From a8473bf87d47dc6d00a881328ccda73514c6696f Mon Sep 17 00:00:00 2001
From: nagendra modadugu <ngm@google.com>
Date: Wed, 8 Jun 2016 17:38:24 -0700
Subject: CR50: add a simple ASN.1 parser & certificate verifier

Add a certificate verifier, so that endorsement
certificates may be verified upon installation.
Doing so allows for catching certificate errors early.

BRANCH=none
BUG=chrome-os-partner:43025,chrome-os-partner:47524
TEST=all tests in test/tpm_test/tpmtest.py pass

Change-Id: I9339a6bc36e4d82ae875ce774e31848ae983fa1f
Signed-off-by: nagendra modadugu <ngm@google.com>
Reviewed-on: https://chromium-review.googlesource.com/351031
Commit-Ready: Nagendra Modadugu <ngm@google.com>
Tested-by: Nagendra Modadugu <ngm@google.com>
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
---
 test/tpm_test/rsa_test.py | 26 +++++++++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)

(limited to 'test')

diff --git a/test/tpm_test/rsa_test.py b/test/tpm_test/rsa_test.py
index 8fea03c449..7f7c28d5e6 100644
--- a/test/tpm_test/rsa_test.py
+++ b/test/tpm_test/rsa_test.py
@@ -21,7 +21,8 @@ _RSA_OPCODES = {
   'VERIFY': 0x03,
   'KEYGEN': 0x04,
   'KEYTEST': 0x05,
-  'PRIMEGEN': 0x06
+  'PRIMEGEN': 0x06,
+  'X509_VERIFY': 0x07
 }
 
 
@@ -135,6 +136,16 @@ def _primegen_cmd(seed):
                                 ml=struct.pack('>H', len(seed)), msg=seed,
                                 dl=struct.pack('>H', 0), dig='')
 
+def _x509_verify_cmd(key_len):
+  op = _RSA_OPCODES['X509_VERIFY']
+  padding = _RSA_PADDING['NONE']
+  hashing = _HASH['NONE']
+  return _RSA_CMD_FORMAT.format(o=op, p=padding, h=hashing,
+                                kl=struct.pack('>H', key_len),
+                                ml=struct.pack('>H', 0), msg='',
+                                dl=struct.pack('>H', 0), dig='')
+
+
 _PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53,
            59, 61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131,
            137, 139, 149, 151, 157, 163, 167, 173, 179, 181, 191, 193, 197, 199,
@@ -723,9 +734,22 @@ def _primegen_tests(tpm):
     print('%sSUCCESS: %s' % (utils.cursor_back(), test_name))
 
 
+def _x509_verify_tests(tpm):
+  test_name = 'RSA-X509-2048-VERIFY'
+  cmd = _x509_verify_cmd(2048)
+  wrapped_response = tpm.command(tpm.wrap_ext_command(subcmd.RSA, cmd))
+  valid = tpm.unwrap_ext_response(subcmd.RSA, wrapped_response)
+  expected = '\x01'
+  if valid != expected:
+    raise subcmd.TpmTestError('%s error:%s%s' % (
+      test_name, utils.hex_dump(valid), utils.hex_dump(expected)))
+  print('%sSUCCESS: %s' % (utils.cursor_back(), test_name))
+
+
 def rsa_test(tpm):
   _encrypt_tests(tpm)
   _sign_tests(tpm)
   _keytest_tests(tpm)
   _keygen_tests(tpm)
   _primegen_tests(tpm)
+  _x509_verify_tests(tpm)
-- 
cgit v1.2.1