Move building of proto generated files to their own crates.
ernoc committed Jan 4, 2024
1 parent 884dda5 commit 3281161
Showing 36 changed files with 234 additions and 137 deletions.
27 changes: 24 additions & 3 deletions Cargo.lock


2 changes: 2 additions & 0 deletions Cargo.toml
@@ -100,6 +100,8 @@ oak_grpc_utils = { path = "./oak_grpc_utils" }
oak_launcher_utils = { path = "./oak_launcher_utils" }
oak_linux_boot_params = { path = "./linux_boot_params" }
oak_logger = { path = "./oak_functions/logger" }
oak_attestation_proto = { path = "./proto/attestation" }
oak_functions_proto = { path = "./proto/oak_functions" }
oak_remote_attestation = { path = "./oak_remote_attestation" }
oak_restricted_kernel_dice = { path = "./oak_restricted_kernel_dice" }
oak_restricted_kernel_sdk = { path = "./oak_restricted_kernel_sdk" }
10 changes: 9 additions & 1 deletion enclave_apps/Cargo.lock


1 change: 0 additions & 1 deletion fuzz/Cargo.lock


4 changes: 1 addition & 3 deletions oak_attestation_verification/Cargo.toml
@@ -13,13 +13,11 @@ coset = { version = "*", default-features = false }
ecdsa = { version = "*", features = ["pkcs8", "pem"] }
hex = "*"
oak_dice = { workspace = true }
oak_attestation_proto = { workspace = true }
prost = { workspace = true }
p256 = { version = "*", features = ["ecdsa-core", "ecdsa", "pem"] }
serde = { version = "*", features = ["derive"] }
serde_jcs = "*"
serde_json = "*"
sha2 = { version = "*", default-features = false }
time = { version = "0.3.28", features = ["serde", "parsing", "formatting"] }

[build-dependencies]
prost-build = { workspace = true }
2 changes: 1 addition & 1 deletion oak_attestation_verification/src/claims.rs
@@ -21,9 +21,9 @@
extern crate alloc;

use crate::proto::oak::HexDigest;
use alloc::{collections::BTreeMap, string::String, vec::Vec};
use anyhow::Context;
use oak_attestation_proto::oak::HexDigest;
use serde::{Deserialize, Serialize};
use time::OffsetDateTime;

2 changes: 1 addition & 1 deletion oak_attestation_verification/src/endorsement.rs
@@ -21,12 +21,12 @@ use crate::{
get_digest, parse_endorsement_statement, validate_endorsement, verify_validity_duration,
EndorsementStatement,
},
proto::oak::HexDigest,
rekor::{get_rekor_log_entry_body, verify_rekor_log_entry},
util::{convert_pem_to_raw, equal_keys, is_hex_digest_match, MatchResult},
};
use anyhow::Context;
use base64::{prelude::BASE64_STANDARD, Engine as _};
use oak_attestation_proto::oak::HexDigest;

/// Compares the digest contained in the endorsement against the given one.
pub fn verify_binary_digest(
18 changes: 0 additions & 18 deletions oak_attestation_verification/src/lib.rs
@@ -19,24 +19,6 @@

extern crate alloc;

// Inlined from tonic::include_proto in order to cut dependency on tonic.
macro_rules! include_proto {
($package: tt) => {
include!(concat!(env!("OUT_DIR"), concat!("/", $package, ".rs")));
};
}

pub mod proto {
pub mod oak {
include_proto!("oak");
pub mod attestation {
pub mod v1 {
include_proto!("oak.attestation.v1");
}
}
}
}

pub mod claims;
pub mod endorsement;
pub mod rekor;
2 changes: 1 addition & 1 deletion oak_attestation_verification/src/util.rs
@@ -14,12 +14,12 @@
// limitations under the License.
//

use crate::proto::oak::{HexDigest, RawDigest};
use alloc::{string::String, vec::Vec};
use anyhow::Context;
use base64::{prelude::BASE64_STANDARD, Engine as _};
use core::{cmp::Ordering, str::FromStr};
use ecdsa::{signature::Verifier, Signature};
use oak_attestation_proto::oak::{HexDigest, RawDigest};
use p256::ecdsa::VerifyingKey;
use sha2::{Digest, Sha256, Sha384, Sha512};

58 changes: 29 additions & 29 deletions oak_attestation_verification/src/verifier.rs
@@ -20,20 +20,6 @@ use crate::{
alloc::string::ToString,
claims::{get_digest, parse_endorsement_statement},
endorsement::verify_binary_endorsement,
proto::oak::{
attestation::v1::{
attestation_results::Status, binary_reference_value, endorsements, reference_values,
ApplicationKeys, ApplicationLayerEndorsements, ApplicationLayerReferenceValues,
AttestationResults, BinaryReferenceValue, CbEndorsements, CbReferenceValues,
ContainerLayerEndorsements, ContainerLayerReferenceValues, Endorsements, Evidence,
KernelLayerEndorsements, KernelLayerReferenceValues, LayerEvidence,
OakContainersEndorsements, OakContainersReferenceValues,
OakRestrictedKernelEndorsements, OakRestrictedKernelReferenceValues, ReferenceValues,
RootLayerEndorsements, RootLayerEvidence, RootLayerReferenceValues,
SystemLayerEndorsements, SystemLayerReferenceValues, TransparentReleaseEndorsement,
},
RawDigest,
},
util::{
hex_to_raw_digest, is_hex_digest_match, is_raw_digest_match, raw_to_hex_digest, MatchResult,
},
@@ -42,6 +28,20 @@ use crate::{
use alloc::vec::Vec;
use coset::{cbor::Value, cwt::ClaimsSet, CborSerializable, CoseKey, RegisteredLabelWithPrivate};
use ecdsa::{signature::Verifier, Signature};
use oak_attestation_proto::oak::{
attestation::v1::{
attestation_results::Status, binary_reference_value, endorsements, reference_values,
ApplicationKeys, ApplicationLayerEndorsements, ApplicationLayerReferenceValues,
AttestationResults, BinaryReferenceValue, CbEndorsements, CbReferenceValues,
ContainerLayerEndorsements, ContainerLayerReferenceValues, Endorsements, Evidence,
KernelLayerEndorsements, KernelLayerReferenceValues, LayerEvidence,
OakContainersEndorsements, OakContainersReferenceValues, OakRestrictedKernelEndorsements,
OakRestrictedKernelReferenceValues, ReferenceValues, RootLayerEndorsements,
RootLayerEvidence, RootLayerReferenceValues, SystemLayerEndorsements,
SystemLayerReferenceValues, TransparentReleaseEndorsement,
},
RawDigest,
};
use oak_dice::cert::{
cose_key_to_hpke_public_key, cose_key_to_verifying_key, get_public_key_from_claims_set,
ACPI_MEASUREMENT_ID, CONTAINER_IMAGE_ID, ENCLAVE_APPLICATION_LAYER_ID, INITRD_MEASUREMENT_ID,
@@ -58,21 +58,21 @@ pub struct DiceChainResult {
signing_public_key: Vec<u8>,
}

impl From<&anyhow::Result<DiceChainResult>> for AttestationResults {
fn from(value: &anyhow::Result<DiceChainResult>) -> Self {
match value {
Ok(dice_chain_result) => AttestationResults {
status: Status::Success.into(),
encryption_public_key: dice_chain_result.encryption_public_key.clone(),
signing_public_key: dice_chain_result.signing_public_key.clone(),
..Default::default()
},
Err(err) => AttestationResults {
status: Status::GenericFailure.into(),
reason: err.to_string(),
..Default::default()
},
}
pub fn to_attestation_results(
verify_result: &anyhow::Result<DiceChainResult>,
) -> AttestationResults {
match verify_result {
Ok(dice_chain_result) => AttestationResults {
status: Status::Success.into(),
encryption_public_key: dice_chain_result.encryption_public_key.clone(),
signing_public_key: dice_chain_result.signing_public_key.clone(),
..Default::default()
},
Err(err) => AttestationResults {
status: Status::GenericFailure.into(),
reason: err.to_string(),
..Default::default()
},
}
}

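Review bot: The new public `to_attestation_results` in the last hunk of verifier.rs has no doc comment, even though it replaces a `From` impl that callers previously reached through `.into()`; add `/// Maps the outcome of DICE chain verification to an `AttestationResults`: on `Ok` the status is `Success` and the encryption and signing public keys are copied over, on `Err` the status is `GenericFailure` and `reason` carries the error message.` Note that `err.to_string()` renders only the outermost `anyhow` message, so any `.context(...)` attached lower in the chain is dropped from `reason`; if verifiers consuming this result rely on that detail for diagnostics, `reason: format!("{err:#}")` keeps the full chain. The move from `impl From` to a free function is presumably forced by the orphan rule now that `AttestationResults` lives in `oak_attestation_proto`, so any remaining `AttestationResults::from(&result)` or `.into()` call sites outside this diff will need the same update.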
3 changes: 2 additions & 1 deletion oak_attestation_verification/tests/endorsement_tests.rs
@@ -25,11 +25,12 @@ use oak_attestation_verification::{
verify_binary_digest, verify_binary_endorsement, verify_endorsement_statement,
verify_endorser_public_key,
},
proto::oak::HexDigest,
rekor::{verify_rekor_log_entry, verify_rekor_signature},
util::{convert_pem_to_raw, MatchResult},
};

use oak_attestation_proto::oak::HexDigest;

const BINARY_DIGEST: &str = "39051983bbb600bbfb91bd22ee4c976420f8f0c6a895fd083dcb0d153ddd5fd6";
const ENDORSEMENT_PATH: &str = "testdata/endorsement.json";

