[dice] Move hash function to the library libdiced_open_dice
This is part of the project of merging the two existing dice
wrapper libraries into one library. The upstream library
libdiced_open_dice will be the merged library.
Test: atest diced_utils_test diced_sample_inputs_test \
diced_test diced_vendor_test diced_open_dice_cbor_test
Test: m pvmfw_img microdroid_manager && atest \
microdroid_manager_test
Bug: 267575445
Change-Id: I43011a5767b5d8547df20290a61c5ff95863980d
diff --git a/diced/open_dice/Android.bp b/diced/open_dice/Android.bp
index e581085..3fd447b 100644
--- a/diced/open_dice/Android.bp
+++ b/diced/open_dice/Android.bp
@@ -23,6 +23,10 @@
"libopen_dice_bcc_bindgen_nostd",
"libopen_dice_cbor_bindgen_nostd",
],
+ whole_static_libs: [
+ "libopen_dice_cbor",
+ "libcrypto_baremetal",
+ ],
}
rust_library {
@@ -40,4 +44,6 @@
whole_static_libs: [
"libopen_dice_bcc",
],
-}
\ No newline at end of file
+}
+
+// TODO(b/267575445): Add integration tests to check the exposed API
diff --git a/diced/open_dice/src/lib.rs b/diced/open_dice/src/lib.rs
index 0723b2d..d1bd9e4 100644
--- a/diced/open_dice/src/lib.rs
+++ b/diced/open_dice/src/lib.rs
@@ -23,6 +23,7 @@
mod bcc;
mod dice;
mod error;
+mod ops;
#[cfg(feature = "std")]
mod retry;
@@ -32,5 +33,6 @@
HIDDEN_SIZE,
};
pub use error::{check_result, DiceError, Result};
+pub use ops::hash;
#[cfg(feature = "std")]
pub use retry::retry_bcc_format_config_descriptor;
diff --git a/diced/open_dice/src/ops.rs b/diced/open_dice/src/ops.rs
new file mode 100644
index 0000000..ca0e341
--- /dev/null
+++ b/diced/open_dice/src/ops.rs
@@ -0,0 +1,38 @@
+// Copyright 2023, The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//! This module mirrors the content in open-dice/include/dice/ops.h
+//! It contains the set of functions that implement various operations that the
+//! main DICE functions depend on.
+
+use crate::dice::{Hash, HASH_SIZE};
+use crate::error::{check_result, Result};
+use open_dice_cbor_bindgen::DiceHash;
+use std::ptr;
+
+/// Hashes the provided input using DICE's hash function `DiceHash`.
+pub fn hash(input: &[u8]) -> Result<Hash> {
+ let mut output: Hash = [0; HASH_SIZE];
+ // SAFETY: DiceHash takes a sized input buffer and writes to a constant-sized output buffer.
+ // The first argument context is not used in this function.
+ check_result(unsafe {
+ DiceHash(
+ ptr::null_mut(), // context
+ input.as_ptr(),
+ input.len(),
+ output.as_mut_ptr(),
+ )
+ })?;
+ Ok(output)
+}
diff --git a/diced/open_dice_cbor/lib.rs b/diced/open_dice_cbor/lib.rs
index 30ab760..a5eb41c 100644
--- a/diced/open_dice_cbor/lib.rs
+++ b/diced/open_dice_cbor/lib.rs
@@ -32,15 +32,15 @@
//! ```
pub use diced_open_dice::{
- check_result, retry_bcc_format_config_descriptor, Config, DiceError, Hash, Hidden, InputValues,
- Result, CDI_SIZE, HASH_SIZE, HIDDEN_SIZE,
+ check_result, hash, retry_bcc_format_config_descriptor, Config, DiceError, Hash, Hidden,
+ InputValues, Result, CDI_SIZE, HASH_SIZE, HIDDEN_SIZE,
};
use keystore2_crypto::ZVec;
use open_dice_bcc_bindgen::BccMainFlow;
pub use open_dice_cbor_bindgen::DiceMode;
use open_dice_cbor_bindgen::{
- DiceDeriveCdiCertificateId, DiceDeriveCdiPrivateKeySeed, DiceGenerateCertificate, DiceHash,
- DiceKdf, DiceKeypairFromSeed, DiceMainFlow, DiceSign, DiceVerify, DICE_ID_SIZE,
+ DiceDeriveCdiCertificateId, DiceDeriveCdiPrivateKeySeed, DiceGenerateCertificate, DiceKdf,
+ DiceKeypairFromSeed, DiceMainFlow, DiceSign, DiceVerify, DICE_ID_SIZE,
DICE_PRIVATE_KEY_SEED_SIZE, DICE_PRIVATE_KEY_SIZE, DICE_PUBLIC_KEY_SIZE, DICE_SIGNATURE_SIZE,
};
use std::ffi::c_void;
@@ -256,24 +256,6 @@
Ok((next_attest, next_seal, cert))
}
- /// Safe wrapper around open-dice DiceHash, see open dice
- /// documentation for details.
- fn hash(&mut self, input: &[u8]) -> Result<Vec<u8>> {
- let mut output: Vec<u8> = vec![0; HASH_SIZE];
-
- // SAFETY:
- // * The first context argument may be NULL and is unused by the wrapped
- // implementation.
- // * The second argument and the third argument are the pointer to and length of the given
- // input buffer respectively.
- // * The fourth argument must be a pointer to a mutable buffer of size HASH_SIZE
- // which is fulfilled by the allocation above.
- check_result(unsafe {
- DiceHash(self.get_context(), input.as_ptr(), input.len(), output.as_mut_ptr())
- })?;
- Ok(output)
- }
-
/// Safe wrapper around open-dice DiceKdf, see open dice
/// documentation for details.
fn kdf(&mut self, length: usize, input_key: &[u8], salt: &[u8], info: &[u8]) -> Result<ZVec> {
@@ -535,7 +517,7 @@
#[test]
fn hash_derive_sign_verify() {
let mut ctx = OpenDiceCborContext::new();
- let seed = ctx.hash("MySeedString".as_bytes()).unwrap();
+ let seed = diced_open_dice::hash("MySeedString".as_bytes()).unwrap();
assert_eq!(seed, SEED_TEST_VECTOR);
let cdi_attest = &seed[..CDI_SIZE];
assert_eq!(cdi_attest, CDI_ATTEST_TEST_VECTOR);
diff --git a/diced/src/hal_node.rs b/diced/src/hal_node.rs
index 453b12e..12be4ae 100644
--- a/diced/src/hal_node.rs
+++ b/diced/src/hal_node.rs
@@ -375,22 +375,15 @@
config_name: &CStr,
authority: &str,
) -> Result<BinderInputValues> {
- let mut dice_ctx = dice::OpenDiceCborContext::new();
Ok(BinderInputValues {
- codeHash: dice_ctx
- .hash(code.as_bytes())
- .context("In make_input_values: code hash failed.")?
- .as_slice()
- .try_into()?,
+ codeHash: dice::hash(code.as_bytes())
+ .context("In make_input_values: code hash failed.")?,
config: BinderConfig {
desc: dice::retry_bcc_format_config_descriptor(Some(config_name), None, true)
.context("In make_input_values: Failed to format config descriptor.")?,
},
- authorityHash: dice_ctx
- .hash(authority.as_bytes())
- .context("In make_input_values: authority hash failed.")?
- .as_slice()
- .try_into()?,
+ authorityHash: dice::hash(authority.as_bytes())
+ .context("In make_input_values: authority hash failed.")?,
authorityDescriptor: None,
mode: BinderMode::NORMAL,
hidden: [0; dice::HIDDEN_SIZE],