Gitiles
Code Review Sign In
gerrit.omnirom.org / android_packages_modules_Virtualization / ff5592d5164a8f7ab1a992a254186f6c46cdeaf6^! / . / rialto / src / requests
commitff5592d5164a8f7ab1a992a254186f6c46cdeaf6[log] [tgz]
authorAlice Wang <aliceywang@google.com>Wed Sep 13 15:27:39 2023 +0000
committerAlice Wang <aliceywang@google.com>Fri Sep 22 10:59:42 2023 +0000
tree3228ad02f66316ce0ce0261959f587a03c8827b6
parenta78d3f0198c89bc29bd8f33b8e25a10b19008ee2 [diff]
[rkp] Verify the MAC of the public keys to sign in RKP HAL

Bug: 299256925
Test: atest rialto_test
Change-Id: I9d7ff281166e5acbe47936fa103cbe6c5fa2c2da

diff --git a/rialto/src/requests/pub_key.rs b/rialto/src/requests/pub_key.rs
index 84373ce..b45c117 100644
--- a/rialto/src/requests/pub_key.rs
+++ b/rialto/src/requests/pub_key.rs

@@ -19,11 +19,27 @@
 use bssl_ffi::EVP_sha256;
 use bssl_ffi::HMAC;
 use core::result;
-use coset::{iana, CborSerializable, CoseKey, CoseMac0Builder, HeaderBuilder};
+use coset::{iana, CborSerializable, CoseKey, CoseMac0, CoseMac0Builder, HeaderBuilder};
 use service_vm_comm::{BoringSSLApiName, RequestProcessingError};
 
 type Result<T> = result::Result<T, RequestProcessingError>;
 
+/// Verifies the MAC of the given public key.
+/// TODO(b/299256925): Return the validated public key.
+pub fn validate_public_key(maced_public_key: &[u8], hmac_key: &[u8]) -> Result<()> {
+    let cose_mac = CoseMac0::from_slice(maced_public_key)?;
+    cose_mac.verify_tag(&[], |tag, data| verify_tag(tag, data, hmac_key))
+}
+
+fn verify_tag(tag: &[u8], data: &[u8], hmac_key: &[u8]) -> Result<()> {
+    let computed_tag = hmac_sha256(hmac_key, data)?;
+    if tag == computed_tag {
+        Ok(())
+    } else {
+        Err(RequestProcessingError::InvalidMac)
+    }
+}
+
 /// Returns the MACed public key.
 pub fn build_maced_public_key(public_key: CoseKey, hmac_key: &[u8]) -> Result<Vec<u8>> {
     const ALGO: iana::Algorithm = iana::Algorithm::HMAC_256_256;

diff --git a/rialto/src/requests/rkp.rs b/rialto/src/requests/rkp.rs
index 58e054f..9b3e569 100644
--- a/rialto/src/requests/rkp.rs
+++ b/rialto/src/requests/rkp.rs

@@ -16,7 +16,7 @@
 //! service VM via the RKP (Remote Key Provisioning) server.
 
 use super::ec_key::EcKey;
-use super::pub_key::build_maced_public_key;
+use super::pub_key::{build_maced_public_key, validate_public_key};
 use alloc::vec::Vec;
 use core::result;
 use diced_open_dice::DiceArtifacts;
@@ -40,9 +40,14 @@
 }
 
 pub(super) fn generate_certificate_request(
-    _params: GenerateCertificateRequestParams,
+    params: GenerateCertificateRequestParams,
     _dice_artifacts: &dyn DiceArtifacts,
 ) -> Result<Vec<u8>> {
+    // TODO(b/300590857): Derive the HMAC key from the DICE sealing CDI.
+    let hmac_key = [];
+    for key_to_sign in params.keys_to_sign {
+        validate_public_key(&key_to_sign, &hmac_key)?;
+    }
     // TODO(b/299256925): Generate the certificate request
     Ok(Vec::new())
 }