Skip to content

Commit

Permalink
TQ opertaions
Browse files Browse the repository at this point in the history
  • Loading branch information
labbott committed Aug 27, 2024
1 parent f9498e8 commit a733137
Show file tree
Hide file tree
Showing 5 changed files with 50 additions and 6 deletions.
7 changes: 7 additions & 0 deletions Cargo.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 1 addition & 0 deletions Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,7 @@ serde_with = { version = "3.6", default-features = false }
serialport = { git = "https://github.com/jgallagher/serialport-rs", branch = "illumos-support" }
sha2 = "0.10"
sha3 = { version = "0.10", default-features = false }
static_assertions = { version = "1", default-features = false }
string-error = "0.1"
tempfile = { version = "3", default-features = false }
thiserror = "1.0.57"
Expand Down
1 change: 1 addition & 0 deletions attest-data/Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@ salty.workspace = true
serde = { workspace = true, features = ["derive"] }
serde_with = { workspace = true, features = ["macros"] }
sha3.workspace = true
static_assertions.workspace = true

[features]
std = ["getrandom", "thiserror"]
27 changes: 21 additions & 6 deletions attest-data/src/messages.rs
Original file line number Diff line number Diff line change
Expand Up @@ -2,18 +2,21 @@
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at https://mozilla.org/MPL/2.0/.

use crate::NONCE_SIZE;
use crate::{NONCE_SIZE, SHA3_256_DIGEST_SIZE};
use hubpack::error::Error as HubpackError;
use hubpack::SerializedSize;
use serde::{de::DeserializeOwned, Deserialize, Serialize};

use hubpack::error::Error as HubpackError;

/// Magic value for [`Header::magic`]
pub const ATTEST_MAGIC: u32 = 0xA77E5700;

/// Right now `Attest` is the only command that takes data (nonce)
/// Right now `Attest` and `TqSign` are the only commands that take data
/// argumenets. They happen to be the same length but to be extra cautious
/// add a static assertion.
pub const MAX_DATA_LEN: usize = NONCE_SIZE;

static_assertions::const_assert!(SHA3_256_DIGEST_SIZE == 32);

pub const MAX_REQUEST_SIZE: usize =
HostRotHeader::MAX_SIZE + HostToRotCommand::MAX_SIZE + MAX_DATA_LEN;

Expand Down Expand Up @@ -49,13 +52,17 @@ impl HostRotHeader {
)]
#[repr(u32)]
pub enum HostToRotCommand {
/// Returns the certificate chain associated with the RoT
/// Returns the certificate chain associated with the RoT-M
GetCertificates,
/// Returns the measurement log
GetMeasurementLog,
/// Calculates sign(sha3_256(hubpack(measurement_log) | nonce))
/// and returns the result.
Attest,
/// Returns the certificate chain associated with TQ
GetTqCertificates,
/// Signs a sha3_256 message with the TQ key
TqSign,
}

#[derive(Debug, Clone, Copy, PartialEq, Eq, Deserialize, Serialize)]
Expand Down Expand Up @@ -151,6 +158,8 @@ pub enum RotToHost {
RotCertificates,
RotMeasurementLog,
RotAttestation,
RotTqCertificates,
RotTqSign,
}

impl From<SprotError> for RotToHost {
Expand Down Expand Up @@ -185,7 +194,8 @@ pub fn parse_message(
match command {
// These commands don't take data
HostToRotCommand::GetCertificates
| HostToRotCommand::GetMeasurementLog => {
| HostToRotCommand::GetMeasurementLog
| HostToRotCommand::GetTqCertificates => {
if !leftover.is_empty() {
return Err(HostToRotError::IncorrectDataLen);
}
Expand All @@ -195,6 +205,11 @@ pub fn parse_message(
return Err(HostToRotError::IncorrectDataLen);
}
}
HostToRotCommand::TqSign => {
if leftover.len() != SHA3_256_DIGEST_SIZE {
return Err(HostToRotError::IncorrectDataLen);
}
}
}

Ok((command, leftover))
Expand Down
20 changes: 20 additions & 0 deletions verifier/src/lib.rs
Original file line number Diff line number Diff line change
Expand Up @@ -229,6 +229,26 @@ impl PkiPathSignatureVerifier {
}
}

pub fn verify_signature(
alias: &Certificate,
hash: &[u8],
signature: &[u8],
) -> Result<()> {
use ed25519_dalek::{Signature, Verifier, VerifyingKey};

let signature = Signature::from_slice(signature)?;

let alias = alias
.tbs_certificate
.subject_public_key_info
.subject_public_key
.as_bytes()
.ok_or_else(|| anyhow!("Invalid / unaligned public key"))?;

let verifying_key = VerifyingKey::from_bytes(alias.try_into()?)?;
Ok(verifying_key.verify(&hash, &signature)?)
}

pub fn verify_attestation(
alias: &Certificate,
attestation: &Attestation,
Expand Down

0 comments on commit a733137

Please sign in to comment.