Skip to content

Commit

Permalink
verifier: move SNP test data to test_data
Browse files Browse the repository at this point in the history 
Follows the layout of other verifiers

Signed-off-by: Tobin Feldman-Fitzthum <[email protected]>
  • Loading branch information
@fitzthum
fitzthum committed May 21, 2024
1 parent 6190207 commit 6b328e2
Show file tree
Hide file tree
Showing 7 changed files with 28 additions and 32 deletions.
60 changes: 28 additions & 32 deletions attestation-service/verifier/src/snp/mod.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -307,6 +307,14 @@ fn get_common_name(cert: &x509::X509) -> Result<String> {
mod tests {
use super::*;

const VCEK: &[u8; 1360] = include_bytes!("../../test_data/snp/test-vcek.der");
const VCEK_LEGACY: &[u8; 1361] = include_bytes!("../../test_data/snp/test-vcek-invalid-legacy.der");
const VCEK_NEW: &[u8; 1362] = include_bytes!("../../test_data/snp/test-vcek-invalid-new.der");
const VCEK_REPORT: &[u8; 1184] = include_bytes!("../../test_data/snp/test-report.bin");

const VLEK: &[u8; 1329] = include_bytes!("../../test_data/snp/test-vlek.der");
const VLEK_REPORT: &[u8; 1184] = include_bytes!("../../test_data/snp/test-vlek-report.bin");

#[test]
fn check_milan_certificates() {
let VendorCertificates { ask, ark, asvk } = load_milan_cert_chain().as_ref().unwrap();
Expand Down Expand Up @@ -339,8 +347,7 @@ mod tests {

#[test]
fn check_vlek_parsing() {
let vlek_der = include_bytes!("test-vlek.der");
let parsed_vlek = X509Certificate::from_der(vlek_der)
let parsed_vlek = X509Certificate::from_der(VLEK)
.unwrap()
.1
.tbs_certificate;
Expand All @@ -350,8 +357,7 @@ mod tests {

#[test]
fn check_vcek_parsing() {
let vcek_der = include_bytes!("test-vcek.der");
let parsed_vcek = X509Certificate::from_der(vcek_der)
let parsed_vcek = X509Certificate::from_der(VCEK)
.unwrap()
.1
.tbs_certificate;
Expand All @@ -363,8 +369,7 @@ mod tests {

#[test]
fn check_vcek_parsing_legacy() {
let vcek_der = include_bytes!("test-vcek-invalid-legacy.der");
let parsed_vcek = X509Certificate::from_der(vcek_der)
let parsed_vcek = X509Certificate::from_der(VCEK_LEGACY)
.unwrap()
.1
.tbs_certificate;
Expand All @@ -376,8 +381,7 @@ mod tests {

#[test]
fn check_vcek_parsing_new() {
let vcek_der = include_bytes!("test-vcek-invalid-new.der");
let parsed_vcek = X509Certificate::from_der(vcek_der)
let parsed_vcek = X509Certificate::from_der(VCEK_NEW)
.unwrap()
.1
.tbs_certificate;
Expand All @@ -389,99 +393,91 @@ mod tests {

#[test]
fn check_vcek_signature_verification() {
let vcek = include_bytes!("test-vcek.der").to_vec();
let cert_table = vec![CertTableEntry::new(CertType::VCEK, vcek)];
let cert_table = vec![CertTableEntry::new(CertType::VCEK, VCEK.to_vec())];
let VendorCertificates { ask, ark, asvk } = load_milan_cert_chain().as_ref().unwrap();
verify_cert_chain(&cert_table, ask, ark, asvk).unwrap();
}

#[test]
fn check_vcek_signature_failure() {
let mut vcek = include_bytes!("test-vcek.der").to_vec();
let mut vcek = VCEK.clone();

// corrupt some byte, while it should remain a valid cert
vcek[42] += 1;
X509::from_der(&vcek).expect("failed to parse der");

let cert_table = vec![CertTableEntry::new(CertType::VCEK, vcek)];
let cert_table = vec![CertTableEntry::new(CertType::VCEK, vcek.to_vec())];
let VendorCertificates { ask, ark, asvk } = load_milan_cert_chain().as_ref().unwrap();
verify_cert_chain(&cert_table, ask, ark, asvk).unwrap_err();
}

#[test]
fn check_vlek_signature_verification() {
let vlek = include_bytes!("test-vlek.der").to_vec();
let cert_table = vec![CertTableEntry::new(CertType::VLEK, vlek)];
let cert_table = vec![CertTableEntry::new(CertType::VLEK, VLEK.to_vec())];
let VendorCertificates { ask, ark, asvk } = load_milan_cert_chain().as_ref().unwrap();
verify_cert_chain(&cert_table, ask, ark, asvk).unwrap();
}

#[test]
fn check_vlek_signature_failure() {
let mut vlek = include_bytes!("test-vlek.der").to_vec();
let mut vlek = VLEK.clone();

// corrupt some byte, while it should remain a valid cert
vlek[42] += 1;
X509::from_der(&vlek).expect("failed to parse der");

let cert_table = vec![CertTableEntry::new(CertType::VLEK, vlek)];
let cert_table = vec![CertTableEntry::new(CertType::VLEK, vlek.to_vec())];
let VendorCertificates { ask, ark, asvk } = load_milan_cert_chain().as_ref().unwrap();
verify_cert_chain(&cert_table, ask, ark, asvk).unwrap_err();
}

#[test]
fn check_milan_chain_signature_failure() {
let vcek = include_bytes!("test-vcek.der").to_vec();
let cert_table = vec![CertTableEntry::new(CertType::VCEK, vcek)];
let cert_table = vec![CertTableEntry::new(CertType::VCEK, VCEK.to_vec())];
let VendorCertificates { ask, ark, asvk } = load_milan_cert_chain().as_ref().unwrap();

// toggle ark <=> ask
verify_cert_chain(&cert_table, ark, ask, asvk).unwrap_err();
}

#[test]
fn check_report_signature() {
let vcek = include_bytes!("test-vcek.der").to_vec();
let bytes = include_bytes!("test-report.bin");
let attestation_report = bincode::deserialize::<AttestationReport>(bytes).unwrap();
let cert_chain = vec![CertTableEntry::new(CertType::VCEK, vcek)];
let attestation_report = bincode::deserialize::<AttestationReport>(VCEK_REPORT.as_slice()).unwrap();
let cert_chain = vec![CertTableEntry::new(CertType::VCEK, VCEK.to_vec())];
let vendor_certs = load_milan_cert_chain().as_ref().unwrap();
verify_report_signature(&attestation_report, &cert_chain, vendor_certs).unwrap();
}

#[test]
fn check_vlek_report_signature() {
let vlek = include_bytes!("test-vlek.der").to_vec();
let bytes = include_bytes!("test-vlek-report.bin");
let attestation_report = bincode::deserialize::<AttestationReport>(bytes).unwrap();
let cert_chain = vec![CertTableEntry::new(CertType::VLEK, vlek)];
let attestation_report = bincode::deserialize::<AttestationReport>(VLEK_REPORT.as_slice()).unwrap();
let cert_chain = vec![CertTableEntry::new(CertType::VLEK, VLEK.to_vec())];
let vendor_certs = load_milan_cert_chain().as_ref().unwrap();
verify_report_signature(&attestation_report, &cert_chain, vendor_certs).unwrap();
}

#[test]
fn check_report_signature_failure() {
let vcek = include_bytes!("test-vcek.der").to_vec();
let mut bytes = include_bytes!("test-report.bin").to_vec();
let mut bytes = VCEK_REPORT.clone();

// corrupt some byte
bytes[42] += 1;

let attestation_report = bincode::deserialize::<AttestationReport>(&bytes).unwrap();
let cert_chain = vec![CertTableEntry::new(CertType::VCEK, vcek)];
let cert_chain = vec![CertTableEntry::new(CertType::VCEK, VCEK.to_vec())];
let vendor_certs = load_milan_cert_chain().as_ref().unwrap();
verify_report_signature(&attestation_report, &cert_chain, vendor_certs).unwrap_err();
}

#[test]
fn check_vlek_report_signature_failure() {
let vlek = include_bytes!("test-vlek.der").to_vec();
let mut bytes = include_bytes!("test-vlek-report.bin").to_vec();
let mut bytes = VLEK_REPORT.clone();

// corrupt some byte
bytes[42] += 1;

let attestation_report = bincode::deserialize::<AttestationReport>(&bytes).unwrap();
let cert_chain = vec![CertTableEntry::new(CertType::VLEK, vlek)];
let cert_chain = vec![CertTableEntry::new(CertType::VLEK, VLEK.to_vec())];
let vendor_certs = load_milan_cert_chain().as_ref().unwrap();
verify_report_signature(&attestation_report, &cert_chain, vendor_certs).unwrap_err();
}
Expand Down
0 ...-service/verifier/src/snp/test-report.bin → ...ce/verifier/test_data/snp/test-report.bin
View file
File renamed without changes.
0 ...fier/src/snp/test-vcek-invalid-legacy.der → ...est_data/snp/test-vcek-invalid-legacy.der
View file
File renamed without changes.
0 ...erifier/src/snp/test-vcek-invalid-new.der → ...r/test_data/snp/test-vcek-invalid-new.der
View file
File renamed without changes.
0 ...on-service/verifier/src/snp/test-vcek.der → ...vice/verifier/test_data/snp/test-vcek.der
View file
File renamed without changes.
0 ...ice/verifier/src/snp/test-vlek-report.bin → ...rifier/test_data/snp/test-vlek-report.bin
View file
File renamed without changes.
0 ...on-service/verifier/src/snp/test-vlek.der → ...vice/verifier/test_data/snp/test-vlek.der
View file
File renamed without changes.

0 comments on commit 6b328e2

Please sign in to comment.