Empty key_ops allows everything
We were requiring key_ops to include the Verify op. But the convention
is that an empty (or omitted) key_ops imposes no restrictions.
This was causing us to reject a valid DICE chain.
Bug: 338745127
Test: atest VmAttestationTestApp
Change-Id: Ib394bb8f0dda2f27d866358adbc83f128419b45a
diff --git a/service_vm/requests/src/dice.rs b/service_vm/requests/src/dice.rs
index df29676..1fa02a1 100644
--- a/service_vm/requests/src/dice.rs
+++ b/service_vm/requests/src/dice.rs
@@ -210,7 +210,12 @@
type Error = RequestProcessingError;
fn try_from(key: CoseKey) -> Result<Self> {
- if !key.key_ops.contains(&KeyOperation::Assigned(iana::KeyOperation::Verify)) {
+ // The public key must allow use for verification.
+ // Note that an empty key_ops set implicitly allows everything.
+ let key_ops = &key.key_ops;
+ if !key_ops.is_empty()
+ && !key_ops.contains(&KeyOperation::Assigned(iana::KeyOperation::Verify))
+ {
error!("Public key does not support verification");
return Err(RequestProcessingError::InvalidDiceChain);
}
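Review bot: The relaxed `key_ops` check in `try_from` has no unit test in this change; the commit lists only the `atest VmAttestationTestApp` integration run. The check now has three outcomes: empty `key_ops` is accepted, a set containing Verify is accepted, and a non-empty set without Verify is rejected with `InvalidDiceChain`. Because this loosens validation on the DICE chain verification path, a later edit that flips the `&&` or drops the `is_empty()` guard would either accept keys restricted to other operations or bring back the original rejection, so a small test building a `CoseKey` for each case would pin the behaviour. The new comment could also name its source, e.g. `// Per COSE (RFC 9052), an absent or empty key_ops places no restriction on key use.`. The body of `try_from` continues outside the hunk, so it is not visible here whether the key type and algorithm are still checked for keys that arrive with no `key_ops`.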