[dice] Read the COSE key algorithm from DICE library

Instead of hard-coding it.

This allows users to use different types of keys underneath as
needed.

Bug: 342333212
Test: atest VmAttestationTest
Change-Id: I2751cbda79c1f8bd7980ac3ddcae6a9a5922b682
diff --git a/service_vm/client_vm_csr/Android.bp b/service_vm/client_vm_csr/Android.bp
index 8d738d8..097779f 100644
--- a/service_vm/client_vm_csr/Android.bp
+++ b/service_vm/client_vm_csr/Android.bp
@@ -8,6 +8,7 @@
     srcs: ["src/lib.rs"],
     rustlibs: [
         "libanyhow",
+        "libcbor_util",
         "libcoset",
         "libdiced_open_dice",
         "libopenssl",
diff --git a/service_vm/client_vm_csr/src/lib.rs b/service_vm/client_vm_csr/src/lib.rs
index 0babfff..70152cb 100644
--- a/service_vm/client_vm_csr/src/lib.rs
+++ b/service_vm/client_vm_csr/src/lib.rs
@@ -20,7 +20,9 @@
     iana, CborSerializable, CoseKey, CoseKeyBuilder, CoseSign, CoseSignBuilder, CoseSignature,
     CoseSignatureBuilder, HeaderBuilder,
 };
-use diced_open_dice::{derive_cdi_leaf_priv, sign, DiceArtifacts, PrivateKey};
+use diced_open_dice::{
+    derive_cdi_leaf_priv, sign, DiceArtifacts, PrivateKey, DICE_COSE_KEY_ALG_VALUE,
+};
 use openssl::{
     bn::{BigNum, BigNumContext},
     ec::{EcGroup, EcKey, EcKeyRef},
@@ -91,7 +93,8 @@
     cdi_leaf_priv: &PrivateKey,
     attestation_key: &EcKeyRef<Private>,
 ) -> Result<CoseSign> {
-    let cdi_leaf_sig_headers = build_signature_headers(iana::Algorithm::EdDSA);
+    let dice_key_alg = cbor_util::dice_cose_key_alg(DICE_COSE_KEY_ALG_VALUE)?;
+    let cdi_leaf_sig_headers = build_signature_headers(dice_key_alg);
     let attestation_key_sig_headers = build_signature_headers(ATTESTATION_KEY_ALGO);
     let aad = &[];
     let signed_data = CoseSignBuilder::new()
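Review bot: Nothing in this hunk ties the advertised algorithm to the key that actually signs: `dice_key_alg` comes from the constant `DICE_COSE_KEY_ALG_VALUE`, while the CDI leaf signature is presumably produced by `sign` further down in the function, outside the hunk. If the two ever disagree, the CSR carries a protected header that does not describe its signature, and the outcome then depends on how strictly the verifier checks. I would state the invariant next to the new line, e.g. `// Must describe the key type diced_open_dice::sign() uses for CDI_Leaf_Priv; both are fixed by the DICE library configuration.`, and confirm that `atest VmAttestationTest` is run for each supported key type rather than only the default. The same applies to the `dice_key_alg` lines in service_vm/requests/src/rkp.rs.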
diff --git a/service_vm/comm/src/client_vm_csr.cddl b/service_vm/comm/src/client_vm_csr.cddl
index bbc709a..7ddbfa3 100644
--- a/service_vm/comm/src/client_vm_csr.cddl
+++ b/service_vm/comm/src/client_vm_csr.cddl
@@ -33,9 +33,10 @@
 
 ; COSE_Signature [RFC9052 s4.1]
 COSE_Signature_Dice_Cdi_Leaf = [
-    protected: bstr .cbor { 1: AlgorithmEdDSA },
+    protected: bstr .cbor { 1: AlgorithmEdDSA / AlgorithmES256 / AlgorithmES384 },
     unprotected: {},
-    signature: bstr,                         ; Ed25519(CDI_Leaf_Priv, SigStruct)
+    signature: bstr,                         ; PureEd25519(CDI_Leaf_Priv, SigStruct)
+                                             ; ECDSA(CDI_Leaf_Priv, SigStruct)
 ]
 
 ; COSE_Signature [RFC9052 s4.1]
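Review bot: The `protected` map now admits three algorithms, but the schema does not say which one a given CSR must use, so a reader could conclude that the header alone selects the verification algorithm. A verifier should take the algorithm from the leaf public key of the DICE chain and reject a `COSE_Signature_Dice_Cdi_Leaf` whose header disagrees. The ECDSA comment also leaves out the signature encoding, which COSE fixes as the concatenation of r and s rather than DER (RFC 9053 s2.1). Suggested wording: `; ECDSA(CDI_Leaf_Priv, SigStruct), encoded as r || s` plus `; alg must match the key type of the DICE chain leaf`.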
diff --git a/service_vm/requests/src/rkp.rs b/service_vm/requests/src/rkp.rs
index 4f2262f..aa363e5 100644
--- a/service_vm/requests/src/rkp.rs
+++ b/service_vm/requests/src/rkp.rs
@@ -26,8 +26,10 @@
     value::{CanonicalValue, Value},
 };
 use core::result;
-use coset::{iana, AsCborValue, CoseSign1, CoseSign1Builder, HeaderBuilder};
-use diced_open_dice::{derive_cdi_leaf_priv, kdf, sign, DiceArtifacts, PrivateKey};
+use coset::{AsCborValue, CoseSign1, CoseSign1Builder, HeaderBuilder};
+use diced_open_dice::{
+    derive_cdi_leaf_priv, kdf, sign, DiceArtifacts, PrivateKey, DICE_COSE_KEY_ALG_VALUE,
+};
 use log::{debug, error};
 use service_vm_comm::{EcdsaP256KeyPair, GenerateCertificateRequestParams, RequestProcessingError};
 use zeroize::Zeroizing;
@@ -151,8 +153,8 @@
         error!("Failed to derive the CDI_Leaf_Priv: {e}");
         RequestProcessingError::InternalError
     })?;
-    let signing_algorithm = iana::Algorithm::EdDSA;
-    let protected = HeaderBuilder::new().algorithm(signing_algorithm).build();
+    let dice_key_alg = cbor_util::dice_cose_key_alg(DICE_COSE_KEY_ALG_VALUE)?;
+    let protected = HeaderBuilder::new().algorithm(dice_key_alg).build();
     let signed_data = CoseSign1Builder::new()
         .protected(protected)
         .payload(cbor_util::serialize(payload)?)
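Review bot: A failure of `cbor_util::dice_cose_key_alg(DICE_COSE_KEY_ALG_VALUE)?` is propagated without a log line, whereas the key-derivation failure just above is logged with `error!` and mapped to `RequestProcessingError::InternalError`. An unsupported algorithm value is a build-configuration problem rather than a malformed request, so it would be easier to diagnose if handled the same way: `.map_err(|e| { error!("Unsupported DICE key algorithm: {e}"); RequestProcessingError::InternalError })?`. This assumes the error type implements `Display`, which the hunk does not show. The enclosing function starts and ends outside the hunk.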