Gitiles
Code Review Sign In
gerrit.omnirom.org / android_packages_modules_Virtualization / ff3811104599608ef606b6a530d718ef6f411c8e^! / . / libs
commitff3811104599608ef606b6a530d718ef6f411c8e[log] [tgz]
authorAlice Wang <aliceywang@google.com>Wed May 22 12:14:39 2024 +0000
committerAlice Wang <aliceywang@google.com>Thu May 23 10:54:12 2024 +0000
tree4675a248530ef3e94816109e4057aa628e94f2d3
parentd47ad8b61add656be0c6d3d59ec4283c35949e00 [diff]
[dice] Read the COSE key algorithm from DICE library

Instead of hard-coding it.

This allows users to use different types of keys underneath as
needed.

Bug: 342333212
Test: atest VmAttestationTest
Change-Id: I2751cbda79c1f8bd7980ac3ddcae6a9a5922b682

diff --git a/libs/cborutil/src/lib.rs b/libs/cborutil/src/lib.rs
index 4d308c1..b218c82 100644
--- a/libs/cborutil/src/lib.rs
+++ b/libs/cborutil/src/lib.rs

@@ -21,7 +21,10 @@
 use alloc::string::String;
 use alloc::vec::Vec;
 use ciborium::value::{Integer, Value};
-use coset::{CborSerializable, CoseError, CoseKey, Label, Result};
+use coset::{
+    iana::{self, EnumI64},
+    CborSerializable, CoseError, CoseKey, Label, Result,
+};
 use log::error;
 use serde::{de::DeserializeOwned, Serialize};
 
@@ -132,3 +135,19 @@
         .ok_or(CoseError::UnexpectedItem("", "Label not found in CoseKey"))?
         .1)
 }
+
+/// Converts the provided COSE key algorithm integer to an `iana::Algorithm` used
+/// by DICE chains.
+pub fn dice_cose_key_alg(cose_key_alg: i32) -> Result<iana::Algorithm> {
+    let key_alg = iana::Algorithm::from_i64(cose_key_alg as i64).ok_or_else(|| {
+        error!("Unsupported COSE key algorithm for DICE: {cose_key_alg}");
+        CoseError::UnexpectedItem("COSE key algorithm", "")
+    })?;
+    match key_alg {
+        iana::Algorithm::EdDSA | iana::Algorithm::ES256 | iana::Algorithm::ES384 => Ok(key_alg),
+        _ => {
+            error!("Unsupported COSE key algorithm for DICE: {key_alg:?}");
+            Err(CoseError::UnexpectedItem("-8, -7 or -35", ""))
+        }
+    }
+}

diff --git a/libs/dice/open_dice/Android.bp b/libs/dice/open_dice/Android.bp
index ab3220e..4904672 100644
--- a/libs/dice/open_dice/Android.bp
+++ b/libs/dice/open_dice/Android.bp

@@ -161,6 +161,7 @@
         "--allowlist-var=DICE_PUBLIC_KEY_SIZE",
         "--allowlist-var=DICE_PRIVATE_KEY_SIZE",
         "--allowlist-var=DICE_SIGNATURE_SIZE",
+        "--allowlist-var=DICE_COSE_KEY_ALG_VALUE",
     ],
 }
 

diff --git a/libs/dice/open_dice/src/lib.rs b/libs/dice/open_dice/src/lib.rs
index d0004b1..085a2cd 100644
--- a/libs/dice/open_dice/src/lib.rs
+++ b/libs/dice/open_dice/src/lib.rs

@@ -40,6 +40,10 @@
     PublicKey, Signature, CDI_SIZE, HASH_SIZE, HIDDEN_SIZE, ID_SIZE, PRIVATE_KEY_SEED_SIZE,
 };
 pub use error::{DiceError, Result};
+// Currently, open-dice library only supports a single signing and verification algorithm.
+// The value of DICE_COSE_KEY_ALG_VALUE depends on the algorithm chosen by the underlying C
+// library at build time. Refer to b/342333212 for more information.
+pub use open_dice_cbor_bindgen::DICE_COSE_KEY_ALG_VALUE;
 pub use ops::{
     derive_cdi_leaf_priv, generate_certificate, hash, kdf, keypair_from_seed, sign, verify,
 };