[dice] Read the COSE key algorithm from DICE library
Instead of hard-coding it.
This allows users to use different types of keys underneath as
needed.
Bug: 342333212
Test: atest VmAttestationTest
Change-Id: I2751cbda79c1f8bd7980ac3ddcae6a9a5922b682
diff --git a/libs/cborutil/src/lib.rs b/libs/cborutil/src/lib.rs
index 4d308c1..b218c82 100644
--- a/libs/cborutil/src/lib.rs
+++ b/libs/cborutil/src/lib.rs
@@ -21,7 +21,10 @@
use alloc::string::String;
use alloc::vec::Vec;
use ciborium::value::{Integer, Value};
-use coset::{CborSerializable, CoseError, CoseKey, Label, Result};
+use coset::{
+ iana::{self, EnumI64},
+ CborSerializable, CoseError, CoseKey, Label, Result,
+};
use log::error;
use serde::{de::DeserializeOwned, Serialize};
@@ -132,3 +135,19 @@
.ok_or(CoseError::UnexpectedItem("", "Label not found in CoseKey"))?
.1)
}
+
+/// Converts the provided COSE key algorithm integer to an `iana::Algorithm` used
+/// by DICE chains.
+pub fn dice_cose_key_alg(cose_key_alg: i32) -> Result<iana::Algorithm> {
+ let key_alg = iana::Algorithm::from_i64(cose_key_alg as i64).ok_or_else(|| {
+ error!("Unsupported COSE key algorithm for DICE: {cose_key_alg}");
+ CoseError::UnexpectedItem("COSE key algorithm", "")
+ })?;
+ match key_alg {
+ iana::Algorithm::EdDSA | iana::Algorithm::ES256 | iana::Algorithm::ES384 => Ok(key_alg),
+ _ => {
+ error!("Unsupported COSE key algorithm for DICE: {key_alg:?}");
+ Err(CoseError::UnexpectedItem("-8, -7 or -35", ""))
+ }
+ }
+}
diff --git a/libs/dice/open_dice/Android.bp b/libs/dice/open_dice/Android.bp
index ab3220e..4904672 100644
--- a/libs/dice/open_dice/Android.bp
+++ b/libs/dice/open_dice/Android.bp
@@ -161,6 +161,7 @@
"--allowlist-var=DICE_PUBLIC_KEY_SIZE",
"--allowlist-var=DICE_PRIVATE_KEY_SIZE",
"--allowlist-var=DICE_SIGNATURE_SIZE",
+ "--allowlist-var=DICE_COSE_KEY_ALG_VALUE",
],
}
diff --git a/libs/dice/open_dice/src/lib.rs b/libs/dice/open_dice/src/lib.rs
index d0004b1..085a2cd 100644
--- a/libs/dice/open_dice/src/lib.rs
+++ b/libs/dice/open_dice/src/lib.rs
@@ -40,6 +40,10 @@
PublicKey, Signature, CDI_SIZE, HASH_SIZE, HIDDEN_SIZE, ID_SIZE, PRIVATE_KEY_SEED_SIZE,
};
pub use error::{DiceError, Result};
+// Currently, open-dice library only supports a single signing and verification algorithm.
+// The value of DICE_COSE_KEY_ALG_VALUE depends on the algorithm chosen by the underlying C
+// library at build time. Refer to b/342333212 for more information.
+pub use open_dice_cbor_bindgen::DICE_COSE_KEY_ALG_VALUE;
pub use ops::{
derive_cdi_leaf_priv, generate_certificate, hash, kdf, keypair_from_seed, sign, verify,
};
diff --git a/service_vm/client_vm_csr/Android.bp b/service_vm/client_vm_csr/Android.bp
index 8d738d8..097779f 100644
--- a/service_vm/client_vm_csr/Android.bp
+++ b/service_vm/client_vm_csr/Android.bp
@@ -8,6 +8,7 @@
srcs: ["src/lib.rs"],
rustlibs: [
"libanyhow",
+ "libcbor_util",
"libcoset",
"libdiced_open_dice",
"libopenssl",
diff --git a/service_vm/client_vm_csr/src/lib.rs b/service_vm/client_vm_csr/src/lib.rs
index 0babfff..70152cb 100644
--- a/service_vm/client_vm_csr/src/lib.rs
+++ b/service_vm/client_vm_csr/src/lib.rs
@@ -20,7 +20,9 @@
iana, CborSerializable, CoseKey, CoseKeyBuilder, CoseSign, CoseSignBuilder, CoseSignature,
CoseSignatureBuilder, HeaderBuilder,
};
-use diced_open_dice::{derive_cdi_leaf_priv, sign, DiceArtifacts, PrivateKey};
+use diced_open_dice::{
+ derive_cdi_leaf_priv, sign, DiceArtifacts, PrivateKey, DICE_COSE_KEY_ALG_VALUE,
+};
use openssl::{
bn::{BigNum, BigNumContext},
ec::{EcGroup, EcKey, EcKeyRef},
@@ -91,7 +93,8 @@
cdi_leaf_priv: &PrivateKey,
attestation_key: &EcKeyRef<Private>,
) -> Result<CoseSign> {
- let cdi_leaf_sig_headers = build_signature_headers(iana::Algorithm::EdDSA);
+ let dice_key_alg = cbor_util::dice_cose_key_alg(DICE_COSE_KEY_ALG_VALUE)?;
+ let cdi_leaf_sig_headers = build_signature_headers(dice_key_alg);
let attestation_key_sig_headers = build_signature_headers(ATTESTATION_KEY_ALGO);
let aad = &[];
let signed_data = CoseSignBuilder::new()
diff --git a/service_vm/comm/src/client_vm_csr.cddl b/service_vm/comm/src/client_vm_csr.cddl
index bbc709a..7ddbfa3 100644
--- a/service_vm/comm/src/client_vm_csr.cddl
+++ b/service_vm/comm/src/client_vm_csr.cddl
@@ -33,9 +33,10 @@
; COSE_Signature [RFC9052 s4.1]
COSE_Signature_Dice_Cdi_Leaf = [
- protected: bstr .cbor { 1: AlgorithmEdDSA },
+ protected: bstr .cbor { 1: AlgorithmEdDSA / AlgorithmES256 / AlgorithmES384 },
unprotected: {},
- signature: bstr, ; Ed25519(CDI_Leaf_Priv, SigStruct)
+ signature: bstr, ; PureEd25519(CDI_Leaf_Priv, SigStruct)
+ ; ECDSA(CDI_Leaf_Priv, SigStruct)
]
; COSE_Signature [RFC9052 s4.1]
diff --git a/service_vm/requests/src/rkp.rs b/service_vm/requests/src/rkp.rs
index 4f2262f..aa363e5 100644
--- a/service_vm/requests/src/rkp.rs
+++ b/service_vm/requests/src/rkp.rs
@@ -26,8 +26,10 @@
value::{CanonicalValue, Value},
};
use core::result;
-use coset::{iana, AsCborValue, CoseSign1, CoseSign1Builder, HeaderBuilder};
-use diced_open_dice::{derive_cdi_leaf_priv, kdf, sign, DiceArtifacts, PrivateKey};
+use coset::{AsCborValue, CoseSign1, CoseSign1Builder, HeaderBuilder};
+use diced_open_dice::{
+ derive_cdi_leaf_priv, kdf, sign, DiceArtifacts, PrivateKey, DICE_COSE_KEY_ALG_VALUE,
+};
use log::{debug, error};
use service_vm_comm::{EcdsaP256KeyPair, GenerateCertificateRequestParams, RequestProcessingError};
use zeroize::Zeroizing;
@@ -151,8 +153,8 @@
error!("Failed to derive the CDI_Leaf_Priv: {e}");
RequestProcessingError::InternalError
})?;
- let signing_algorithm = iana::Algorithm::EdDSA;
- let protected = HeaderBuilder::new().algorithm(signing_algorithm).build();
+ let dice_key_alg = cbor_util::dice_cose_key_alg(DICE_COSE_KEY_ALG_VALUE)?;
+ let protected = HeaderBuilder::new().algorithm(dice_key_alg).build();
let signed_data = CoseSign1Builder::new()
.protected(protected)
.payload(cbor_util::serialize(payload)?)