" + "/fmc_alias_cert_tbs_ecc_384.rs" ))) .unwrap(); if auto_generated_template != manual_template { diff --git a/x509/src/fmc_alias_cert_mldsa_87.rs b/x509/src/fmc_alias_cert_mldsa_87.rs new file mode 100644 index 0000000000..0a8478822e --- /dev/null +++ b/x509/src/fmc_alias_cert_mldsa_87.rs @@ -0,0 +1,15 @@ +/*++ + +Licensed under the Apache-2.0 license. + +File Name: + + fmc_alias_cert.rs + +Abstract: + + ECC384 FMC Alias Certificate related code. + +--*/ + +include! {"../build/fmc_alias_cert_tbs_mldsa_87.rs"} diff --git a/x509/src/idevid_csr.rs b/x509/src/idevid_csr_ecc_384.rs similarity index 81% rename from x509/src/idevid_csr.rs rename to x509/src/idevid_csr_ecc_384.rs index dada0e8c8e..0f42efb5e5 100644 --- a/x509/src/idevid_csr.rs +++ b/x509/src/idevid_csr_ecc_384.rs @@ -8,15 +8,15 @@ File Name: Abstract: - Initial Device ID Certificate Signing Request related code. + ECC384 Initial Device ID Certificate Signing Request related code. --*/ // Note: All the necessary code is auto generated #[cfg(feature = "generate_templates")] -include!(concat!(env!("OUT_DIR"), "/init_dev_id_csr_tbs.rs")); +include!(concat!(env!("OUT_DIR"), "/init_dev_id_csr_tbs_ecc_384.rs")); #[cfg(not(feature = "generate_templates"))] -include! {"../build/init_dev_id_csr_tbs.rs"} +include! {"../build/init_dev_id_csr_tbs_ecc_384.rs"} #[cfg(all(test, target_family = "unix"))] mod tests { 
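Review bot: The new `fmc_alias_cert_mldsa_87.rs` includes the checked-in `../build/fmc_alias_cert_tbs_mldsa_87.rs` unconditionally, with neither the `generate_templates` include from `OUT_DIR` nor a `test_fmc_alias_template`-style comparison that the ECC384 module has, so a stale or hand-edited ML-DSA template would go unnoticed. The same applies to `idevid_csr_mldsa_87.rs`, `ldevid_cert_mldsa_87.rs` and `rt_alias_cert_mldsa_87.rs` later in this patch. If build.rs writes these templates to `OUT_DIR` (not visible here), mirror the ECC pattern with `#[cfg(feature = "generate_templates")] include!(concat!(env!("OUT_DIR"), "/fmc_alias_cert_tbs_mldsa_87.rs"));` and put `#[cfg(not(feature = "generate_templates"))]` on the existing include. The header comments were also copied without updating: this file says `fmc_alias_cert.rs` and "ECC384", and `rt_alias_cert_mldsa_87.rs` names `idevid_csr.rs` with the CSR abstract. Each should carry its own file name and an ML-DSA-87 abstract.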
@@ -32,16 +32,16 @@ mod tests { use crate::test_util::tests::*; use crate::{Ecdsa384CsrBuilder, Ecdsa384Signature}; - const TEST_UEID: &[u8] = &[0xAB; InitDevIdCsrTbs::UEID_LEN]; + const TEST_UEID: &[u8] = &[0xAB; InitDevIdCsrTbsEcc384::UEID_LEN]; - fn make_test_csr(subject_key: &Ecc384AsymKey) -> InitDevIdCsrTbs { - let params = InitDevIdCsrTbsParams { + fn make_test_csr(subject_key: &Ecc384AsymKey) -> InitDevIdCsrTbsEcc384 { + let params = InitDevIdCsrTbsEcc384Params { public_key: &subject_key.pub_key().try_into().unwrap(), subject_sn: &subject_key.hex_str().into_bytes().try_into().unwrap(), ueid: &TEST_UEID.try_into().unwrap(), }; - InitDevIdCsrTbs::new(¶ms) + InitDevIdCsrTbsEcc384::new(¶ms) } #[test] @@ -58,20 +58,20 @@ mod tests { }) .unwrap(); - assert_ne!(csr.tbs(), InitDevIdCsrTbs::TBS_TEMPLATE); + assert_ne!(csr.tbs(), InitDevIdCsrTbsEcc384::TBS_TEMPLATE); assert_eq!( - &csr.tbs()[InitDevIdCsrTbs::PUBLIC_KEY_OFFSET - ..InitDevIdCsrTbs::PUBLIC_KEY_OFFSET + InitDevIdCsrTbs::PUBLIC_KEY_LEN], + &csr.tbs()[InitDevIdCsrTbsEcc384::PUBLIC_KEY_OFFSET + ..InitDevIdCsrTbsEcc384::PUBLIC_KEY_OFFSET + InitDevIdCsrTbsEcc384::PUBLIC_KEY_LEN], key.pub_key(), ); assert_eq!( - &csr.tbs()[InitDevIdCsrTbs::SUBJECT_SN_OFFSET - ..InitDevIdCsrTbs::SUBJECT_SN_OFFSET + InitDevIdCsrTbs::SUBJECT_SN_LEN], + &csr.tbs()[InitDevIdCsrTbsEcc384::SUBJECT_SN_OFFSET + ..InitDevIdCsrTbsEcc384::SUBJECT_SN_OFFSET + InitDevIdCsrTbsEcc384::SUBJECT_SN_LEN], key.hex_str().into_bytes(), ); assert_eq!( - &csr.tbs()[InitDevIdCsrTbs::UEID_OFFSET - ..InitDevIdCsrTbs::UEID_OFFSET + InitDevIdCsrTbs::UEID_LEN], + &csr.tbs()[InitDevIdCsrTbsEcc384::UEID_OFFSET + ..InitDevIdCsrTbsEcc384::UEID_OFFSET + InitDevIdCsrTbsEcc384::UEID_LEN], TEST_UEID, ); 
@@ -163,11 +163,13 @@ mod tests { #[test] #[cfg(feature = "generate_templates")] fn test_idevid_template() { - let manual_template = - std::fs::read(std::path::Path::new("./build/init_dev_id_csr_tbs.rs")).unwrap(); + let manual_template = std::fs::read(std::path::Path::new( + "./build/init_dev_id_csr_tbs_ecc_384.rs", + )) + .unwrap(); let auto_generated_template = std::fs::read(std::path::Path::new(concat!( env!("OUT_DIR"), - "/init_dev_id_csr_tbs.rs" + "/init_dev_id_csr_tbs_ecc_384.rs" ))) .unwrap(); if auto_generated_template != manual_template { diff --git a/x509/src/idevid_csr_mldsa_87.rs b/x509/src/idevid_csr_mldsa_87.rs new file mode 100644 index 0000000000..772e9d8e7a --- /dev/null +++ b/x509/src/idevid_csr_mldsa_87.rs @@ -0,0 +1,15 @@ +/*++ + +Licensed under the Apache-2.0 license. + +File Name: + + idevid_csr.rs + +Abstract: + + Initial Device ID Certificate Signing Request related code. + +--*/ + +include! {"../build/init_dev_id_csr_tbs_mldsa_87.rs"} diff --git a/x509/src/ldevid_cert.rs b/x509/src/ldevid_cert_ecc_384.rs similarity index 72% rename from x509/src/ldevid_cert.rs rename to x509/src/ldevid_cert_ecc_384.rs index dc8dacd86f..c6185d7e6d 100644 --- a/x509/src/ldevid_cert.rs +++ b/x509/src/ldevid_cert_ecc_384.rs @@ -8,15 +8,18 @@ File Name: Abstract: - Local Device ID Certificate related code. + ECC384 Local Device ID Certificate related code. --*/ // Note: All the necessary code is auto generated #[cfg(feature = "generate_templates")] -include!(concat!(env!("OUT_DIR"), "/local_dev_id_cert_tbs.rs")); +include!(concat!( + env!("OUT_DIR"), + "/local_dev_id_cert_tbs_ecc_384.rs" +)); #[cfg(not(feature = "generate_templates"))] -include! {"../build/local_dev_id_cert_tbs.rs"} +include! {"../build/local_dev_id_cert_tbs_ecc_384.rs"} #[cfg(all(test, target_family = "unix"))] mod tests { 
@@ -34,14 +37,14 @@ mod tests { use crate::test_util::tests::*; use crate::{NotAfter, NotBefore}; - const TEST_UEID: &[u8] = &[0xAB; LocalDevIdCertTbsParams::UEID_LEN]; + const TEST_UEID: &[u8] = &[0xAB; LocalDevIdCertTbsEcc384Params::UEID_LEN]; fn make_test_cert( subject_key: &Ecc384AsymKey, issuer_key: &Ecc384AsymKey, - ) -> LocalDevIdCertTbs { - let params = LocalDevIdCertTbsParams { - serial_number: &[0xABu8; LocalDevIdCertTbsParams::SERIAL_NUMBER_LEN], + ) -> LocalDevIdCertTbsEcc384 { + let params = LocalDevIdCertTbsEcc384Params { + serial_number: &[0xABu8; LocalDevIdCertTbsEcc384Params::SERIAL_NUMBER_LEN], public_key: &subject_key.pub_key().try_into().unwrap(), subject_sn: &subject_key .hex_str() @@ -57,7 +60,7 @@ mod tests { not_after: &NotAfter::default().value, }; - LocalDevIdCertTbs::new(¶ms) + LocalDevIdCertTbsEcc384::new(¶ms) } #[test] 
@@ -75,36 +78,40 @@ mod tests { }) .unwrap(); - assert_ne!(cert.tbs(), LocalDevIdCertTbs::TBS_TEMPLATE); + assert_ne!(cert.tbs(), LocalDevIdCertTbsEcc384::TBS_TEMPLATE); assert_eq!( - &cert.tbs()[LocalDevIdCertTbs::PUBLIC_KEY_OFFSET - ..LocalDevIdCertTbs::PUBLIC_KEY_OFFSET + LocalDevIdCertTbs::PUBLIC_KEY_LEN], + &cert.tbs()[LocalDevIdCertTbsEcc384::PUBLIC_KEY_OFFSET + ..LocalDevIdCertTbsEcc384::PUBLIC_KEY_OFFSET + + LocalDevIdCertTbsEcc384::PUBLIC_KEY_LEN], subject_key.pub_key(), ); assert_eq!( - &cert.tbs()[LocalDevIdCertTbs::SUBJECT_SN_OFFSET - ..LocalDevIdCertTbs::SUBJECT_SN_OFFSET + LocalDevIdCertTbs::SUBJECT_SN_LEN], + &cert.tbs()[LocalDevIdCertTbsEcc384::SUBJECT_SN_OFFSET + ..LocalDevIdCertTbsEcc384::SUBJECT_SN_OFFSET + + LocalDevIdCertTbsEcc384::SUBJECT_SN_LEN], subject_key.hex_str().into_bytes(), ); assert_eq!( - &cert.tbs()[LocalDevIdCertTbs::ISSUER_SN_OFFSET - ..LocalDevIdCertTbs::ISSUER_SN_OFFSET + LocalDevIdCertTbs::ISSUER_SN_LEN], + &cert.tbs()[LocalDevIdCertTbsEcc384::ISSUER_SN_OFFSET + ..LocalDevIdCertTbsEcc384::ISSUER_SN_OFFSET + + LocalDevIdCertTbsEcc384::ISSUER_SN_LEN], issuer_key.hex_str().into_bytes(), ); assert_eq!( - &cert.tbs()[LocalDevIdCertTbs::UEID_OFFSET - ..LocalDevIdCertTbs::UEID_OFFSET + LocalDevIdCertTbs::UEID_LEN], + &cert.tbs()[LocalDevIdCertTbsEcc384::UEID_OFFSET + ..LocalDevIdCertTbsEcc384::UEID_OFFSET + LocalDevIdCertTbsEcc384::UEID_LEN], TEST_UEID, ); assert_eq!( - &cert.tbs()[LocalDevIdCertTbs::SUBJECT_KEY_ID_OFFSET - ..LocalDevIdCertTbs::SUBJECT_KEY_ID_OFFSET + LocalDevIdCertTbs::SUBJECT_KEY_ID_LEN], + &cert.tbs()[LocalDevIdCertTbsEcc384::SUBJECT_KEY_ID_OFFSET + ..LocalDevIdCertTbsEcc384::SUBJECT_KEY_ID_OFFSET + + LocalDevIdCertTbsEcc384::SUBJECT_KEY_ID_LEN], subject_key.sha1(), ); assert_eq!( - &cert.tbs()[LocalDevIdCertTbs::AUTHORITY_KEY_ID_OFFSET - ..LocalDevIdCertTbs::AUTHORITY_KEY_ID_OFFSET - + LocalDevIdCertTbs::AUTHORITY_KEY_ID_LEN], + &cert.tbs()[LocalDevIdCertTbsEcc384::AUTHORITY_KEY_ID_OFFSET + 
..LocalDevIdCertTbsEcc384::AUTHORITY_KEY_ID_OFFSET + + LocalDevIdCertTbsEcc384::AUTHORITY_KEY_ID_LEN], issuer_key.sha1(), ); let ecdsa_sig = crate::Ecdsa384Signature { @@ -170,11 +177,13 @@ mod tests { #[test] #[cfg(feature = "generate_templates")] fn test_ldevid_template() { - let manual_template = - std::fs::read(std::path::Path::new("./build/local_dev_id_cert_tbs.rs")).unwrap(); + let manual_template = std::fs::read(std::path::Path::new( + "./build/local_dev_id_cert_tbs_ecc_384.rs", + )) + .unwrap(); let auto_generated_template = std::fs::read(std::path::Path::new(concat!( env!("OUT_DIR"), - "/local_dev_id_cert_tbs.rs" + "/local_dev_id_cert_tbs_ecc_384.rs" ))) .unwrap(); if auto_generated_template != manual_template { diff --git a/x509/src/ldevid_cert_mldsa_87.rs b/x509/src/ldevid_cert_mldsa_87.rs new file mode 100644 index 0000000000..d190dabd36 --- /dev/null +++ b/x509/src/ldevid_cert_mldsa_87.rs @@ -0,0 +1,15 @@ +/*++ + +Licensed under the Apache-2.0 license. + +File Name: + + ldevid_cert.rs + +Abstract: + + Local Device ID Certificate related code. + +--*/ + +include! {"../build/local_dev_id_cert_tbs_mldsa_87.rs"} diff --git a/x509/src/lib.rs b/x509/src/lib.rs index 53a8f27a58..d057cf3019 100644 --- a/x509/src/lib.rs +++ b/x509/src/lib.rs @@ -16,10 +16,14 @@ Abstract: mod cert_bldr; mod der_helper; -mod fmc_alias_cert; -mod idevid_csr; -mod ldevid_cert; -mod rt_alias_cert; +mod fmc_alias_cert_ecc_384; +mod fmc_alias_cert_mldsa_87; +mod idevid_csr_ecc_384; +mod idevid_csr_mldsa_87; +mod ldevid_cert_ecc_384; +mod ldevid_cert_mldsa_87; +mod rt_alias_cert_ecc_384; +mod rt_alias_cert_mldsa_87; mod test_util; pub use cert_bldr::{ 
@@ -27,10 +31,11 @@ pub use cert_bldr::{ MlDsa87CsrBuilder, Mldsa87Signature, }; pub use der_helper::{der_encode_len, der_encode_uint, der_uint_len}; -pub use fmc_alias_cert::{FmcAliasCertTbs, FmcAliasCertTbsParams}; -pub use idevid_csr::{InitDevIdCsrTbs, InitDevIdCsrTbsParams}; -pub use ldevid_cert::{LocalDevIdCertTbs, LocalDevIdCertTbsParams}; -pub use rt_alias_cert::{RtAliasCertTbs, RtAliasCertTbsParams}; +pub use fmc_alias_cert_ecc_384::{FmcAliasCertTbsEcc384, FmcAliasCertTbsEcc384Params}; +pub use idevid_csr_ecc_384::{InitDevIdCsrTbsEcc384, InitDevIdCsrTbsEcc384Params}; +pub use idevid_csr_mldsa_87::{InitDevIdCsrTbsMlDsa87, InitDevIdCsrTbsMlDsa87Params}; +pub use ldevid_cert_ecc_384::{LocalDevIdCertTbsEcc384, LocalDevIdCertTbsEcc384Params}; +pub use rt_alias_cert_ecc_384::{RtAliasCertTbsEcc384, RtAliasCertTbsEcc384Params}; use zeroize::Zeroize; pub const NOT_BEFORE: &str = "20230101000000Z"; diff --git a/x509/src/rt_alias_cert.rs b/x509/src/rt_alias_cert_ecc_384.rs similarity index 51% rename from x509/src/rt_alias_cert.rs rename to x509/src/rt_alias_cert_ecc_384.rs index 675a76bf7a..dbec2b4096 100644 --- a/x509/src/rt_alias_cert.rs +++ b/x509/src/rt_alias_cert_ecc_384.rs @@ -8,15 +8,15 @@ File Name: Abstract: - RT Alias Certificate related code. + ECC384 RT Alias Certificate related code. --*/ // Note: All the necessary code is auto generated #[cfg(feature = "generate_templates")] -include!(concat!(env!("OUT_DIR"), "/rt_alias_cert_tbs.rs")); +include!(concat!(env!("OUT_DIR"), "/rt_alias_cert_tbs_ecc_384.rs")); #[cfg(not(feature = "generate_templates"))] -include! {"../build/rt_alias_cert_tbs.rs"} +include! {"../build/rt_alias_cert_tbs_ecc_384.rs"} #[cfg(all(test, target_family = "unix"))] mod tests { 
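Review bot: Only `idevid_csr_mldsa_87` gets a `pub use` in this hunk, while the previous hunk also declares `fmc_alias_cert_mldsa_87`, `ldevid_cert_mldsa_87` and `rt_alias_cert_mldsa_87` as private modules. Their template types are therefore compiled into the crate but unreachable from callers, and nothing visible here exercises them. If they are groundwork for later commits, a short comment above the three `mod` lines saying so would help. Otherwise either add the matching re-exports (e.g. `pub use rt_alias_cert_mldsa_87::{RtAliasCertTbsMlDsa87, RtAliasCertTbsMlDsa87Params};`) or leave the modules out until the templates are validated.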
@@ -34,36 +34,38 @@ mod tests { let issuer_key = Ecc384AsymKey::default(); let ec_key = issuer_key.priv_key().ec_key().unwrap(); - let params = RtAliasCertTbsParams { - serial_number: &[0xABu8; RtAliasCertTbsParams::SERIAL_NUMBER_LEN], - public_key: TryInto::<&[u8; RtAliasCertTbsParams::PUBLIC_KEY_LEN]>::try_into( + let params = RtAliasCertTbsEcc384Params { + serial_number: &[0xABu8; RtAliasCertTbsEcc384Params::SERIAL_NUMBER_LEN], + public_key: TryInto::<&[u8; RtAliasCertTbsEcc384Params::PUBLIC_KEY_LEN]>::try_into( subject_key.pub_key(), ) .unwrap(), - subject_sn: &TryInto::<[u8; RtAliasCertTbsParams::SUBJECT_SN_LEN]>::try_into( + subject_sn: &TryInto::<[u8; RtAliasCertTbsEcc384Params::SUBJECT_SN_LEN]>::try_into( subject_key.hex_str().into_bytes(), ) .unwrap(), - issuer_sn: &TryInto::<[u8; RtAliasCertTbsParams::ISSUER_SN_LEN]>::try_into( + issuer_sn: &TryInto::<[u8; RtAliasCertTbsEcc384Params::ISSUER_SN_LEN]>::try_into( issuer_key.hex_str().into_bytes(), ) .unwrap(), - ueid: &[0xAB; RtAliasCertTbsParams::UEID_LEN], - subject_key_id: &TryInto::<[u8; RtAliasCertTbsParams::SUBJECT_KEY_ID_LEN]>::try_into( - subject_key.sha1(), - ) - .unwrap(), - authority_key_id: &TryInto::<[u8; RtAliasCertTbsParams::SUBJECT_KEY_ID_LEN]>::try_into( - issuer_key.sha1(), - ) - .unwrap(), + ueid: &[0xAB; RtAliasCertTbsEcc384Params::UEID_LEN], + subject_key_id: + &TryInto::<[u8; RtAliasCertTbsEcc384Params::SUBJECT_KEY_ID_LEN]>::try_into( + subject_key.sha1(), + ) + .unwrap(), + authority_key_id: + &TryInto::<[u8; RtAliasCertTbsEcc384Params::SUBJECT_KEY_ID_LEN]>::try_into( + issuer_key.sha1(), + ) + .unwrap(), tcb_info_rt_svn: &[0xE3], - tcb_info_rt_tci: &[0xEFu8; RtAliasCertTbsParams::TCB_INFO_RT_TCI_LEN], + tcb_info_rt_tci: &[0xEFu8; RtAliasCertTbsEcc384Params::TCB_INFO_RT_TCI_LEN], not_before: &NotBefore::default().value, not_after: &NotAfter::default().value, }; - let cert = RtAliasCertTbs::new(¶ms); + let cert = RtAliasCertTbsEcc384::new(¶ms); let sig = cert .sign(|b| { 
@@ -73,45 +75,49 @@ mod tests { }) .unwrap(); - assert_ne!(cert.tbs(), RtAliasCertTbs::TBS_TEMPLATE); + assert_ne!(cert.tbs(), RtAliasCertTbsEcc384::TBS_TEMPLATE); assert_eq!( - &cert.tbs()[RtAliasCertTbs::PUBLIC_KEY_OFFSET - ..RtAliasCertTbs::PUBLIC_KEY_OFFSET + RtAliasCertTbs::PUBLIC_KEY_LEN], + &cert.tbs()[RtAliasCertTbsEcc384::PUBLIC_KEY_OFFSET + ..RtAliasCertTbsEcc384::PUBLIC_KEY_OFFSET + RtAliasCertTbsEcc384::PUBLIC_KEY_LEN], params.public_key, ); assert_eq!( - &cert.tbs()[RtAliasCertTbs::SUBJECT_SN_OFFSET - ..RtAliasCertTbs::SUBJECT_SN_OFFSET + RtAliasCertTbs::SUBJECT_SN_LEN], + &cert.tbs()[RtAliasCertTbsEcc384::SUBJECT_SN_OFFSET + ..RtAliasCertTbsEcc384::SUBJECT_SN_OFFSET + RtAliasCertTbsEcc384::SUBJECT_SN_LEN], params.subject_sn, ); assert_eq!( - &cert.tbs()[RtAliasCertTbs::ISSUER_SN_OFFSET - ..RtAliasCertTbs::ISSUER_SN_OFFSET + RtAliasCertTbs::ISSUER_SN_LEN], + &cert.tbs()[RtAliasCertTbsEcc384::ISSUER_SN_OFFSET + ..RtAliasCertTbsEcc384::ISSUER_SN_OFFSET + RtAliasCertTbsEcc384::ISSUER_SN_LEN], params.issuer_sn, ); assert_eq!( - &cert.tbs()[RtAliasCertTbs::UEID_OFFSET - ..RtAliasCertTbs::UEID_OFFSET + RtAliasCertTbs::UEID_LEN], + &cert.tbs()[RtAliasCertTbsEcc384::UEID_OFFSET + ..RtAliasCertTbsEcc384::UEID_OFFSET + RtAliasCertTbsEcc384::UEID_LEN], params.ueid, ); assert_eq!( - &cert.tbs()[RtAliasCertTbs::SUBJECT_KEY_ID_OFFSET - ..RtAliasCertTbs::SUBJECT_KEY_ID_OFFSET + RtAliasCertTbs::SUBJECT_KEY_ID_LEN], + &cert.tbs()[RtAliasCertTbsEcc384::SUBJECT_KEY_ID_OFFSET + ..RtAliasCertTbsEcc384::SUBJECT_KEY_ID_OFFSET + + RtAliasCertTbsEcc384::SUBJECT_KEY_ID_LEN], params.subject_key_id, ); assert_eq!( - &cert.tbs()[RtAliasCertTbs::AUTHORITY_KEY_ID_OFFSET - ..RtAliasCertTbs::AUTHORITY_KEY_ID_OFFSET + RtAliasCertTbs::AUTHORITY_KEY_ID_LEN], + &cert.tbs()[RtAliasCertTbsEcc384::AUTHORITY_KEY_ID_OFFSET + ..RtAliasCertTbsEcc384::AUTHORITY_KEY_ID_OFFSET + + RtAliasCertTbsEcc384::AUTHORITY_KEY_ID_LEN], params.authority_key_id, ); assert_eq!( - 
&cert.tbs()[RtAliasCertTbs::TCB_INFO_RT_SVN_OFFSET - ..RtAliasCertTbs::TCB_INFO_RT_SVN_OFFSET + RtAliasCertTbs::TCB_INFO_RT_SVN_LEN], + &cert.tbs()[RtAliasCertTbsEcc384::TCB_INFO_RT_SVN_OFFSET + ..RtAliasCertTbsEcc384::TCB_INFO_RT_SVN_OFFSET + + RtAliasCertTbsEcc384::TCB_INFO_RT_SVN_LEN], params.tcb_info_rt_svn, ); assert_eq!( - &cert.tbs()[RtAliasCertTbs::TCB_INFO_RT_TCI_OFFSET - ..RtAliasCertTbs::TCB_INFO_RT_TCI_OFFSET + RtAliasCertTbs::TCB_INFO_RT_TCI_LEN], + &cert.tbs()[RtAliasCertTbsEcc384::TCB_INFO_RT_TCI_OFFSET + ..RtAliasCertTbsEcc384::TCB_INFO_RT_TCI_OFFSET + + RtAliasCertTbsEcc384::TCB_INFO_RT_TCI_LEN], params.tcb_info_rt_tci, ); @@ -132,10 +138,10 @@ mod tests { #[cfg(feature = "generate_templates")] fn test_rt_alias_template() { let manual_template = - std::fs::read(std::path::Path::new("./build/rt_alias_cert_tbs.rs")).unwrap(); + std::fs::read(std::path::Path::new("./build/rt_alias_cert_tbs_ecc_384.rs")).unwrap(); let auto_generated_template = std::fs::read(std::path::Path::new(concat!( env!("OUT_DIR"), - "/rt_alias_cert_tbs.rs" + "/rt_alias_cert_tbs_ecc_384.rs" ))) .unwrap(); if auto_generated_template != manual_template { diff --git a/x509/src/rt_alias_cert_mldsa_87.rs b/x509/src/rt_alias_cert_mldsa_87.rs new file mode 100644 index 0000000000..b85bab9679 --- /dev/null +++ b/x509/src/rt_alias_cert_mldsa_87.rs @@ -0,0 +1,15 @@ +/*++ + +Licensed under the Apache-2.0 license. + +File Name: + + idevid_csr.rs + +Abstract: + + Initial Device ID Certificate Signing Request related code. + +--*/ + +include! {"../build/rt_alias_cert_tbs_mldsa_87.rs"}