Gitiles
Code Review Sign In
gerrit.omnirom.org / android_packages_modules_Virtualization / 20b8ebc461cff0aea18efd31aa9c37cb031a64e3^! / . / service_vm / comm
commit20b8ebc461cff0aea18efd31aa9c37cb031a64e3[log] [tgz]
authorAlice Wang <aliceywang@google.com>Fri Nov 17 09:54:47 2023 +0000
committerAlice Wang <aliceywang@google.com>Fri Nov 24 14:09:32 2023 +0000
tree1cf3632d5b4f7a435b6f02d0f11cd959fdde577c
parent4c6c558c3caa0076c5c7df9457e6b252dca5c205 [diff]
[attestation] Build the certificate output for attestation

This cl builds the certificate output for the client VM in
pVM remote attestation. The certificate includes the subject
public key extracted from the CSR of the client VM and is
signed by the remotely provisioned key obtained from RKPD.

However, certain fields such as VM information in the
extension are currently absent and will be incorporated in
future changes.

Bug: 311359366
Bug: 309441500
Test: atest rialto_test
Change-Id: Ie9acf72b6158f371c70fa303932aa2b6bf9cfab4

diff --git a/service_vm/comm/Android.bp b/service_vm/comm/Android.bp
index 6e05587..bdfc099 100644
--- a/service_vm/comm/Android.bp
+++ b/service_vm/comm/Android.bp

@@ -24,6 +24,7 @@
         "libbssl_avf_error_nostd",
         "libciborium_nostd",
         "libcoset_nostd",
+        "libder_nostd",
         "liblog_rust_nostd",
         "libserde_nostd",
     ],

diff --git a/service_vm/comm/src/message.rs b/service_vm/comm/src/message.rs
index 6dd0ccd..87c8378 100644
--- a/service_vm/comm/src/message.rs
+++ b/service_vm/comm/src/message.rs

@@ -66,6 +66,13 @@
 
     /// The key blob retrieved from RKPD by virtualizationservice.
     pub remotely_provisioned_key_blob: Vec<u8>,
+
+    /// The leaf certificate of the certificate chain retrieved from RKPD by
+    /// virtualizationservice.
+    ///
+    /// This certificate is a DER-encoded X.509 certificate that includes the remotely
+    /// provisioned public key.
+    pub remotely_provisioned_cert: Vec<u8>,
 }
 
 /// Represents a response to a request sent to the service VM.
@@ -120,6 +127,9 @@
 
     /// The requested operation has not been implemented.
     OperationUnimplemented,
+
+    /// An error happened during the DER encoding/decoding.
+    DerError,
 }
 
 impl fmt::Display for RequestProcessingError {
@@ -142,6 +152,9 @@
             Self::OperationUnimplemented => {
                 write!(f, "The requested operation has not been implemented")
             }
+            Self::DerError => {
+                write!(f, "An error happened during the DER encoding/decoding")
+            }
         }
     }
 }
@@ -166,6 +179,14 @@
     }
 }
 
+#[cfg(not(feature = "std"))]
+impl From<der::Error> for RequestProcessingError {
+    fn from(e: der::Error) -> Self {
+        error!("DER encoding/decoding error: {e}");
+        Self::DerError
+    }
+}
+
 /// Represents the params passed to GenerateCertificateRequest
 #[derive(Clone, Debug, Serialize, Deserialize)]
 pub struct GenerateCertificateRequestParams {