Skip to content

Commit

Permalink
TQ opertaions
Browse files Browse the repository at this point in the history
  • Loading branch information
labbott committed Aug 5, 2024
1 parent 37d6ef5 commit fb7746a
Show file tree
Hide file tree
Showing 5 changed files with 57 additions and 8 deletions.
7 changes: 7 additions & 0 deletions Cargo.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 1 addition & 0 deletions Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,7 @@ serde_with = { version = "3.6", default-features = false }
serialport = { git = "https://github.com/jgallagher/serialport-rs", branch = "illumos-support" }
sha2 = "0.10"
sha3 = { version = "0.10", default-features = false }
static_assertions = { version = "1", default-features = false }
string-error = "0.1"
tempfile = { version = "3", default-features = false }
thiserror = "1.0.57"
Expand Down
1 change: 1 addition & 0 deletions attest-data/Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@ salty.workspace = true
serde = { workspace = true, features = ["derive"] }
serde_with = { workspace = true, features = ["macros"] }
sha3.workspace = true
static_assertions.workspace = true

[features]
std = ["getrandom", "thiserror"]
36 changes: 28 additions & 8 deletions attest-data/src/messages.rs
Original file line number Diff line number Diff line change
Expand Up @@ -2,18 +2,21 @@
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at https://mozilla.org/MPL/2.0/.

use crate::NONCE_SIZE;
use crate::{NONCE_SIZE, SHA3_256_DIGEST_SIZE};
use hubpack::error::Error as HubpackError;
use hubpack::SerializedSize;
use serde::{de::DeserializeOwned, Deserialize, Serialize};

use hubpack::error::Error as HubpackError;

/// Magic value for [`Header::magic`]
pub const ATTEST_MAGIC: u32 = 0xA77E5700;

/// Right now `Attest` is the only command that takes data (nonce)
/// Right now `Attest` and `TqSign` are the only commands that take data
/// argumenets. They happen to be the same length but to be extra cautious
/// add a static assertion.
pub const MAX_DATA_LEN: usize = NONCE_SIZE;

static_assertions::const_assert!(SHA3_256_DIGEST_SIZE == 32);

pub const MAX_REQUEST_SIZE: usize =
HostRotHeader::MAX_SIZE + HostToRotCommand::MAX_SIZE + MAX_DATA_LEN;

Expand Down Expand Up @@ -49,13 +52,17 @@ impl HostRotHeader {
)]
#[repr(u32)]
pub enum HostToRotCommand {
/// Returns the certificate chain associated with the RoT
/// Returns the certificate chain associated with the RoT-M
GetCertificates,
/// Returns the measurement log
GetMeasurementLog,
/// Calculates sign(sha3_256(hubpack(measurement_log) | nonce))
/// and returns the result.
Attest,
/// Returns the certificate chain associated with TQ
GetTqCertificates,
/// Signs a sha3_256 message with the TQ key
TqSign,
}

#[derive(Debug, Clone, Copy, PartialEq, Eq, Deserialize, Serialize)]
Expand Down Expand Up @@ -149,6 +156,8 @@ pub enum RotToHost {
RotCertificates,
RotMeasurementLog,
RotAttestation,
RotTqCertificates,
RotTqSign,
}

impl From<SprotError> for RotToHost {
Expand Down Expand Up @@ -183,7 +192,8 @@ pub fn parse_message(
match command {
// These commands don't take data
HostToRotCommand::GetCertificates
| HostToRotCommand::GetMeasurementLog => {
| HostToRotCommand::GetMeasurementLog
| HostToRotCommand::GetTqCertificates => {
if !leftover.is_empty() {
return Err(HostToRotError::IncorrectDataLen);
}
Expand All @@ -193,6 +203,11 @@ pub fn parse_message(
return Err(HostToRotError::IncorrectDataLen);
}
}
HostToRotCommand::TqSign => {
if leftover.len() != SHA3_256_DIGEST_SIZE {
return Err(HostToRotError::IncorrectDataLen);
}
}
}

Ok((command, leftover))
Expand All @@ -213,8 +228,13 @@ pub fn parse_response(
return Err(HostToRotError::VersionMismatch);
}

if command != expected {
return Err(HostToRotError::UnexpectedCommand);
match command {
RotToHost::HostToRotError(e) => return Err(e),
c => {
if c != expected {
return Err(HostToRotError::UnexpectedCommand);
}
}
}
Ok(leftover)
}
Expand Down
20 changes: 20 additions & 0 deletions verifier/src/lib.rs
Original file line number Diff line number Diff line change
Expand Up @@ -229,6 +229,26 @@ impl PkiPathSignatureVerifier {
}
}

pub fn verify_signature(
alias: &Certificate,
hash: &[u8],
signature: &[u8],
) -> Result<()> {
use ed25519_dalek::{Signature, Verifier, VerifyingKey};

let signature = Signature::from_slice(signature)?;

let alias = alias
.tbs_certificate
.subject_public_key_info
.subject_public_key
.as_bytes()
.ok_or_else(|| anyhow!("Invalid / unaligned public key"))?;

let verifying_key = VerifyingKey::from_bytes(alias.try_into()?)?;
Ok(verifying_key.verify(&hash, &signature)?)
}

pub fn verify_attestation(
alias: &Certificate,
attestation: &Attestation,
Expand Down

0 comments on commit fb7746a

Please sign in to comment.