Gitiles
Code Review Sign In
gerrit.omnirom.org / android_packages_modules_Virtualization / 9bd9809f3cf44b4793a8a8de1d125c9b8bb340e4^! / . / service_vm
commit9bd9809f3cf44b4793a8a8de1d125c9b8bb340e4[log] [tgz]
authorAlice Wang <aliceywang@google.com>Fri Nov 10 14:08:12 2023 +0000
committerAlice Wang <aliceywang@google.com>Mon Nov 20 16:38:55 2023 +0000
treeef36b6c304a42bd297f1e92d3cb55c9fa8d93bd6
parentf0ecad523d9058cb8684b83d63e973252fe86acb [diff]
[attestation] Build the BoringSSL EcKey from the COSE public key

Bug: 309440321
Test: atest rialto_test
Change-Id: I674d8edf2d806e7455b836b7a50a776ac75bc800

diff --git a/service_vm/requests/src/client_vm.rs b/service_vm/requests/src/client_vm.rs
index 74c26d3..b1fd03d 100644
--- a/service_vm/requests/src/client_vm.rs
+++ b/service_vm/requests/src/client_vm.rs

@@ -22,17 +22,34 @@
 use coset::{CborSerializable, CoseSign};
 use diced_open_dice::DiceArtifacts;
 use log::error;
-use service_vm_comm::{ClientVmAttestationParams, Csr, RequestProcessingError};
+use service_vm_comm::{ClientVmAttestationParams, Csr, CsrPayload, RequestProcessingError};
 
 type Result<T> = result::Result<T, RequestProcessingError>;
 
+const ATTESTATION_KEY_SIGNATURE_INDEX: usize = 1;
+
 pub(super) fn request_attestation(
     params: ClientVmAttestationParams,
     dice_artifacts: &dyn DiceArtifacts,
 ) -> Result<Vec<u8>> {
     let csr = Csr::from_cbor_slice(&params.csr)?;
-    let _cose_sign = CoseSign::from_slice(&csr.signed_csr_payload)?;
-    // TODO(b/309440321): Verify the signatures in the `_cose_sign`.
+    let cose_sign = CoseSign::from_slice(&csr.signed_csr_payload)?;
+    let csr_payload = cose_sign.payload.as_ref().ok_or_else(|| {
+        error!("No CsrPayload found in the CSR");
+        RequestProcessingError::InternalError
+    })?;
+    let csr_payload = CsrPayload::from_cbor_slice(csr_payload)?;
+
+    // AAD is empty as defined in service_vm/comm/client_vm_csr.cddl.
+    let aad = &[];
+
+    // TODO(b/310931749): Verify the first signature with CDI_Leaf_Pub of
+    // the DICE chain in `cose_sign`.
+
+    let ec_public_key = EcKey::from_cose_public_key(&csr_payload.public_key)?;
+    cose_sign.verify_signature(ATTESTATION_KEY_SIGNATURE_INDEX, aad, |signature, message| {
+        ec_public_key.ecdsa_verify(signature, message)
+    })?;
 
     // TODO(b/278717513): Compare client VM's DICE chain in the `csr` up to pvmfw
     // cert with RKP VM's DICE chain.

diff --git a/service_vm/requests/src/rkp.rs b/service_vm/requests/src/rkp.rs
index c2c13b3..2c01451 100644
--- a/service_vm/requests/src/rkp.rs
+++ b/service_vm/requests/src/rkp.rs

@@ -44,7 +44,8 @@
     dice_artifacts: &dyn DiceArtifacts,
 ) -> Result<EcdsaP256KeyPair> {
     let hmac_key = derive_hmac_key(dice_artifacts)?;
-    let ec_key = EcKey::new_p256()?;
+    let mut ec_key = EcKey::new_p256()?;
+    ec_key.generate_key()?;
 
     let maced_public_key = build_maced_public_key(ec_key.cose_public_key()?, hmac_key.as_ref())?;
     let key_blob =