From e7c76de7f54ef58527bc7ee59ca7f2e8e32c22fb Mon Sep 17 00:00:00 2001 From: Jason LeBrun Date: Fri, 14 Feb 2025 16:51:25 +0000 Subject: [PATCH] Move standalone helpers into oak_sdk * Alter naming since standalone doesn't really use an "Orchestrator". Instead, just direclty return the fake EndorsedEvidence and encryption key handle. * Move StandaloneEncryptionKeyHandle to StaticEncryptionKeyHandle in common SDK. * Remove currently unused StandaloneInstanceSigner Bug: b/357921050 Change-Id: I293506dbf8cb634411719d6a5016f209210821d1 --- cc/containers/sdk/standalone/BUILD | 4 +- oak_attestation_integration_tests/BUILD | 4 +- .../src/create.rs | 22 ++- .../tests/verifier_tests.rs | 7 +- .../examples/hello_world/enclave_app/BUILD | 1 + .../enclave_app/tests/standalone_test.rs | 27 ++-- oak_containers_sdk/BUILD | 16 --- oak_containers_sdk/src/lib.rs | 1 - oak_sdk/common/BUILD | 1 + oak_sdk/common/crypto/BUILD | 34 +++++ .../common/crypto/encryption_key_handle.rs | 41 ++++++ oak_sdk/common/lib.rs | 1 + oak_sdk/standalone/BUILD | 57 ++++++++ .../standalone}/ffi/standalone_c.rs | 8 +- .../src => oak_sdk/standalone}/standalone.rs | 125 +++++++----------- 15 files changed, 218 insertions(+), 131 deletions(-) create mode 100644 oak_sdk/common/crypto/BUILD create mode 100644 oak_sdk/common/crypto/encryption_key_handle.rs create mode 100644 oak_sdk/standalone/BUILD rename {oak_containers_sdk/src => oak_sdk/standalone}/ffi/standalone_c.rs (93%) rename {oak_containers_sdk/src => oak_sdk/standalone}/standalone.rs (73%) diff --git a/cc/containers/sdk/standalone/BUILD b/cc/containers/sdk/standalone/BUILD index d2189f7fdb..b239e65bc5 100644 --- a/cc/containers/sdk/standalone/BUILD +++ b/cc/containers/sdk/standalone/BUILD @@ -29,7 +29,7 @@ cc_library( "//cc/crypto:encryption_key", "//cc/crypto:server_encryptor", "//cc/crypto/hpke:recipient_context", - "//oak_containers_sdk:ffi", + "//oak_sdk/standalone:ffi", "//proto/session:messages_cc_proto", "@com_google_absl//absl/log", "@com_google_absl//absl/status:statusor", @@ -43,7 +43,7 @@ cc_test( ":oak_standalone", "//cc/attestation/verification:attestation_verifier", "//cc/attestation/verification:insecure_attestation_verifier", - "//oak_containers_sdk:ffi", + "//oak_sdk/standalone:ffi", "//proto/attestation:verification_cc_proto", "//proto/session:messages_cc_proto", "@com_google_absl//absl/log", diff --git a/oak_attestation_integration_tests/BUILD b/oak_attestation_integration_tests/BUILD index af55907f94..aa9454bba1 100644 --- a/oak_attestation_integration_tests/BUILD +++ b/oak_attestation_integration_tests/BUILD @@ -36,8 +36,8 @@ rust_library( ], crate_name = "oak_attestation_integration_tests", deps = [ - "//oak_containers_sdk", "//oak_proto_rust", + "//oak_sdk/standalone:oak_sdk_standalone", "@oak_crates_index//:anyhow", "@oak_crates_index//:assert-json-diff", "@oak_crates_index//:prost", @@ -100,10 +100,10 @@ rust_test_suite( "//oak_attestation", "//oak_attestation_types", "//oak_attestation_verification", - "//oak_containers_sdk", "//oak_dice", "//oak_proto_rust", "//oak_restricted_kernel_sdk", + "//oak_sdk/standalone:oak_sdk_standalone", "//stage0_dice", "@oak_crates_index//:prost", "@oak_crates_index//:prost-types", diff --git a/oak_attestation_integration_tests/src/create.rs b/oak_attestation_integration_tests/src/create.rs index 91fd7196d0..a0c4b2a193 100644 --- a/oak_attestation_integration_tests/src/create.rs +++ b/oak_attestation_integration_tests/src/create.rs @@ -14,7 +14,6 @@ // limitations under the License. // -use oak_containers_sdk::standalone::StandaloneOrchestrator; use oak_proto_rust::oak::{ attestation::v1::{ binary_reference_value, kernel_binary_reference_value, reference_values, @@ -27,6 +26,7 @@ use oak_proto_rust::oak::{ session::v1::EndorsedEvidence, RawDigest, }; +use oak_sdk_standalone::Standalone; use sha2::Digest; /// Creates reference values that match the supplied digests and images @@ -133,17 +133,13 @@ pub async fn oak_containers_standalone_endorsed_evidence_with_matching_reference application_image, &application_config, ); - let endorsed_evidence = { - let orchestrator = StandaloneOrchestrator::builder() - .stage0_measurements(stage0_measurements) - .stage1_system_image(stage1_system_image) - .application_image(application_image) - .application_config(application_config) - .build() - .expect("failed to create StandaloneOrchestrator"); + let standalone = Standalone::builder() + .stage0_measurements(stage0_measurements) + .stage1_system_image(stage1_system_image) + .application_image(application_image) + .application_config(application_config) + .build() + .expect("failed to create Standalone"); - orchestrator.get_endorsed_evidence() - }; - - (endorsed_evidence, reference_values) + (standalone.endorsed_evidence(), reference_values) } diff --git a/oak_attestation_integration_tests/tests/verifier_tests.rs b/oak_attestation_integration_tests/tests/verifier_tests.rs index 23afa43a61..3faf5f562d 100644 --- a/oak_attestation_integration_tests/tests/verifier_tests.rs +++ b/oak_attestation_integration_tests/tests/verifier_tests.rs @@ -32,6 +32,7 @@ use oak_proto_rust::oak::attestation::{ }, }; use oak_restricted_kernel_sdk::Attester; +use oak_sdk_standalone::Standalone; use prost::Message; // Pretend the tests run at this time: 1 Nov 2023, 9:00 UTC @@ -210,8 +211,10 @@ fn oak_containers_skip_all_reference_values() -> ReferenceValues { #[tokio::test] async fn verify_mock_oak_containers_evidence() { // Create a mock orchestrator and get endorsed evidence - let orchestrator = oak_containers_sdk::standalone::StandaloneOrchestrator::default(); - let endorsed_evidence = orchestrator.get_endorsed_evidence(); + let endorsed_evidence = Standalone::builder() + .build() + .expect("failed to build standalone elements") + .endorsed_evidence(); let evidence = endorsed_evidence.evidence.as_ref().expect("No evidence found"); let endorsements = endorsed_evidence.endorsements.as_ref().expect("No endorsements found"); diff --git a/oak_containers/examples/hello_world/enclave_app/BUILD b/oak_containers/examples/hello_world/enclave_app/BUILD index 90f3e32c20..b91b435b4e 100644 --- a/oak_containers/examples/hello_world/enclave_app/BUILD +++ b/oak_containers/examples/hello_world/enclave_app/BUILD @@ -63,6 +63,7 @@ rust_test( "//oak_proto_rust", "//oak_proto_rust/grpc", "//oak_sdk/server/v1:oak_sdk_server_v1", + "//oak_sdk/standalone:oak_sdk_standalone", "//oak_session", "@oak_crates_index//:anyhow", "@oak_crates_index//:futures", diff --git a/oak_containers/examples/hello_world/enclave_app/tests/standalone_test.rs b/oak_containers/examples/hello_world/enclave_app/tests/standalone_test.rs index 6f6b490dc3..99f79f2385 100644 --- a/oak_containers/examples/hello_world/enclave_app/tests/standalone_test.rs +++ b/oak_containers/examples/hello_world/enclave_app/tests/standalone_test.rs @@ -19,10 +19,10 @@ use anyhow::{Context, Result}; use futures::channel::mpsc; use oak_client::{client::OakClient, verifier::InsecureAttestationVerifier}; use oak_client_tonic::transport::GrpcStreamingTransport; -use oak_containers_sdk::standalone::StandaloneOrchestrator; use oak_hello_world_proto::oak::containers::example::enclave_application_client::EnclaveApplicationClient; use oak_proto_rust::oak::session::v1::{PlaintextMessage, SessionRequest, SessionResponse}; use oak_sdk_server_v1::OakApplicationContext; +use oak_sdk_standalone::Standalone; use oak_session::{ attestation::AttestationType, config::SessionConfig, handshake::HandshakeType, ProtocolEngine, Session, @@ -30,32 +30,33 @@ use oak_session::{ use tokio::net::TcpListener; use tonic::transport::Channel; +const APPLICATION_CONFIG: &[u8] = b"fake_config"; + async fn start_server() -> Result<(SocketAddr, tokio::task::JoinHandle>)> { let addr = SocketAddr::new(IpAddr::V4(Ipv4Addr::UNSPECIFIED), 0); let listener = TcpListener::bind(addr).await?; let addr = listener.local_addr()?; - let orchestrator = StandaloneOrchestrator::default(); - let encryption_key_handle = orchestrator.get_instance_encryption_key_handle(); - - let endorsed_evidence = orchestrator.get_endorsed_evidence(); - let application_config = orchestrator.get_application_config(); + let standalone = Standalone::builder() + .application_config(APPLICATION_CONFIG.to_vec()) + .build() + .expect("failed to create Oak standalone elements"); Ok(( addr, tokio::spawn(oak_containers_examples_hello_world_enclave_app::app_service::create( listener, OakApplicationContext::new( - Box::new(encryption_key_handle), - endorsed_evidence, + Box::new(standalone.encryption_key_handle()), + standalone.endorsed_evidence(), Box::new( oak_containers_examples_hello_world_enclave_app::app::HelloWorldApplicationHandler { - application_config: application_config.clone(), + application_config: APPLICATION_CONFIG.to_vec(), }, ), ), Box::new(oak_containers_examples_hello_world_enclave_app::app::HelloWorldApplicationHandler { - application_config, + application_config: APPLICATION_CONFIG.to_vec() }), )), )) @@ -90,9 +91,10 @@ async fn test_legacy() { let mut oak_client = OakClient::create(transport, &attestation_verifier).await.unwrap(); // Send single request, see the response + let app_config_len = APPLICATION_CONFIG.len(); assert_eq!( String::from_utf8(oak_client.invoke(b"standalone user").await.unwrap()).unwrap(), - "Hello from the enclave, standalone user! Btw, the app has a config with a length of 4 bytes." + format!("Hello from the enclave, standalone user! Btw, the app has a config with a length of {app_config_len} bytes."), ); } @@ -199,8 +201,9 @@ async fn test_noise() { let decrypted_response = client_session.decrypt_response(&response).expect("failed to decrypt response"); + let app_config_len = APPLICATION_CONFIG.len(); assert_eq!( String::from_utf8(decrypted_response).unwrap(), - "Hello from the enclave, standalone user! Btw, the app has a config with a length of 4 bytes." + format!("Hello from the enclave, standalone user! Btw, the app has a config with a length of {app_config_len} bytes."), ); } diff --git a/oak_containers_sdk/BUILD b/oak_containers_sdk/BUILD index be083d6401..c3930f04c3 100644 --- a/oak_containers_sdk/BUILD +++ b/oak_containers_sdk/BUILD @@ -28,7 +28,6 @@ rust_library( "src/handler.rs", "src/lib.rs", "src/orchestrator_client.rs", - "src/standalone.rs", ], proc_macro_deps = [ "@oak_crates_index//:async-trait", @@ -60,18 +59,3 @@ rust_test( name = "oak_containers_sdk_test", crate = ":oak_containers_sdk", ) - -rust_library( - name = "ffi", - testonly = True, - srcs = [ - "src/ffi/standalone_c.rs", - ], - deps = [ - ":oak_containers_sdk", - "//oak_crypto", - "//oak_proto_rust", - "@oak_crates_index//:anyhow", - "@oak_crates_index//:prost", - ], -) diff --git a/oak_containers_sdk/src/lib.rs b/oak_containers_sdk/src/lib.rs index d8b0006ec5..b2121107a6 100644 --- a/oak_containers_sdk/src/lib.rs +++ b/oak_containers_sdk/src/lib.rs @@ -16,7 +16,6 @@ pub mod crypto; pub mod handler; pub mod orchestrator_client; -pub mod standalone; // Re-export structs so that they are available at the top level of the SDK. pub use crypto::InstanceEncryptionKeyHandle; diff --git a/oak_sdk/common/BUILD b/oak_sdk/common/BUILD index 81aca46175..e247b4840c 100644 --- a/oak_sdk/common/BUILD +++ b/oak_sdk/common/BUILD @@ -27,5 +27,6 @@ rust_library( deps = [ "//oak_sdk/common/attestation:oak_static_attester", "//oak_sdk/common/attestation:oak_static_endorser", + "//oak_sdk/common/crypto:encryption_key_handle", ], ) diff --git a/oak_sdk/common/crypto/BUILD b/oak_sdk/common/crypto/BUILD new file mode 100644 index 0000000000..110f1ae5e5 --- /dev/null +++ b/oak_sdk/common/crypto/BUILD @@ -0,0 +1,34 @@ +# +# Copyright 2024 The Project Oak Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +load("@rules_rust//rust:defs.bzl", "rust_library") + +package( + default_visibility = ["//:default_visibility"], + licenses = ["notice"], +) + +rust_library( + name = "encryption_key_handle", + srcs = ["encryption_key_handle.rs"], + proc_macro_deps = [ + "@oak_crates_index//:async-trait", + ], + deps = [ + "//oak_crypto", + "@oak_crates_index//:anyhow", + ], +) diff --git a/oak_sdk/common/crypto/encryption_key_handle.rs b/oak_sdk/common/crypto/encryption_key_handle.rs new file mode 100644 index 0000000000..f49bb86eb6 --- /dev/null +++ b/oak_sdk/common/crypto/encryption_key_handle.rs @@ -0,0 +1,41 @@ +// +// Copyright 2025 The Project Oak Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +use oak_crypto::{ + encryption_key::{AsyncEncryptionKeyHandle, EncryptionKey}, + hpke::RecipientContext, +}; + +/// A simple AsyncEncryptionKeyHandle that generates a new key based on a static +/// key provided at creation. +pub struct StaticEncryptionKeyHandle { + encryption_key: EncryptionKey, +} + +impl StaticEncryptionKeyHandle { + pub fn new(encryption_key: EncryptionKey) -> Self { + Self { encryption_key } + } +} + +#[async_trait::async_trait] +impl AsyncEncryptionKeyHandle for StaticEncryptionKeyHandle { + async fn generate_recipient_context( + &self, + encapsulated_public_key: &[u8], + ) -> anyhow::Result { + self.encryption_key.generate_recipient_context(encapsulated_public_key).await + } +} diff --git a/oak_sdk/common/lib.rs b/oak_sdk/common/lib.rs index 09c6bda20d..d3e2384612 100644 --- a/oak_sdk/common/lib.rs +++ b/oak_sdk/common/lib.rs @@ -14,5 +14,6 @@ // limitations under the License. // +pub use encryption_key_handle::StaticEncryptionKeyHandle; pub use oak_static_attester::StaticAttester; pub use oak_static_endorser::StaticEndorser; diff --git a/oak_sdk/standalone/BUILD b/oak_sdk/standalone/BUILD new file mode 100644 index 0000000000..0fcfffd8dd --- /dev/null +++ b/oak_sdk/standalone/BUILD @@ -0,0 +1,57 @@ +# +# Copyright 2024 The Project Oak Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +load("@rules_rust//rust:defs.bzl", "rust_library") + +package( + default_visibility = ["//:default_visibility"], + licenses = ["notice"], +) + +rust_library( + name = "oak_sdk_standalone", + srcs = [ + "standalone.rs", + ], + deps = [ + "//oak_attestation", + "//oak_attestation_types", + "//oak_containers/attestation", + "//oak_crypto", + "//oak_dice", + "//oak_proto_rust", + "//oak_sdk/common:oak_sdk_common", + "//stage0_dice", + "@oak_crates_index//:anyhow", + "@oak_crates_index//:p256", + "@oak_crates_index//:prost", + ], +) + +rust_library( + name = "ffi", + testonly = True, + srcs = [ + "ffi/standalone_c.rs", + ], + deps = [ + ":oak_sdk_standalone", + "//oak_crypto", + "//oak_proto_rust", + "@oak_crates_index//:anyhow", + "@oak_crates_index//:prost", + ], +) diff --git a/oak_containers_sdk/src/ffi/standalone_c.rs b/oak_sdk/standalone/ffi/standalone_c.rs similarity index 93% rename from oak_containers_sdk/src/ffi/standalone_c.rs rename to oak_sdk/standalone/ffi/standalone_c.rs index 60b219e576..d503631037 100644 --- a/oak_containers_sdk/src/ffi/standalone_c.rs +++ b/oak_sdk/standalone/ffi/standalone_c.rs @@ -20,8 +20,8 @@ //! any gaps we have between our current C++ and Rust featureset. use std::os::raw::{c_uchar, c_void}; -use oak_containers_sdk::standalone::StandaloneOrchestrator; use oak_crypto::encryption_key::EncryptionKey; +use oak_sdk_standalone::Standalone; use prost::Message; /// C bindings for generating standalone endorsed evidence. @@ -67,12 +67,12 @@ pub unsafe extern "C" fn standalone_endorsed_evidence( let public_key_bytes = std::slice::from_raw_parts((*public_key).data, (*public_key).len).to_vec(); - let orchestrator = StandaloneOrchestrator::builder() + let endorsed_evidence = Standalone::builder() .encryption_key_pair(Some((private_key, public_key_bytes))) .build() - .expect("failed to build standalone orchestrator"); + .expect("failed to build standalone orchestrator") + .endorsed_evidence(); - let endorsed_evidence = orchestrator.get_endorsed_evidence(); let serialized_endorsed_evidence = Message::encode_to_vec(&endorsed_evidence); let ffi_evidence = Bytes { diff --git a/oak_containers_sdk/src/standalone.rs b/oak_sdk/standalone/standalone.rs similarity index 73% rename from oak_containers_sdk/src/standalone.rs rename to oak_sdk/standalone/standalone.rs index 352cd002b6..63fd821663 100644 --- a/oak_containers_sdk/src/standalone.rs +++ b/oak_sdk/standalone/standalone.rs @@ -1,5 +1,5 @@ // -// Copyright 2024 The Project Oak Authors +// Copyright 2025 The Project Oak Authors // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -27,17 +27,14 @@ use anyhow::{Context, Result}; use oak_attestation::{dice::DiceAttester, ApplicationKeysAttester}; use oak_attestation_types::attester::Attester; use oak_containers_attestation::{InstanceKeys, InstancePublicKeys}; -use oak_crypto::{ - encryption_key::{generate_encryption_key_pair, AsyncEncryptionKeyHandle, EncryptionKey}, - hpke::RecipientContext, -}; +use oak_crypto::encryption_key::{generate_encryption_key_pair, EncryptionKey}; use oak_dice::cert::generate_ecdsa_key_pair; use oak_proto_rust::oak::{ - attestation::v1::{endorsements, Endorsements, Evidence, Stage0Measurements}, - crypto::v1::Signature, + attestation::v1::{endorsements, Endorsements, Stage0Measurements}, session::v1::EndorsedEvidence, }; -use p256::ecdsa::{signature::Signer, SigningKey, VerifyingKey}; +use oak_sdk_common::StaticEncryptionKeyHandle; +use p256::ecdsa::{SigningKey, VerifyingKey}; use prost::Message; /// Default values for StandaloneOrchestrator to measure @@ -45,18 +42,34 @@ const DEFAULT_STAGE1_SYSTEM_IMAGE: &[u8] = &[]; const DEFAULT_APPLICATION_IMAGE: &[u8] = &[]; const DEFAULT_APPLICATION_CONFIG: &[u8] = &[1, 2, 3, 4]; -pub struct StandaloneOrchestrator { - instance_private_keys: oak_containers_attestation::InstanceKeys, - evidence: Evidence, - application_config: Vec, +/// The components needed to run an Oak Standalone instance +pub struct Standalone { + endorsed_evidence: EndorsedEvidence, + encryption_key: EncryptionKey, } -pub struct KeyPair { - pub private: InstanceKeys, - pub public: InstancePublicKeys, +impl Standalone { + fn new(endorsed_evidence: EndorsedEvidence, encryption_key: EncryptionKey) -> Self { + Self { endorsed_evidence, encryption_key } + } + + pub fn builder<'a>() -> StandaloneBuilder<'a> { + StandaloneBuilder::new() + } + + /// The EndorsedEvidence that the instance can use for attestation. + pub fn endorsed_evidence(&self) -> EndorsedEvidence { + self.endorsed_evidence.clone() + } + + /// The encryption key that the application can use to construct a new + /// server encryptor. + pub fn encryption_key_handle(&self) -> StaticEncryptionKeyHandle { + StaticEncryptionKeyHandle::new(self.encryption_key.clone()) + } } -pub struct StandaloneOrchestratorBuilder<'a> { +pub struct StandaloneBuilder<'a> { stage0_measurements: Stage0Measurements, stage1_system_image: &'a [u8], application_image: &'a [u8], @@ -68,15 +81,21 @@ pub struct StandaloneOrchestratorBuilder<'a> { macro_rules! builder_param { ($name:ident: $type:ty) => { - pub fn $name(mut self, value: $type) -> StandaloneOrchestratorBuilder<'a> { + pub fn $name(mut self, value: $type) -> StandaloneBuilder<'a> { self.$name = value; self } }; } -impl<'a> StandaloneOrchestratorBuilder<'a> { - pub fn build(self) -> Result { +impl<'a> Default for StandaloneBuilder<'a> { + fn default() -> Self { + Self::new() + } +} + +impl<'a> StandaloneBuilder<'a> { + pub fn build(self) -> Result { let encryption_key_pair = match self.encryption_key_pair { Some((public, private)) => (public, private), None => generate_encryption_key_pair(), @@ -92,7 +111,7 @@ impl<'a> StandaloneOrchestratorBuilder<'a> { None => generate_ecdsa_key_pair(), }; - StandaloneOrchestrator::create( + Self::create( self.stage0_measurements, self.stage1_system_image, self.application_image, @@ -110,17 +129,9 @@ impl<'a> StandaloneOrchestratorBuilder<'a> { builder_param!(encryption_key_pair: Option<(EncryptionKey, Vec)>); builder_param!(signing_key_pair: Option<(SigningKey, VerifyingKey)>); builder_param!(session_binding_key_pair: Option<(SigningKey, VerifyingKey)>); -} -impl Default for StandaloneOrchestrator { - fn default() -> Self { - Self::builder().build().expect("Failed to create default StandaloneOrchestrator") - } -} - -impl StandaloneOrchestrator { - pub fn builder<'a>() -> StandaloneOrchestratorBuilder<'a> { - StandaloneOrchestratorBuilder { + pub fn new() -> StandaloneBuilder<'a> { + StandaloneBuilder { stage0_measurements: oak_proto_rust::oak::attestation::v1::Stage0Measurements::default( ), stage1_system_image: DEFAULT_STAGE1_SYSTEM_IMAGE, @@ -132,7 +143,7 @@ impl StandaloneOrchestrator { } } - pub fn create( + fn create( root_layer_event: oak_proto_rust::oak::attestation::v1::Stage0Measurements, stage1_system_image: &[u8], application_image: &[u8], @@ -140,7 +151,7 @@ impl StandaloneOrchestrator { encryption_key_pair: (EncryptionKey, Vec), signing_key_pair: (SigningKey, VerifyingKey), session_binding_key_pair: (SigningKey, VerifyingKey), - ) -> Result { + ) -> Result { let (encryption_key, encryption_public_key) = encryption_key_pair; let (signing_key, signing_public_key) = signing_key_pair; let (session_binding_key, session_binding_public_key) = session_binding_key_pair; @@ -202,22 +213,8 @@ impl StandaloneOrchestrator { None, )?; - Ok(Self { instance_private_keys, evidence, application_config }) - } - - pub fn get_instance_encryption_key_handle(&self) -> StandaloneInstanceEncryptionKeyHandle { - StandaloneInstanceEncryptionKeyHandle { - encryption_key: self.instance_private_keys.encryption_key.clone(), - } - } - - pub fn get_instance_signer(&self) -> StandaloneInstanceSigner { - StandaloneInstanceSigner { signing_key: self.instance_private_keys.signing_key.clone() } - } - - pub fn get_endorsed_evidence(&self) -> EndorsedEvidence { - EndorsedEvidence { - evidence: Some(self.evidence.clone()), + Ok(Standalone::new(EndorsedEvidence { + evidence: Some(evidence.clone()), endorsements: Some(Endorsements { r#type: Some(endorsements::Type::OakContainers( oak_proto_rust::oak::attestation::v1::OakContainersEndorsements { @@ -230,36 +227,6 @@ impl StandaloneOrchestrator { // TODO: b/375137648 - Populate `events` proto field. ..Default::default() }), - } - } - - pub fn get_application_config(&self) -> Vec { - self.application_config.clone() - } -} - -pub struct StandaloneInstanceEncryptionKeyHandle { - encryption_key: EncryptionKey, -} - -#[async_trait::async_trait] -impl AsyncEncryptionKeyHandle for StandaloneInstanceEncryptionKeyHandle { - async fn generate_recipient_context( - &self, - encapsulated_public_key: &[u8], - ) -> anyhow::Result { - self.encryption_key.generate_recipient_context(encapsulated_public_key).await - } -} - -pub struct StandaloneInstanceSigner { - signing_key: p256::ecdsa::SigningKey, -} - -#[async_trait::async_trait(?Send)] -impl crate::crypto::Signer for StandaloneInstanceSigner { - async fn sign(&self, message: &[u8]) -> anyhow::Result { - let signature: p256::ecdsa::Signature = self.signing_key.sign(message); - Ok(Signature { signature: signature.to_vec() }) + }, instance_private_keys.encryption_key)) } }