TQ operations
This lets the upper layers perform signing operations
labbott committed Sep 9, 2024
1 parent f9498e8 commit 4e44683
Showing 6 changed files with 51 additions and 9 deletions.
11 changes: 9 additions & 2 deletions Cargo.lock


1 change: 1 addition & 0 deletions Cargo.toml
Expand Up @@ -37,6 +37,7 @@ serde_with = { version = "3.6", default-features = false }
serialport = { git = "https://github.com/jgallagher/serialport-rs", branch = "illumos-support" }
sha2 = "0.10"
sha3 = { version = "0.10", default-features = false }
static_assertions = { version = "1", default-features = false }
string-error = "0.1"
tempfile = { version = "3", default-features = false }
thiserror = "1.0.57"
3 changes: 2 additions & 1 deletion attest-data/Cargo.toml
@@ -1,6 +1,6 @@
[package]
name = "attest-data"
version = "0.2.0"
version = "0.3.0"
edition = "2021"

[dependencies]
Expand All @@ -11,6 +11,7 @@ salty.workspace = true
serde = { workspace = true, features = ["derive"] }
serde_with = { workspace = true, features = ["macros"] }
sha3.workspace = true
static_assertions.workspace = true

[features]
std = ["getrandom", "thiserror"]
23 changes: 18 additions & 5 deletions attest-data/src/messages.rs
Expand Up @@ -2,16 +2,17 @@
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at https://mozilla.org/MPL/2.0/.

use crate::NONCE_SIZE;
use crate::{NONCE_SIZE, SHA3_256_DIGEST_SIZE};
use hubpack::error::Error as HubpackError;
use hubpack::SerializedSize;
use serde::{de::DeserializeOwned, Deserialize, Serialize};

use hubpack::error::Error as HubpackError;

/// Magic value for [`Header::magic`]
pub const ATTEST_MAGIC: u32 = 0xA77E5700;

/// Right now `Attest` is the only command that takes data (nonce)
/// Right now `Attest` and `TqSign` are the only commands that take data
/// argumenets. They happen to be the same length but to be extra cautious
/// add a static assertion.
pub const MAX_DATA_LEN: usize = NONCE_SIZE;

pub const MAX_REQUEST_SIZE: usize =
Expand Down Expand Up @@ -56,6 +57,10 @@ pub enum HostToRotCommand {
/// Calculates sign(sha3_256(hubpack(measurement_log) | nonce))
/// and returns the result.
Attest,
/// Returns the certificate chain associated with TQ
GetTqCertificates,
/// Signs a 32 byte message with the TQ key
TqSign,
}

#[derive(Debug, Clone, Copy, PartialEq, Eq, Deserialize, Serialize)]
Expand Down Expand Up @@ -151,6 +156,8 @@ pub enum RotToHost {
RotCertificates,
RotMeasurementLog,
RotAttestation,
RotTqCertificates,
RotTqSign,
}

impl From<SprotError> for RotToHost {
Expand Down Expand Up @@ -185,7 +192,8 @@ pub fn parse_message(
match command {
// These commands don't take data
HostToRotCommand::GetCertificates
| HostToRotCommand::GetMeasurementLog => {
| HostToRotCommand::GetMeasurementLog
| HostToRotCommand::GetTqCertificates => {
if !leftover.is_empty() {
return Err(HostToRotError::IncorrectDataLen);
}
Expand All @@ -195,6 +203,11 @@ pub fn parse_message(
return Err(HostToRotError::IncorrectDataLen);
}
}
HostToRotCommand::TqSign => {
if leftover.len() != SHA3_256_DIGEST_SIZE {
return Err(HostToRotError::IncorrectDataLen);
}
}
}

Ok((command, leftover))
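Review bot: The new doc comment on `MAX_DATA_LEN` says a static assertion guards the `Attest` and `TqSign` payload lengths, but none of the 18 added lines shown for this file contains one, so `MAX_DATA_LEN` is still defined from `NONCE_SIZE` alone. If `SHA3_256_DIGEST_SIZE` ever differs from `NONCE_SIZE`, the new `TqSign` arm of `parse_message` would accept a payload length that anything sized from `MAX_DATA_LEN` (presumably including `MAX_REQUEST_SIZE`, whose definition is cut off here) no longer matches. Add the check next to the constant, for example `static_assertions::const_assert_eq!(NONCE_SIZE, SHA3_256_DIGEST_SIZE);`, which appears to be what the newly added `static_assertions` dependency is for. The same comment has a typo, `argumenets` for `arguments`. `parse_message` starts outside the visible lines.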
2 changes: 1 addition & 1 deletion verifier/Cargo.toml
@@ -1,6 +1,6 @@
[package]
name = "dice-verifier"
version = "0.1.0"
version = "0.2.0"
edition = "2021"
description = "a library crate implementing the attestation verifier"
license = "MPL-2.0"
20 changes: 20 additions & 0 deletions verifier/src/lib.rs
Expand Up @@ -229,6 +229,26 @@ impl PkiPathSignatureVerifier {
}
}

pub fn verify_signature(
cert: &Certificate,
hash: &[u8],
signature: &[u8],
) -> Result<()> {
use ed25519_dalek::{Signature, Verifier, VerifyingKey};

let signature = Signature::from_slice(signature)?;

let cert = cert
.tbs_certificate
.subject_public_key_info
.subject_public_key
.as_bytes()
.ok_or_else(|| anyhow!("Invalid / unaligned public key"))?;

let verifying_key = VerifyingKey::from_bytes(cert.try_into()?)?;
Ok(verifying_key.verify(hash, &signature)?)
}

pub fn verify_attestation(
alias: &Certificate,
attestation: &Attestation,
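Review bot: `verify_signature` interprets the certificate's `subject_public_key` bytes as an Ed25519 key without checking that the SubjectPublicKeyInfo algorithm is Ed25519, so a certificate carrying a 32-byte key of another type is treated as an Ed25519 verifying key. Compare `cert.tbs_certificate.subject_public_key_info.algorithm.oid` with the id-Ed25519 OID (1.3.101.112) and return an error on mismatch before building the `VerifyingKey`. The last line could use the stricter check, `Ok(verifying_key.verify_strict(hash, &signature)?)`, which additionally rejects weak (small-order) public keys. The function also has no doc comment: it should say that only the signature under the key in `cert` is checked, that the caller must already have validated `cert` against a trusted chain, and that `hash` is handed to Ed25519 as the message with no length check. Rebinding `cert` to the raw key bytes hides the certificate, and a name such as `public_key` would read better.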
