Skip to content

Commit

Permalink
Upgrade fake endorsements to use claims rather than the usage field, …
Browse files Browse the repository at this point in the history 
…following the latest endorsement specs (V3).

Bug: 369602264
Change-Id: I67f0893a5c269e6e597723b47f6bd8bb9112e094
  • Loading branch information
@thmsbinder
thmsbinder committed Nov 18, 2024
1 parent 3ff4ae4 commit 957f5bb
Show file tree
Hide file tree
Showing 2 changed files with 10 additions and 24 deletions.
7 changes: 4 additions & 3 deletions oak_attestation_verification/src/expect/tests.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,7 @@ use prost::Message;
use time::ext::NumericalDuration;

use crate::{
endorsement::{FIRMWARE_CLAIM_TYPE, KERNEL_CLAIM_TYPE},
test_util::{self, GetValidity},
util::{self, UnixTimestampMillis},
};
Expand All @@ -36,7 +37,7 @@ fn test_get_expected_measurement_digest_validity() {
// Create an endorsement of some arbitrary content.
let measured_content = b"Just some abitrary content";
let content_digests = util::raw_digest_from_contents(measured_content);
let endorsement = test_util::fake_endorsement(&content_digests, test_util::Usage::None);
let endorsement = test_util::fake_endorsement(&content_digests, vec![]);
let endorsement_validity = endorsement.predicate.validity.as_ref().expect("no validity");

// Now create the TR endorsement.
Expand Down Expand Up @@ -94,7 +95,7 @@ fn test_get_stage0_expected_values_validity() {
// hash is the hash of the serialized firmware attachment.
let subject_digests = util::raw_digest_from_contents(&serialized_subject);
let (signing_key, public_key) = test_util::new_random_signing_keypair();
let endorsement = test_util::fake_endorsement(&subject_digests, test_util::Usage::Firmware);
let endorsement = test_util::fake_endorsement(&subject_digests, vec![FIRMWARE_CLAIM_TYPE]);
let endorsement_validity = endorsement.predicate.validity.as_ref().expect("no validity");
let (serialized_endorsement, endorsement_signature) =
test_util::serialize_and_sign_endorsement(&endorsement, signing_key);
Expand Down Expand Up @@ -146,7 +147,7 @@ fn test_get_kernel_expected_values_validity() {
// hash is the hash of the serialized kernel attachment.
let subject_digests = util::raw_digest_from_contents(&serialized_subject);
let (signing_key, public_key) = test_util::new_random_signing_keypair();
let endorsement = test_util::fake_endorsement(&subject_digests, test_util::Usage::Kernel);
let endorsement = test_util::fake_endorsement(&subject_digests, vec![KERNEL_CLAIM_TYPE]);
let endorsement_validity = endorsement.predicate.validity.as_ref().expect("no validity");
let (serialized_endorsement, endorsement_signature) =
test_util::serialize_and_sign_endorsement(&endorsement, signing_key);
Expand Down
27 changes: 6 additions & 21 deletions oak_attestation_verification/src/test_util.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -26,39 +26,24 @@ use oak_proto_rust::oak::{
use p256::{ecdsa::signature::Signer, pkcs8::EncodePublicKey, NistP256, PublicKey};
use time::macros::datetime;

use crate::endorsement::{self, DefaultPredicate, DefaultStatement, Statement, Subject};
use crate::endorsement::{self, Claim, DefaultPredicate, DefaultStatement, Statement, Subject};

pub enum Usage {
None,
Firmware,
Kernel,
}

impl std::fmt::Display for Usage {
fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> Result<(), std::fmt::Error> {
match self {
Self::None => write!(f, ""),
Self::Firmware => write!(f, "firmware"),
Self::Kernel => write!(f, "kernel"),
}
}
}
/// A simple fake endorsement for basic generic testing purposes.
pub fn fake_endorsement(digests: &RawDigest, usage: Usage) -> DefaultStatement {
let map_digests = raw_digest_to_map(digests);
pub fn fake_endorsement(digest: &RawDigest, claim_types: Vec<&str>) -> DefaultStatement {
let map_digest = raw_digest_to_map(digest);

DefaultStatement {
_type: endorsement::STATEMENT_TYPE.to_owned(),
predicate_type: endorsement::PREDICATE_TYPE_V3.to_owned(),
subject: vec![Subject { name: "Fake Subject".to_string(), digest: map_digests }],
subject: vec![Subject { name: "fake_subject_name".to_string(), digest: map_digest }],
predicate: DefaultPredicate {
usage: usage.to_string(),
usage: "".to_owned(), // Ignored with predicate V3, do not use.
issued_on: datetime!(2024-10-01 12:08 UTC),
validity: Some(endorsement::Validity {
not_before: datetime!(2024-09-01 12:00 UTC),
not_after: datetime!(2024-12-01 12:00 UTC),
}),
claims: vec![],
claims: claim_types.iter().map(|x| Claim { r#type: x.to_string() }).collect(),
},
}
}
Expand Down

0 comments on commit 957f5bb

Please sign in to comment.