[dice] Add API to derive CDI_Leaf_Priv from DiceArtifacts

This function will be used in several places for pVM
remote attestation.

Bug: 303807447
Test: atest libdiced_sample_inputs.integration_test \
libdiced_sample_inputs_nostd.integration_test

Change-Id: I6f45ff35c6e48eb42a32d28c1eb3e851859db655
diff --git a/diced/open_dice/src/lib.rs b/diced/open_dice/src/lib.rs
index 83ae07f..d0004b1 100644
--- a/diced/open_dice/src/lib.rs
+++ b/diced/open_dice/src/lib.rs
@@ -40,7 +40,9 @@
     PublicKey, Signature, CDI_SIZE, HASH_SIZE, HIDDEN_SIZE, ID_SIZE, PRIVATE_KEY_SEED_SIZE,
 };
 pub use error::{DiceError, Result};
-pub use ops::{generate_certificate, hash, kdf, keypair_from_seed, sign, verify};
+pub use ops::{
+    derive_cdi_leaf_priv, generate_certificate, hash, kdf, keypair_from_seed, sign, verify,
+};
 #[cfg(feature = "alloc")]
 pub use retry::{
     retry_bcc_format_config_descriptor, retry_bcc_main_flow, retry_dice_main_flow,
diff --git a/diced/open_dice/src/ops.rs b/diced/open_dice/src/ops.rs
index 6b9202a..fe981df 100644
--- a/diced/open_dice/src/ops.rs
+++ b/diced/open_dice/src/ops.rs
@@ -17,8 +17,8 @@
 //! main DICE functions depend on.
 
 use crate::dice::{
-    Hash, InputValues, PrivateKey, PublicKey, Signature, HASH_SIZE, PRIVATE_KEY_SEED_SIZE,
-    PRIVATE_KEY_SIZE, PUBLIC_KEY_SIZE, SIGNATURE_SIZE,
+    derive_cdi_private_key_seed, DiceArtifacts, Hash, InputValues, PrivateKey, PublicKey,
+    Signature, HASH_SIZE, PRIVATE_KEY_SEED_SIZE, PRIVATE_KEY_SIZE, PUBLIC_KEY_SIZE, SIGNATURE_SIZE,
 };
 use crate::error::{check_result, Result};
 use open_dice_cbor_bindgen::{
@@ -91,6 +91,16 @@
     Ok((public_key, private_key))
 }
 
+/// Derives the CDI_Leaf_Priv from the provided `dice_artifacts`.
+///
+/// The corresponding public key is included in the leaf certificate of the DICE chain
+/// contained in `dice_artifacts`.
+pub fn derive_cdi_leaf_priv(dice_artifacts: &dyn DiceArtifacts) -> Result<PrivateKey> {
+    let cdi_priv_key_seed = derive_cdi_private_key_seed(dice_artifacts.cdi_attest())?;
+    let (_, private_key) = keypair_from_seed(cdi_priv_key_seed.as_array())?;
+    Ok(private_key)
+}
+
 /// Signs the `message` with the give `private_key` using `DiceSign`.
 pub fn sign(message: &[u8], private_key: &[u8; PRIVATE_KEY_SIZE]) -> Result<Signature> {
     let mut signature = [0u8; SIGNATURE_SIZE];
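Review bot: The doc comment on `derive_cdi_leaf_priv` ties the returned key to the leaf certificate of the chain in `dice_artifacts`, but the body only reads `dice_artifacts.cdi_attest()` and never reads the chain, so that link is an assumption about the caller's artifacts rather than something checked here. I would say so in the doc, e.g. `/// Only `dice_artifacts.cdi_attest()` is read; the DICE chain is not inspected or checked against the derived key.`, and add an `# Errors` section noting that failures from `derive_cdi_private_key_seed` and `keypair_from_seed` are propagated. Because the result is the attestation signing key, the doc should also tell callers to keep it short-lived and out of logs. The definitions of `PrivateKey` and of the seed type are not visible in this diff, so it is worth confirming that both are wiped on drop, since the intermediate `cdi_priv_key_seed` otherwise lingers on the stack after return.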