diff --git a/cc/attestation/verification/BUILD b/cc/attestation/verification/BUILD index 81bc43c94c5..0e02f2f5147 100644 --- a/cc/attestation/verification/BUILD +++ b/cc/attestation/verification/BUILD @@ -36,11 +36,22 @@ cc_library( hdrs = ["insecure_attestation_verifier.h"], deps = [ ":attestation_verifier", - "//cc/utils/cose:cwt", + ":utils", "//proto/attestation:endorsement_cc_proto", "//proto/attestation:evidence_cc_proto", "//proto/attestation:verification_cc_proto", "@com_google_absl//absl/status:statusor", + ], +) + +cc_library( + name = "utils", + srcs = ["utils.cc"], + hdrs = ["utils.h"], + deps = [ + "//cc/utils/cose:cwt", + "//proto/attestation:evidence_cc_proto", + "@com_google_absl//absl/status:statusor", "@com_google_absl//absl/strings", ], ) diff --git a/cc/attestation/verification/insecure_attestation_verifier.cc b/cc/attestation/verification/insecure_attestation_verifier.cc index 436cd5f400e..9db2704ef24 100644 --- a/cc/attestation/verification/insecure_attestation_verifier.cc +++ b/cc/attestation/verification/insecure_attestation_verifier.cc @@ -20,8 +20,7 @@ #include #include "absl/status/statusor.h" -#include "absl/strings/string_view.h" -#include "cc/utils/cose/cwt.h" +#include "cc/attestation/verification/utils.h" #include "proto/attestation/endorsement.pb.h" #include "proto/attestation/evidence.pb.h" #include "proto/attestation/verification.pb.h" @@ -32,32 +31,26 @@ namespace { using ::oak::attestation::v1::AttestationResults; using ::oak::attestation::v1::Endorsements; using ::oak::attestation::v1::Evidence; -using ::oak::utils::cose::Cwt; } // namespace absl::StatusOr InsecureAttestationVerifier::Verify( std::chrono::time_point now, const Evidence& evidence, const Endorsements& endorsements) const { - absl::StatusOr encryption_public_key = - ExtractEncryptionPublicKey(evidence.application_keys().encryption_public_key_certificate()); + absl::StatusOr encryption_public_key = ExtractEncryptionPublicKey(evidence); if (!encryption_public_key.ok()) { return encryption_public_key.status(); } + absl::StatusOr signing_public_key = ExtractSigningPublicKey(evidence); + if (!signing_public_key.ok()) { + return signing_public_key.status(); + } + AttestationResults attestation_results; *attestation_results.mutable_encryption_public_key() = *encryption_public_key; + *attestation_results.mutable_signing_public_key() = *signing_public_key; return attestation_results; } -absl::StatusOr InsecureAttestationVerifier::ExtractEncryptionPublicKey( - absl::string_view certificate) const { - auto cwt = Cwt::Deserialize(certificate); - if (!cwt.ok()) { - return cwt.status(); - } - auto public_key = cwt->subject_public_key.GetPublicKey(); - return std::string(public_key.begin(), public_key.end()); -} - } // namespace oak::attestation::verification diff --git a/cc/attestation/verification/insecure_attestation_verifier.h b/cc/attestation/verification/insecure_attestation_verifier.h index 683872b9515..c812e7c47f6 100644 --- a/cc/attestation/verification/insecure_attestation_verifier.h +++ b/cc/attestation/verification/insecure_attestation_verifier.h @@ -21,7 +21,6 @@ #include #include "absl/status/statusor.h" -#include "absl/strings/string_view.h" #include "cc/attestation/verification/attestation_verifier.h" #include "proto/attestation/endorsement.pb.h" #include "proto/attestation/evidence.pb.h" @@ -37,9 +36,6 @@ class InsecureAttestationVerifier : public AttestationVerifier { std::chrono::time_point now, const ::oak::attestation::v1::Evidence& evidence, const ::oak::attestation::v1::Endorsements& endorsements) const override; - - private: - absl::StatusOr ExtractEncryptionPublicKey(absl::string_view certificate) const; }; } // namespace oak::attestation::verification diff --git a/cc/attestation/verification/utils.cc b/cc/attestation/verification/utils.cc new file mode 100644 index 00000000000..931946cbac9 --- /dev/null +++ b/cc/attestation/verification/utils.cc @@ -0,0 +1,53 @@ +/* + * Copyright 2023 The Project Oak Authors + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "cc/attestation/verification/utils.h" + +#include +#include + +#include "absl/status/statusor.h" +#include "absl/strings/string_view.h" +#include "cc/utils/cose/cwt.h" +#include "proto/attestation/evidence.pb.h" + +namespace oak::attestation::verification { + +namespace { +using ::oak::attestation::v1::Evidence; +using ::oak::utils::cose::Cwt; +} // namespace + +absl::StatusOr ExtractPublicKey(absl::string_view certificate) { + auto cwt = Cwt::Deserialize(certificate); + if (!cwt.ok()) { + return cwt.status(); + } + auto public_key = cwt->subject_public_key.GetPublicKey(); + return std::string(public_key.begin(), public_key.end()); +} + +absl::StatusOr ExtractEncryptionPublicKey( + const ::oak::attestation::v1::Evidence& evidence) { + return ExtractPublicKey(evidence.application_keys().encryption_public_key_certificate()); +} + +absl::StatusOr ExtractSigningPublicKey( + const ::oak::attestation::v1::Evidence& evidence) { + return ExtractPublicKey(evidence.application_keys().signing_public_key_certificate()); +} + +} // namespace oak::attestation::verification diff --git a/cc/attestation/verification/utils.h b/cc/attestation/verification/utils.h new file mode 100644 index 00000000000..ff6e79fd2a5 --- /dev/null +++ b/cc/attestation/verification/utils.h @@ -0,0 +1,35 @@ +/* + * Copyright 2023 The Project Oak Authors + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef CC_ATTESTATION_VERIFICATION_UTILS_H_ +#define CC_ATTESTATION_VERIFICATION_UTILS_H_ + +#include + +#include "absl/status/statusor.h" +#include "proto/attestation/evidence.pb.h" + +namespace oak::attestation::verification { + +absl::StatusOr ExtractEncryptionPublicKey( + const ::oak::attestation::v1::Evidence& evidence); + +absl::StatusOr ExtractSigningPublicKey( + const ::oak::attestation::v1::Evidence& evidence); + +} // namespace oak::attestation::verification + +#endif // CC_ATTESTATION_VERIFICATION_ATTESTATION_VERIFIER_H_