[dice] Move KDF related functions to libdiced_open_dice
Bug: 267575445
Test: atest diced_utils_test diced_sample_inputs_test \
diced_test diced_vendor_test diced_open_dice_cbor_test \
libdiced_open_dice_nostd.integration_test \
libdiced_open_dice.integration_test diced_open_dice_cbor_test
Change-Id: I1e2439bd3770b5cec6166fca698b6017a263f029
diff --git a/diced/open_dice/src/dice.rs b/diced/open_dice/src/dice.rs
index a4615d3..014d5fd 100644
--- a/diced/open_dice/src/dice.rs
+++ b/diced/open_dice/src/dice.rs
@@ -15,10 +15,12 @@
//! Structs and functions about the types used in DICE.
//! This module mirrors the content in open-dice/include/dice/dice.h
+use crate::error::{check_result, Result};
pub use open_dice_cbor_bindgen::DiceMode;
use open_dice_cbor_bindgen::{
- DiceConfigType, DiceInputValues, DICE_CDI_SIZE, DICE_HASH_SIZE, DICE_HIDDEN_SIZE,
- DICE_INLINE_CONFIG_SIZE,
+ DiceConfigType, DiceDeriveCdiCertificateId, DiceDeriveCdiPrivateKeySeed, DiceInputValues,
+ DICE_CDI_SIZE, DICE_HASH_SIZE, DICE_HIDDEN_SIZE, DICE_ID_SIZE, DICE_INLINE_CONFIG_SIZE,
+ DICE_PRIVATE_KEY_SEED_SIZE,
};
use std::ptr;
@@ -30,6 +32,10 @@
const INLINE_CONFIG_SIZE: usize = DICE_INLINE_CONFIG_SIZE as usize;
/// The size of a CDI.
pub const CDI_SIZE: usize = DICE_CDI_SIZE as usize;
+/// The size of a private key seed.
+pub const PRIVATE_KEY_SEED_SIZE: usize = DICE_PRIVATE_KEY_SEED_SIZE as usize;
+/// The size of an ID.
+pub const ID_SIZE: usize = DICE_ID_SIZE as usize;
/// Array type of hashes used by DICE.
pub type Hash = [u8; HASH_SIZE];
@@ -39,6 +45,10 @@
pub type InlineConfig = [u8; INLINE_CONFIG_SIZE];
/// Array type of CDIs.
pub type Cdi = [u8; CDI_SIZE];
+/// Array type of private key seeds.
+pub type PrivateKeySeed = [u8; PRIVATE_KEY_SEED_SIZE];
+/// Array type of DICE ID.
+pub type DiceId = [u8; ID_SIZE];
/// Configuration descriptor for DICE input values.
#[derive(Debug, Clone, PartialEq, Eq)]
@@ -113,3 +123,34 @@
&self.0 as *const DiceInputValues
}
}
+
+/// Derives a CDI private key seed from a `cdi_attest` value.
+pub fn derive_cdi_private_key_seed(cdi_attest: &Cdi) -> Result<PrivateKeySeed> {
+ let mut seed = [0u8; PRIVATE_KEY_SEED_SIZE];
+ // SAFETY: The function writes to the buffer within the given bounds, and only reads the
+ // input values. The first argument context is not used in this function.
+ check_result(unsafe {
+ DiceDeriveCdiPrivateKeySeed(
+ ptr::null_mut(), // context
+ cdi_attest.as_ptr(),
+ seed.as_mut_ptr(),
+ )
+ })?;
+ Ok(seed)
+}
+
+/// Derives an ID from the given `cdi_public_key` value.
+pub fn derive_cdi_certificate_id(cdi_public_key: &[u8]) -> Result<DiceId> {
+ let mut id = [0u8; ID_SIZE];
+ // SAFETY: The function writes to the buffer within the given bounds, and only reads the
+ // input values. The first argument context is not used in this function.
+ check_result(unsafe {
+ DiceDeriveCdiCertificateId(
+ ptr::null_mut(), // context
+ cdi_public_key.as_ptr(),
+ cdi_public_key.len(),
+ id.as_mut_ptr(),
+ )
+ })?;
+ Ok(id)
+}
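Review bot: `derive_cdi_private_key_seed` hands the CDI private key seed back in a plain `[u8; PRIVATE_KEY_SEED_SIZE]`, whereas the `ContextImpl` method it replaces returned a `ZVec`, so the seed is no longer zeroized on drop, every by-value move of the array leaves a further copy on the stack, and a buffer the C call may already have written to is dropped unwiped on the `?` error path. If a zeroizing wrapper is being avoided for the nostd build (I cannot see the crate's dependencies here), the contract should at least be explicit in the doc comment, e.g. `/// The returned seed is secret key material held in a plain array; it is not zeroized on drop, so callers must wipe it (and any copies) once it is no longer needed.` `derive_cdi_certificate_id` is not affected, since the derived ID is not secret.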
diff --git a/diced/open_dice/src/lib.rs b/diced/open_dice/src/lib.rs
index d1bd9e4..5a34698 100644
--- a/diced/open_dice/src/lib.rs
+++ b/diced/open_dice/src/lib.rs
@@ -29,8 +29,9 @@
pub use bcc::bcc_format_config_descriptor;
pub use dice::{
- Cdi, Config, DiceMode, Hash, Hidden, InlineConfig, InputValues, CDI_SIZE, HASH_SIZE,
- HIDDEN_SIZE,
+ derive_cdi_certificate_id, derive_cdi_private_key_seed, Cdi, Config, DiceMode, Hash, Hidden,
+ InlineConfig, InputValues, PrivateKeySeed, CDI_SIZE, HASH_SIZE, HIDDEN_SIZE, ID_SIZE,
+ PRIVATE_KEY_SEED_SIZE,
};
pub use error::{check_result, DiceError, Result};
pub use ops::hash;
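Review bot: The new re-export list adds `PrivateKeySeed` but not `DiceId`, although `derive_cdi_certificate_id`, re-exported on the same line, returns `Result<DiceId>`; users of the crate root can call the function but cannot name its return type. Add it to the list, e.g. `derive_cdi_certificate_id, derive_cdi_private_key_seed, Cdi, Config, DiceId, DiceMode, Hash, Hidden,`. The `api_test.rs` added in this change only imports `ID_SIZE` and the function, so it does not catch the gap.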
diff --git a/diced/open_dice/tests/api_test.rs b/diced/open_dice/tests/api_test.rs
index 755be09..5b36f8d 100644
--- a/diced/open_dice/tests/api_test.rs
+++ b/diced/open_dice/tests/api_test.rs
@@ -14,7 +14,7 @@
* limitations under the License.
*/
-use diced_open_dice::hash;
+use diced_open_dice::{derive_cdi_certificate_id, hash, ID_SIZE};
#[test]
fn hash_succeeds() {
@@ -29,3 +29,12 @@
]
);
}
+
+#[test]
+fn derive_cdi_certificate_id_succeeds() {
+ const EXPECTED_ID: [u8; ID_SIZE] = [
+ 0x7a, 0x36, 0x45, 0x2c, 0x02, 0xf6, 0x2b, 0xec, 0xf9, 0x80, 0x06, 0x75, 0x87, 0xa5, 0xc1,
+ 0x44, 0x0c, 0xd3, 0xc0, 0x6d,
+ ];
+ assert_eq!(EXPECTED_ID, derive_cdi_certificate_id(b"MyPubKey").unwrap());
+}
diff --git a/diced/open_dice_cbor/lib.rs b/diced/open_dice_cbor/lib.rs
index a5eb41c..7b098a8 100644
--- a/diced/open_dice_cbor/lib.rs
+++ b/diced/open_dice_cbor/lib.rs
@@ -32,23 +32,19 @@
//! ```
pub use diced_open_dice::{
- check_result, hash, retry_bcc_format_config_descriptor, Config, DiceError, Hash, Hidden,
- InputValues, Result, CDI_SIZE, HASH_SIZE, HIDDEN_SIZE,
+ check_result, derive_cdi_private_key_seed, hash, retry_bcc_format_config_descriptor, Config,
+ DiceError, Hash, Hidden, InputValues, Result, CDI_SIZE, HASH_SIZE, HIDDEN_SIZE,
+ PRIVATE_KEY_SEED_SIZE,
};
use keystore2_crypto::ZVec;
use open_dice_bcc_bindgen::BccMainFlow;
pub use open_dice_cbor_bindgen::DiceMode;
use open_dice_cbor_bindgen::{
- DiceDeriveCdiCertificateId, DiceDeriveCdiPrivateKeySeed, DiceGenerateCertificate, DiceKdf,
- DiceKeypairFromSeed, DiceMainFlow, DiceSign, DiceVerify, DICE_ID_SIZE,
- DICE_PRIVATE_KEY_SEED_SIZE, DICE_PRIVATE_KEY_SIZE, DICE_PUBLIC_KEY_SIZE, DICE_SIGNATURE_SIZE,
+ DiceGenerateCertificate, DiceKdf, DiceKeypairFromSeed, DiceMainFlow, DiceSign, DiceVerify,
+ DICE_PRIVATE_KEY_SIZE, DICE_PUBLIC_KEY_SIZE, DICE_SIGNATURE_SIZE,
};
use std::ffi::c_void;
-/// The size of a private key seed.
-pub const PRIVATE_KEY_SEED_SIZE: usize = DICE_PRIVATE_KEY_SEED_SIZE as usize;
-/// The size of an ID.
-pub const ID_SIZE: usize = DICE_ID_SIZE as usize;
/// The size of a private key.
pub const PRIVATE_KEY_SIZE: usize = DICE_PRIVATE_KEY_SIZE as usize;
/// The size of a public key.
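Review bot: `ID_SIZE` and `derive_cdi_certificate_id` are removed from this crate without being re-exported from `diced_open_dice`, while `PRIVATE_KEY_SEED_SIZE` and `derive_cdi_private_key_seed` are, so anything that reached the former two through `diced_open_dice_cbor` no longer compiles. Unless the narrower surface is intended, add them to the re-export: `check_result, derive_cdi_certificate_id, derive_cdi_private_key_seed, hash, retry_bcc_format_config_descriptor, Config,` and `PRIVATE_KEY_SEED_SIZE, ID_SIZE,`. I cannot see whether any dependent crate uses them; the only in-crate user, the `derive_cdi_certificate_id` test, is deleted by this same commit, so this may be a deliberate reduction.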
@@ -162,49 +158,6 @@
/// library calls. Implementations must implement Context::get_context(). As of
/// this writing, the only implementation is OpenDiceCborContext, which returns NULL.
pub trait ContextImpl: Context + Send {
- /// Safe wrapper around open-dice DiceDeriveCdiPrivateKeySeed, see open dice
- /// documentation for details.
- fn derive_cdi_private_key_seed(&mut self, cdi_attest: &[u8; CDI_SIZE]) -> Result<ZVec> {
- let mut seed = ZVec::new(PRIVATE_KEY_SEED_SIZE)?;
- // SAFETY:
- // * The first context argument may be NULL and is unused by the wrapped
- // implementation.
- // * The second argument is expected to be a const array of size CDI_SIZE.
- // * The third argument is expected to be a non const array of size
- // PRIVATE_KEY_SEED_SIZE which is fulfilled if the call to ZVec::new above
- // succeeds.
- // * No pointers are expected to be valid beyond the scope of the function
- // call.
- check_result(unsafe {
- DiceDeriveCdiPrivateKeySeed(self.get_context(), cdi_attest.as_ptr(), seed.as_mut_ptr())
- })?;
- Ok(seed)
- }
-
- /// Safe wrapper around open-dice DiceDeriveCdiCertificateId, see open dice
- /// documentation for details.
- fn derive_cdi_certificate_id(&mut self, cdi_public_key: &[u8]) -> Result<ZVec> {
- let mut id = ZVec::new(ID_SIZE)?;
- // SAFETY:
- // * The first context argument may be NULL and is unused by the wrapped
- // implementation.
- // * The second argument is expected to be a const array with a size given by the
- // third argument.
- // * The fourth argument is expected to be a non const array of size
- // ID_SIZE which is fulfilled if the call to ZVec::new above succeeds.
- // * No pointers are expected to be valid beyond the scope of the function
- // call.
- check_result(unsafe {
- DiceDeriveCdiCertificateId(
- self.get_context(),
- cdi_public_key.as_ptr(),
- cdi_public_key.len(),
- id.as_mut_ptr(),
- )
- })?;
- Ok(id)
- }
-
/// Safe wrapper around open-dice DiceMainFlow, see open dice
/// documentation for details.
/// Returns a tuple of:
@@ -522,7 +475,7 @@
let cdi_attest = &seed[..CDI_SIZE];
assert_eq!(cdi_attest, CDI_ATTEST_TEST_VECTOR);
let cdi_private_key_seed =
- ctx.derive_cdi_private_key_seed(cdi_attest.try_into().unwrap()).unwrap();
+ derive_cdi_private_key_seed(cdi_attest.try_into().unwrap()).unwrap();
assert_eq!(&cdi_private_key_seed[..], CDI_PRIVATE_KEY_SEED_TEST_VECTOR);
let (pub_key, priv_key) =
ctx.keypair_from_seed(cdi_private_key_seed[..].try_into().unwrap()).unwrap();
@@ -699,16 +652,4 @@
.unwrap();
assert_eq!(&derived_key[..], DERIVED_KEY_TEST_VECTOR);
}
-
- static CERT_ID_TEST_VECTOR: &[u8] = &[
- 0x7a, 0x36, 0x45, 0x2c, 0x02, 0xf6, 0x2b, 0xec, 0xf9, 0x80, 0x06, 0x75, 0x87, 0xa5, 0xc1,
- 0x44, 0x0c, 0xd3, 0xc0, 0x6d,
- ];
-
- #[test]
- fn derive_cdi_certificate_id() {
- let mut ctx = OpenDiceCborContext::new();
- let cert_id = ctx.derive_cdi_certificate_id("MyPubKey".as_bytes()).unwrap();
- assert_eq!(&cert_id[..], CERT_ID_TEST_VECTOR);
- }
}
diff --git a/diced/src/hal_node.rs b/diced/src/hal_node.rs
index 12be4ae..1efee8b 100644
--- a/diced/src/hal_node.rs
+++ b/diced/src/hal_node.rs
@@ -203,14 +203,15 @@
.with_effective_artifacts(input_values, |artifacts| {
let (cdi_attest, _, _) = artifacts.into_tuple();
let mut dice = OpenDiceCborContext::new();
- let seed = dice
- .derive_cdi_private_key_seed(cdi_attest[..].try_into().with_context(|| {
+ let seed = dice::derive_cdi_private_key_seed(
+ cdi_attest[..].try_into().with_context(|| {
format!(
"In ResidentHal::sign: Failed to convert cdi_attest (length: {}).",
cdi_attest.len()
)
- })?)
- .context("In ResidentHal::sign: Failed to derive seed from cdi_attest.")?;
+ })?,
+ )
+ .context("In ResidentHal::sign: Failed to derive seed from cdi_attest.")?;
let (_public_key, private_key) = dice
.keypair_from_seed(seed[..].try_into().with_context(|| {
format!(
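Review bot: On the new line `dice::derive_cdi_private_key_seed(` the path segment `dice` resolves to a module or crate, while `let mut dice = OpenDiceCborContext::new();` three lines above binds a local of the same name that is still used for `dice.keypair_from_seed(...)` just below; the two `dice`s are unrelated, yet the code reads as if the free function were called on the context. Renaming the local (e.g. `let mut ctx = OpenDiceCborContext::new();` and `let (_public_key, private_key) = ctx`) removes the ambiguity. The same pattern appears in the `resident_node.rs` hunk (`let mut dice = OpenDiceCborContext::new();` followed by `dice::derive_cdi_private_key_seed`). The enclosing closure and function continue beyond the hunk.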
diff --git a/diced/src/resident_node.rs b/diced/src/resident_node.rs
index 0bd5d0d..d65f30c 100644
--- a/diced/src/resident_node.rs
+++ b/diced/src/resident_node.rs
@@ -82,8 +82,8 @@
.context("In ResidentNode::sign: Failed to get effective_artifacts.")?
.into_tuple();
let mut dice = OpenDiceCborContext::new();
- let seed = dice
- .derive_cdi_private_key_seed(cdi_attest[..].try_into().with_context(|| {
+ let seed =
+ dice::derive_cdi_private_key_seed(cdi_attest[..].try_into().with_context(|| {
format!(
"In ResidentNode::sign: Failed to convert cdi_attest (length: {}).",
cdi_attest.len()
diff --git a/diced/src/sample_inputs.rs b/diced/src/sample_inputs.rs
index 3f36119..5b61fed 100644
--- a/diced/src/sample_inputs.rs
+++ b/diced/src/sample_inputs.rs
@@ -68,8 +68,7 @@
/// by `get_input_values_vector`.
pub fn make_sample_bcc_and_cdis() -> Result<(ZVec, ZVec, Vec<u8>)> {
let mut dice_ctx = dice::OpenDiceCborContext::new();
- let private_key_seed = dice_ctx
- .derive_cdi_private_key_seed(UDS)
+ let private_key_seed = dice::derive_cdi_private_key_seed(UDS)
.context("In make_sample_bcc_and_cdis: Trying to derive private key seed.")?;
let (public_key, _) =