commit f59662dcf08ebdebcd68b07cffc3c29db9bae046
author Alice Wang <aliceywang@google.com> Fri Feb 10 16:07:56 2023 +0000
committer Alice Wang <aliceywang@google.com> Fri Feb 17 14:41:03 2023 +0000
tree efd6bb78c283d139089d53cc6869071071acc2be
parent 4d3059a1a70ec5fd9115279d9b06ce383d75855c

[dice] Move DiceKeypairFromSeed wrapper to diced_open_dice

This cl moves DiceKeypairFromSeed wrapper to diced_open_dice
and removes the crate diced_open_dice_cbor as it doesn't have
any code after moving out the function.

This cl also sets the type of PrivateKey and PrivateKeySeed to
struct so that their memory will be zeroed out when the struct
variable is dropped for security consideration. This is not
a complete solution for securing the sensitive data access: we
will clean up the memory cache of the sensitive data in a
follow-up cl.

Bug: 267575445
Test: atest diced_utils_test diced_sample_inputs_test \
diced_vendor_test diced_open_dice_cbor_test \
libdiced_open_dice_nostd.integration_test \
libdiced_open_dice.integration_test diced_open_dice_cbor_test

Change-Id: I6c9b1190bfc4238adc59b88b6f3ee8fdd5cbd8f0

diced/src/hal_node.rs

diff --git a/diced/src/hal_node.rs b/diced/src/hal_node.rs
index 04602bd..33aeb2b 100644
--- a/diced/src/hal_node.rs
+++ b/diced/src/hal_node.rs
@@ -34,9 +34,8 @@
 };
 use anyhow::{Context, Result};
 use binder::{BinderFeatures, Result as BinderResult, Strong};
-use dice::{ContextImpl, OpenDiceCborContext};
+use diced_open_dice as dice;
 pub use diced_open_dice::DiceArtifacts;
-use diced_open_dice_cbor as dice;
 use diced_utils as utils;
 use nix::sys::wait::{waitpid, WaitStatus};
 use nix::unistd::{
@@ -203,7 +202,6 @@
         let signature: Vec<u8> = self
             .with_effective_artifacts(input_values, |artifacts| {
                 let (cdi_attest, _, _) = artifacts.into_tuple();
-                let mut dice = OpenDiceCborContext::new();
                 let seed = dice::derive_cdi_private_key_seed(
                     cdi_attest[..].try_into().with_context(|| {
                         format!(
@@ -213,24 +211,10 @@
                     })?,
                 )
                 .context("In ResidentHal::sign: Failed to derive seed from cdi_attest.")?;
-                let (_public_key, private_key) = dice
-                    .keypair_from_seed(seed[..].try_into().with_context(|| {
-                        format!(
-                            "In ResidentHal::sign: Failed to convert seed (length: {}).",
-                            seed.len()
-                        )
-                    })?)
+                let (_public_key, private_key) = dice::keypair_from_seed(seed.as_array())
                     .context("In ResidentHal::sign: Failed to derive keypair from seed.")?;
-                let signature = dice::sign(
-                    message,
-                    private_key[..].try_into().with_context(|| {
-                        format!(
-                            "In ResidentHal::sign: Failed to convert private_key (length: {}).",
-                            private_key.len()
-                        )
-                    })?,
-                )
-                .context("In ResidentHal::sign: Failed to sign.")?;
+                let signature = dice::sign(message, private_key.as_array())
+                    .context("In ResidentHal::sign: Failed to sign.")?;
                 Ok(signature.to_vec())
             })
             .context("In ResidentHal::sign:")?;
@@ -333,7 +317,7 @@
         InputValues::InputValues as BinderInputValues, Mode::Mode as BinderMode,
     };
     use anyhow::{anyhow, Context, Result};
-    use diced_open_dice_cbor as dice;
+    use diced_open_dice as dice;
     use diced_sample_inputs;
     use diced_utils as utils;
     use std::ffi::CStr;