[dice] Move DiceKeypairFromSeed wrapper to diced_open_dice
This cl moves DiceKeypairFromSeed wrapper to diced_open_dice
and removes the crate diced_open_dice_cbor as it doesn't have
any code after moving out the function.
This cl also sets the type of PrivateKey and PrivateKeySeed to
struct so that their memory will be zeroed out when the struct
variable is dropped for security consideration. This is not
a complete solution for securing the sensitive data access: we
will clean up the memory cache of the sensitive data in a
follow-up cl.
Bug: 267575445
Test: atest diced_utils_test diced_sample_inputs_test \
diced_vendor_test diced_open_dice_cbor_test \
libdiced_open_dice_nostd.integration_test \
libdiced_open_dice.integration_test diced_open_dice_cbor_test
Change-Id: I6c9b1190bfc4238adc59b88b6f3ee8fdd5cbd8f0
diff --git a/diced/src/diced_client_test.rs b/diced/src/diced_client_test.rs
index 29d7295..7957f0a 100644
--- a/diced/src/diced_client_test.rs
+++ b/diced/src/diced_client_test.rs
@@ -19,8 +19,8 @@
use android_security_dice::aidl::android::security::dice::IDiceMaintenance::IDiceMaintenance;
use android_security_dice::aidl::android::security::dice::IDiceNode::IDiceNode;
use binder::Strong;
+use diced_open_dice as dice;
use diced_open_dice::DiceArtifacts;
-use diced_open_dice_cbor as dice;
use nix::libc::uid_t;
use std::convert::TryInto;
use std::ffi::CString;
diff --git a/diced/src/hal_node.rs b/diced/src/hal_node.rs
index 04602bd..33aeb2b 100644
--- a/diced/src/hal_node.rs
+++ b/diced/src/hal_node.rs
@@ -34,9 +34,8 @@
};
use anyhow::{Context, Result};
use binder::{BinderFeatures, Result as BinderResult, Strong};
-use dice::{ContextImpl, OpenDiceCborContext};
+use diced_open_dice as dice;
pub use diced_open_dice::DiceArtifacts;
-use diced_open_dice_cbor as dice;
use diced_utils as utils;
use nix::sys::wait::{waitpid, WaitStatus};
use nix::unistd::{
@@ -203,7 +202,6 @@
let signature: Vec<u8> = self
.with_effective_artifacts(input_values, |artifacts| {
let (cdi_attest, _, _) = artifacts.into_tuple();
- let mut dice = OpenDiceCborContext::new();
let seed = dice::derive_cdi_private_key_seed(
cdi_attest[..].try_into().with_context(|| {
format!(
@@ -213,24 +211,10 @@
})?,
)
.context("In ResidentHal::sign: Failed to derive seed from cdi_attest.")?;
- let (_public_key, private_key) = dice
- .keypair_from_seed(seed[..].try_into().with_context(|| {
- format!(
- "In ResidentHal::sign: Failed to convert seed (length: {}).",
- seed.len()
- )
- })?)
+ let (_public_key, private_key) = dice::keypair_from_seed(seed.as_array())
.context("In ResidentHal::sign: Failed to derive keypair from seed.")?;
- let signature = dice::sign(
- message,
- private_key[..].try_into().with_context(|| {
- format!(
- "In ResidentHal::sign: Failed to convert private_key (length: {}).",
- private_key.len()
- )
- })?,
- )
- .context("In ResidentHal::sign: Failed to sign.")?;
+ let signature = dice::sign(message, private_key.as_array())
+ .context("In ResidentHal::sign: Failed to sign.")?;
Ok(signature.to_vec())
})
.context("In ResidentHal::sign:")?;
@@ -333,7 +317,7 @@
InputValues::InputValues as BinderInputValues, Mode::Mode as BinderMode,
};
use anyhow::{anyhow, Context, Result};
- use diced_open_dice_cbor as dice;
+ use diced_open_dice as dice;
use diced_sample_inputs;
use diced_utils as utils;
use std::ffi::CStr;
diff --git a/diced/src/lib_vendor.rs b/diced/src/lib_vendor.rs
index 01c804b..a04bb80 100644
--- a/diced/src/lib_vendor.rs
+++ b/diced/src/lib_vendor.rs
@@ -17,4 +17,4 @@
mod error_vendor;
pub mod hal_node;
-pub use diced_open_dice_cbor as dice;
+pub use diced_open_dice as dice;
diff --git a/diced/src/sample_inputs.rs b/diced/src/sample_inputs.rs
index 824ee9e..6ad8ca9 100644
--- a/diced/src/sample_inputs.rs
+++ b/diced/src/sample_inputs.rs
@@ -19,9 +19,8 @@
Config::Config as BinderConfig, InputValues::InputValues as BinderInputValues, Mode::Mode,
};
use anyhow::{anyhow, Context, Result};
-use dice::ContextImpl;
+use diced_open_dice as dice;
use diced_open_dice::DiceArtifacts;
-use diced_open_dice_cbor as dice;
use diced_utils::{cbor, to_dice_input_values};
use std::ffi::CStr;
use std::io::Write;
@@ -66,16 +65,11 @@
/// Derives a tuple of (CDI_ATTEST, CDI_SEAL, BCC) derived of the vector of input values returned
/// by `get_input_values_vector`.
pub fn make_sample_bcc_and_cdis() -> Result<dice::OwnedDiceArtifacts> {
- let mut dice_ctx = dice::OpenDiceCborContext::new();
let private_key_seed = dice::derive_cdi_private_key_seed(UDS)
.context("In make_sample_bcc_and_cdis: Trying to derive private key seed.")?;
- let (public_key, _) =
- dice_ctx
- .keypair_from_seed(&private_key_seed[..].try_into().context(
- "In make_sample_bcc_and_cids: Failed to convert seed to array reference.",
- )?)
- .context("In make_sample_bcc_and_cids: Failed to generate key pair.")?;
+ let (public_key, _) = dice::keypair_from_seed(private_key_seed.as_array())
+ .context("In make_sample_bcc_and_cids: Failed to generate key pair.")?;
let input_values_vector = get_input_values_vector();