Rewrite key management & signing

Extend compos_helper to support signing, use it from CompOS.

Expose the public key from the VM. Rename compos_verify_key to
compos_verify and get it to verify the signature against the current
instance's public key.

Also move DICE access to compos_key_main. There's no use having it in
the library - neither the tests nor compos_verify can use it - and it
complicates the build rules.

There's a lot more that can be deleted, but I'll do that in a
follow-up; this is big enough already.

Bug: 218494522
Test: atest CompOsSigningHostTest CompOsDenialHostTest
Change-Id: I2d71f68a595d5ddadb2e7b16937fa6855f5db0ab
diff --git a/compos/composd/src/service.rs b/compos/composd/src/service.rs
index f4121e7..8e5586e 100644
--- a/compos/composd/src/service.rs
+++ b/compos/composd/src/service.rs
@@ -30,6 +30,7 @@
 use anyhow::{Context, Result};
 use compos_aidl_interface::aidl::com::android::compos::ICompOsService::CompilationMode::CompilationMode;
 use compos_common::binder::to_binder_result;
+use compos_common::odrefresh::{PENDING_ARTIFACTS_SUBDIR, TEST_ARTIFACTS_SUBDIR};
 use rustutils::{users::AID_ROOT, users::AID_SYSTEM};
 use std::sync::Arc;
 
@@ -72,7 +73,7 @@
         // TODO: Try to start the current instance with staged APEXes to see if it works?
         let comp_os = self.instance_manager.start_pending_instance().context("Starting CompOS")?;
 
-        let target_dir_name = "compos-pending".to_owned();
+        let target_dir_name = PENDING_ARTIFACTS_SUBDIR.to_owned();
         let task = OdrefreshTask::start(
             comp_os,
             CompilationMode::NORMAL_COMPILE,
@@ -89,7 +90,7 @@
     ) -> Result<Strong<dyn ICompilationTask>> {
         let comp_os = self.instance_manager.start_test_instance().context("Starting CompOS")?;
 
-        let target_dir_name = "test-artifacts".to_owned();
+        let target_dir_name = TEST_ARTIFACTS_SUBDIR.to_owned();
         let task = OdrefreshTask::start(
             comp_os,
             CompilationMode::TEST_COMPILE,