[cbor] Separate cbor conversion functions in an independent lib
This allows callers from both std and nostd environment to
convert to/from CBOR-encoded data.
Bug: 303807447
Test: atest libservice_vm_requests.test
Change-Id: Ib2052f28779290165941cb2cf7ecc9ca566472af
diff --git a/service_vm/requests/Android.bp b/service_vm/requests/Android.bp
index f85064a..ecede8b 100644
--- a/service_vm/requests/Android.bp
+++ b/service_vm/requests/Android.bp
@@ -18,6 +18,7 @@
rustlibs: [
"libbssl_avf_error_nostd",
"libbssl_avf_nostd",
+ "libcbor_util_nostd",
"libciborium_nostd",
"libcoset_nostd",
"libdiced_open_dice_nostd",
diff --git a/service_vm/requests/src/cbor.rs b/service_vm/requests/src/cbor.rs
deleted file mode 100644
index 36492e5..0000000
--- a/service_vm/requests/src/cbor.rs
+++ /dev/null
@@ -1,37 +0,0 @@
-// Copyright 2023, The Android Open Source Project
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-//! Utility functions for CBOR serialization/deserialization.
-
-use alloc::vec::Vec;
-use coset::{CoseError, Result};
-use serde::{de::DeserializeOwned, Serialize};
-
-/// Serializes the given data to a CBOR-encoded byte vector.
-pub(crate) fn serialize<T: ?Sized + Serialize>(v: &T) -> Result<Vec<u8>> {
- let mut data = Vec::new();
- ciborium::into_writer(v, &mut data)?;
- Ok(data)
-}
-
-/// Deserializes the given type from a CBOR-encoded byte slice, failing if any extra
-/// data remains after the type has been read.
-pub(crate) fn deserialize<T: DeserializeOwned>(mut data: &[u8]) -> Result<T> {
- let res = ciborium::from_reader(&mut data)?;
- if data.is_empty() {
- Ok(res)
- } else {
- Err(CoseError::ExtraneousData)
- }
-}
diff --git a/service_vm/requests/src/keyblob.rs b/service_vm/requests/src/keyblob.rs
index a714edd..456c879 100644
--- a/service_vm/requests/src/keyblob.rs
+++ b/service_vm/requests/src/keyblob.rs
@@ -14,7 +14,6 @@
//! Handles the encryption and decryption of the key blob.
-use crate::cbor;
use alloc::vec;
use alloc::vec::Vec;
use bssl_avf::{hkdf, rand_bytes, Aead, AeadContext, Digester, AES_GCM_NONCE_LENGTH};
@@ -70,16 +69,6 @@
Self::V1(blob) => blob.decrypt_private_key(kek_secret),
}
}
-
- // TODO(b/241428146): This function will be used once the retrieval mechanism is available.
- #[cfg(test)]
- pub(crate) fn from_cbor_slice(slice: &[u8]) -> coset::Result<Self> {
- cbor::deserialize(slice)
- }
-
- pub(crate) fn to_cbor_vec(&self) -> coset::Result<Vec<u8>> {
- cbor::serialize(&self)
- }
}
impl EncryptedKeyBlobV1 {
@@ -136,8 +125,9 @@
#[test]
fn decrypting_keyblob_succeeds_with_the_same_kek() -> Result<()> {
- let encrypted_key_blob = EncryptedKeyBlob::new(&TEST_KEY, &TEST_SECRET1)?.to_cbor_vec()?;
- let encrypted_key_blob = EncryptedKeyBlob::from_cbor_slice(&encrypted_key_blob)?;
+ let encrypted_key_blob =
+ cbor_util::serialize(&EncryptedKeyBlob::new(&TEST_KEY, &TEST_SECRET1)?)?;
+ let encrypted_key_blob: EncryptedKeyBlob = cbor_util::deserialize(&encrypted_key_blob)?;
let decrypted_key = encrypted_key_blob.decrypt_private_key(&TEST_SECRET1)?;
assert_eq!(TEST_KEY, decrypted_key.as_slice());
@@ -146,8 +136,9 @@
#[test]
fn decrypting_keyblob_fails_with_a_different_kek() -> Result<()> {
- let encrypted_key_blob = EncryptedKeyBlob::new(&TEST_KEY, &TEST_SECRET1)?.to_cbor_vec()?;
- let encrypted_key_blob = EncryptedKeyBlob::from_cbor_slice(&encrypted_key_blob)?;
+ let encrypted_key_blob =
+ cbor_util::serialize(&EncryptedKeyBlob::new(&TEST_KEY, &TEST_SECRET1)?)?;
+ let encrypted_key_blob: EncryptedKeyBlob = cbor_util::deserialize(&encrypted_key_blob)?;
let err = encrypted_key_blob.decrypt_private_key(&TEST_SECRET2).unwrap_err();
let expected_err: RequestProcessingError =
diff --git a/service_vm/requests/src/lib.rs b/service_vm/requests/src/lib.rs
index 6fa6e0b..e3c5794 100644
--- a/service_vm/requests/src/lib.rs
+++ b/service_vm/requests/src/lib.rs
@@ -19,7 +19,6 @@
extern crate alloc;
mod api;
-mod cbor;
mod keyblob;
mod pub_key;
mod rkp;
diff --git a/service_vm/requests/src/rkp.rs b/service_vm/requests/src/rkp.rs
index 933737c..8d7d771 100644
--- a/service_vm/requests/src/rkp.rs
+++ b/service_vm/requests/src/rkp.rs
@@ -15,7 +15,6 @@
//! This module contains functions related to the attestation of the
//! service VM via the RKP (Remote Key Provisioning) server.
-use crate::cbor;
use crate::keyblob::EncryptedKeyBlob;
use crate::pub_key::{build_maced_public_key, validate_public_key};
use alloc::string::String;
@@ -51,7 +50,8 @@
let key_blob =
EncryptedKeyBlob::new(ec_key.private_key()?.as_slice(), dice_artifacts.cdi_seal())?;
- let key_pair = EcdsaP256KeyPair { maced_public_key, key_blob: key_blob.to_cbor_vec()? };
+ let key_pair =
+ EcdsaP256KeyPair { maced_public_key, key_blob: cbor_util::serialize(&key_blob)? };
Ok(key_pair)
}
@@ -81,7 +81,7 @@
// TODO(b/299256925): Add device info in CBOR format here.
Value::Array(public_keys),
])?;
- let csr_payload = cbor::serialize(&csr_payload)?;
+ let csr_payload = cbor_util::serialize(&csr_payload)?;
// Builds `SignedData`.
let signed_data_payload =
@@ -93,14 +93,14 @@
// Check http://b/301574013#comment3 for more information.
let uds_certs = Value::Map(Vec::new());
let dice_cert_chain = dice_artifacts.bcc().ok_or(RequestProcessingError::MissingDiceChain)?;
- let dice_cert_chain: Value = cbor::deserialize(dice_cert_chain)?;
+ let dice_cert_chain: Value = cbor_util::deserialize(dice_cert_chain)?;
let auth_req = cbor!([
Value::Integer(AUTH_REQ_SCHEMA_V1.into()),
uds_certs,
dice_cert_chain,
signed_data,
])?;
- Ok(cbor::serialize(&auth_req)?)
+ Ok(cbor_util::serialize(&auth_req)?)
}
fn derive_hmac_key(dice_artifacts: &dyn DiceArtifacts) -> Result<Zeroizing<[u8; HMAC_KEY_LENGTH]>> {
@@ -122,7 +122,7 @@
let protected = HeaderBuilder::new().algorithm(signing_algorithm).build();
let signed_data = CoseSign1Builder::new()
.protected(protected)
- .payload(cbor::serialize(payload)?)
+ .payload(cbor_util::serialize(payload)?)
.try_create_signature(&[], |message| sign_message(message, &cdi_leaf_priv))?
.build();
Ok(signed_data)