author | Treehugger Robot <android-test-infra-autosubmit@system.gserviceaccount.com> | 2024-05-23 13:38:43 +0000 |
---|---|---|
committer | Gerrit Code Review <noreply-gerritcodereview@google.com> | 2024-05-23 13:38:43 +0000 |
commit | 569d56e364426458106260488192feb22e7e8648 (patch) | |
tree | 200670e0a2565365e6a081c48035f8cd56e48f56 | |
parent | f20b95675ae9e63bfa8974e0a34545ea259e2017 (diff) | |
parent | ff3811104599608ef606b6a530d718ef6f411c8e (diff) | |
-rw-r--r-- | libs/cborutil/src/lib.rs | 21 | ||||
-rw-r--r-- | libs/dice/open_dice/Android.bp | 1 | ||||
-rw-r--r-- | libs/dice/open_dice/src/lib.rs | 4 | ||||
-rw-r--r-- | service_vm/client_vm_csr/Android.bp | 1 | ||||
-rw-r--r-- | service_vm/client_vm_csr/src/lib.rs | 7 | ||||
-rw-r--r-- | service_vm/comm/src/client_vm_csr.cddl | 5 | ||||
-rw-r--r-- | service_vm/requests/src/rkp.rs | 10 |
7 files changed, 40 insertions, 9 deletions
diff --git a/libs/cborutil/src/lib.rs b/libs/cborutil/src/lib.rs
index 4d308c1b..b218c82a 100644
--- a/libs/cborutil/src/lib.rs
+++ b/libs/cborutil/src/lib.rs
@@ -21,7 +21,10 @@ extern crate alloc;
 use alloc::string::String;
 use alloc::vec::Vec;
 use ciborium::value::{Integer, Value};
-use coset::{CborSerializable, CoseError, CoseKey, Label, Result};
+use coset::{
+ iana::{self, EnumI64},
+ CborSerializable, CoseError, CoseKey, Label, Result,
+};
 use log::error;
 use serde::{de::DeserializeOwned, Serialize};
@@ -132,3 +135,19 @@ pub fn get_label_value(key: &CoseKey, label: Label) -> Result<&Value> {
 .ok_or(CoseError::UnexpectedItem("", "Label not found in CoseKey"))?
 .1)
 }
+
+/// Converts the provided COSE key algorithm integer to an `iana::Algorithm` used
+/// by DICE chains.
+pub fn dice_cose_key_alg(cose_key_alg: i32) -> Result<iana::Algorithm> {
+ let key_alg = iana::Algorithm::from_i64(cose_key_alg as i64).ok_or_else(|| {
+ error!("Unsupported COSE key algorithm for DICE: {cose_key_alg}");
+ CoseError::UnexpectedItem("COSE key algorithm", "")
+ })?;
+ match key_alg {
+ iana::Algorithm::EdDSA | iana::Algorithm::ES256 | iana::Algorithm::ES384 => Ok(key_alg),
+ _ => {
+ error!("Unsupported COSE key algorithm for DICE: {key_alg:?}");
+ Err(CoseError::UnexpectedItem("-8, -7 or -35", ""))
+ }
+ }
+}
diff --git a/libs/dice/open_dice/Android.bp b/libs/dice/open_dice/Android.bp
index ab3220e0..4904672d 100644
--- a/libs/dice/open_dice/Android.bp
+++ b/libs/dice/open_dice/Android.bp
@@ -161,6 +161,7 @@ rust_defaults {
 "--allowlist-var=DICE_PUBLIC_KEY_SIZE",
 "--allowlist-var=DICE_PRIVATE_KEY_SIZE",
 "--allowlist-var=DICE_SIGNATURE_SIZE",
+ "--allowlist-var=DICE_COSE_KEY_ALG_VALUE",
 ],
 }
diff --git a/libs/dice/open_dice/src/lib.rs b/libs/dice/open_dice/src/lib.rs
index d0004b18..085a2cd4 100644
--- a/libs/dice/open_dice/src/lib.rs
+++ b/libs/dice/open_dice/src/lib.rs
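Review bot: Both `CoseError::UnexpectedItem` values in `dice_cose_key_alg` carry the description in the wrong element: coset documents the variant as `(got, want)`, and this file's own `get_label_value` keeps the first element empty and puts its text in the second, so `UnexpectedItem("-8, -7 or -35", "")` reads as though -8/-7/-35 were the rejected input. Suggested replacements: `CoseError::UnexpectedItem("unregistered COSE algorithm", "-8 (EdDSA), -7 (ES256) or -35 (ES384)")` in the `ok_or_else` closure and `Err(CoseError::UnexpectedItem("unsupported COSE algorithm", "-8, -7 or -35"))` in the fallback arm. The doc comment should also state the contract, since callers use the result to label signatures that verifiers will trust: `/// Maps a COSE algorithm identifier (as emitted by open-dice's DICE_COSE_KEY_ALG_VALUE) to the matching iana::Algorithm; only EdDSA (-8), ES256 (-7) and ES384 (-35) are accepted, anything else is an error.` The `cose_key_alg as i64` widening is lossless, but `i64::from(cose_key_alg)` says so explicitly.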
@@ -40,6 +40,10 @@ pub use dice::{
 PublicKey, Signature, CDI_SIZE, HASH_SIZE, HIDDEN_SIZE, ID_SIZE, PRIVATE_KEY_SEED_SIZE,
 };
 pub use error::{DiceError, Result};
+// Currently, open-dice library only supports a single signing and verification algorithm.
+// The value of DICE_COSE_KEY_ALG_VALUE depends on the algorithm chosen by the underlying C
+// library at build time. Refer to b/342333212 for more information.
+pub use open_dice_cbor_bindgen::DICE_COSE_KEY_ALG_VALUE;
 pub use ops::{
 derive_cdi_leaf_priv, generate_certificate, hash, kdf, keypair_from_seed, sign, verify,
 };
diff --git a/service_vm/client_vm_csr/Android.bp b/service_vm/client_vm_csr/Android.bp
index 8d738d86..097779f7 100644
--- a/service_vm/client_vm_csr/Android.bp
+++ b/service_vm/client_vm_csr/Android.bp
@@ -8,6 +8,7 @@ rust_defaults {
 srcs: ["src/lib.rs"],
 rustlibs: [
 "libanyhow",
+ "libcbor_util",
 "libcoset",
 "libdiced_open_dice",
 "libopenssl",
diff --git a/service_vm/client_vm_csr/src/lib.rs b/service_vm/client_vm_csr/src/lib.rs
index 0babfff7..70152cb3 100644
--- a/service_vm/client_vm_csr/src/lib.rs
+++ b/service_vm/client_vm_csr/src/lib.rs
@@ -20,7 +20,9 @@ use coset::{
 iana, CborSerializable, CoseKey, CoseKeyBuilder, CoseSign, CoseSignBuilder, CoseSignature,
 CoseSignatureBuilder, HeaderBuilder,
 };
-use diced_open_dice::{derive_cdi_leaf_priv, sign, DiceArtifacts, PrivateKey};
+use diced_open_dice::{
+ derive_cdi_leaf_priv, sign, DiceArtifacts, PrivateKey, DICE_COSE_KEY_ALG_VALUE,
+};
 use openssl::{
 bn::{BigNum, BigNumContext},
 ec::{EcGroup, EcKey, EcKeyRef},
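Review bot: The comment above the new `pub use open_dice_cbor_bindgen::DICE_COSE_KEY_ALG_VALUE;` uses `//`, so the build-time caveat it carries will not appear in rustdoc for the re-exported constant that `client_vm_csr` and `rkp.rs` now depend on; `///` would surface it. Since the value is fixed at compile time, the crate could also reject an unexpected algorithm at build time instead of leaving every caller to hit the runtime conversion error on each request, e.g. `const _: () = assert!(DICE_COSE_KEY_ALG_VALUE == -8 || DICE_COSE_KEY_ALG_VALUE == -7 || DICE_COSE_KEY_ALG_VALUE == -35, "unsupported DICE COSE algorithm");` — this assumes bindgen emits the define as an integer `const`, which the hunk does not show. The comment should also say what the number is, not only where it comes from: `/// COSE algorithm identifier (RFC 9053) of the signatures produced by sign() and checked by verify(); chosen when the open-dice C library is built, so it must be read from the bindings rather than hard-coded.`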
@@ -91,7 +93,8 @@ fn build_signed_data(
 cdi_leaf_priv: &PrivateKey,
 attestation_key: &EcKeyRef<Private>,
 ) -> Result<CoseSign> {
-let cdi_leaf_sig_headers = build_signature_headers(iana::Algorithm::EdDSA);
+let dice_key_alg = cbor_util::dice_cose_key_alg(DICE_COSE_KEY_ALG_VALUE)?;
+let cdi_leaf_sig_headers = build_signature_headers(dice_key_alg);
 let attestation_key_sig_headers = build_signature_headers(ATTESTATION_KEY_ALGO);
 let aad = &[];
 let signed_data = CoseSignBuilder::new()
diff --git a/service_vm/comm/src/client_vm_csr.cddl b/service_vm/comm/src/client_vm_csr.cddl
index bbc709a6..7ddbfa33 100644
--- a/service_vm/comm/src/client_vm_csr.cddl
+++ b/service_vm/comm/src/client_vm_csr.cddl
@@ -33,9 +33,10 @@ Signatures = [
 ; COSE_Signature [RFC9052 s4.1]
 COSE_Signature_Dice_Cdi_Leaf = [
-protected: bstr .cbor { 1: AlgorithmEdDSA },
+protected: bstr .cbor { 1: AlgorithmEdDSA / AlgorithmES256 / AlgorithmES384 },
 unprotected: {},
-signature: bstr, ; Ed25519(CDI_Leaf_Priv, SigStruct)
+signature: bstr, ; PureEd25519(CDI_Leaf_Priv, SigStruct)
+; ECDSA(CDI_Leaf_Priv, SigStruct)
 ]
 ; COSE_Signature [RFC9052 s4.1]
diff --git a/service_vm/requests/src/rkp.rs b/service_vm/requests/src/rkp.rs
index 4f2262f3..aa363e5f 100644
--- a/service_vm/requests/src/rkp.rs
+++ b/service_vm/requests/src/rkp.rs
@@ -26,8 +26,10 @@ use ciborium::{
 value::{CanonicalValue, Value},
 };
 use core::result;
-use coset::{iana, AsCborValue, CoseSign1, CoseSign1Builder, HeaderBuilder};
-use diced_open_dice::{derive_cdi_leaf_priv, kdf, sign, DiceArtifacts, PrivateKey};
+use coset::{AsCborValue, CoseSign1, CoseSign1Builder, HeaderBuilder};
+use diced_open_dice::{
+ derive_cdi_leaf_priv, kdf, sign, DiceArtifacts, PrivateKey, DICE_COSE_KEY_ALG_VALUE,
+};
 use log::{debug, error};
 use service_vm_comm::{EcdsaP256KeyPair, GenerateCertificateRequestParams, RequestProcessingError};
 use zeroize::Zeroizing;
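Review bot: In `build_signed_data` the `alg` header for the CDI leaf signature is now taken from `DICE_COSE_KEY_ALG_VALUE`, but nothing at the new assignment says why that is the only acceptable source: the signature bytes are presumably produced further down by `diced_open_dice::sign` (imported in this file, outside the hunk), so the header is right only because both come from the same open-dice build. A one-line comment would stop someone reintroducing a hard-coded algorithm here: `// Must match what diced_open_dice::sign produces; the algorithm is fixed when open-dice is built.` The function's signature begins, and its body continues, outside the hunk.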
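Review bot: The new `; ECDSA(CDI_Leaf_Priv, SigStruct)` comment on the signature field does not say which hash goes with each `alg`, whereas the Ed25519 line was made precise as `PureEd25519`; a verifier written from this schema needs that pairing spelled out, and COSE fixes it per identifier (RFC 9053: ES256 is ECDSA with SHA-256, ES384 is ECDSA with SHA-384, with the curve taken from the key). Suggest `; ES256: ECDSA-SHA256(CDI_Leaf_Priv, SigStruct)` and `; ES384: ECDSA-SHA384(CDI_Leaf_Priv, SigStruct)` in place of the single ECDSA line, plus a note that the protected `alg` must agree with the key type of the DICE leaf public key in the chain rather than being trusted on its own. Whether `AlgorithmES256` and `AlgorithmES384` are already defined in this file is not visible in the hunk; if not, `AlgorithmES256 = -7` and `AlgorithmES384 = -35` need adding next to `AlgorithmEdDSA`.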
@@ -151,8 +153,8 @@ fn build_signed_data(payload: &Value, dice_artifacts: &dyn DiceArtifacts) -> Res
 error!("Failed to derive the CDI_Leaf_Priv: {e}");
 RequestProcessingError::InternalError
 })?;
-let signing_algorithm = iana::Algorithm::EdDSA;
-let protected = HeaderBuilder::new().algorithm(signing_algorithm).build();
+let dice_key_alg = cbor_util::dice_cose_key_alg(DICE_COSE_KEY_ALG_VALUE)?;
+let protected = HeaderBuilder::new().algorithm(dice_key_alg).build();
 let signed_data = CoseSign1Builder::new()
 .protected(protected)
 .payload(cbor_util::serialize(payload)?)
|
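Review bot: `cbor_util::dice_cose_key_alg(DICE_COSE_KEY_ALG_VALUE)?` relies on the implicit `From<CoseError>` conversion into this function's error type, so a build with an unsupported DICE algorithm would be reported to the caller as whatever variant that conversion yields (presumably the same one `cbor_util::serialize(payload)?` two lines below maps to), while the `derive_cdi_leaf_priv` failure just above is explicitly mapped to `RequestProcessingError::InternalError`. An unsupported signing algorithm is an internal misconfiguration, not a malformed request, so it should take that same path: `let dice_key_alg = cbor_util::dice_cose_key_alg(DICE_COSE_KEY_ALG_VALUE).map_err(|_| RequestProcessingError::InternalError)?;` (the helper already logs the offending value). `build_signed_data` starts before the hunk and continues past its last line.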