Add Session Binder to Restricted Kernel SDK

Fixes: 372215673 Change-Id: I04a3e4c75cb52fa4086b75507ac608ade4016afa
project-oak · Oct 12, 2024 · 57af88a · 57af88a
1 parent fcb7638
commit 57af88a
Show file tree

Hide file tree

Showing 5 changed files with 134 additions and 5 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/enclave_apps/Cargo.lock b/enclave_apps/Cargo.lock
diff --git a/oak_restricted_kernel_sdk/BUILD b/oak_restricted_kernel_sdk/BUILD
@@ -48,6 +48,7 @@ rust_library(
         "//oak_proto_rust",
         "//oak_restricted_kernel_dice",
         "//oak_restricted_kernel_interface",
+        "//oak_session",
         "//stage0_dice",
         "@oak_crates_index//:anyhow",
         "@oak_crates_index//:lazy_static",

diff --git a/oak_restricted_kernel_sdk/Cargo.toml b/oak_restricted_kernel_sdk/Cargo.toml
@@ -22,6 +22,7 @@ oak_restricted_kernel_interface = { workspace = true }
 oak_enclave_runtime_support = { default-features = false, workspace = true }
 oak_restricted_kernel_sdk_proc_macro = { workspace = true }
 oak_restricted_kernel_dice = { workspace = true, optional = true }
+oak_session = { workspace = true }
 oak_stage0_dice = { workspace = true, optional = true }
 p256 = { version = "*", default-features = false, features = ["ecdsa"] }
 prost = { version = "*", default-features = false }

diff --git a/oak_restricted_kernel_sdk/src/crypto.rs b/oak_restricted_kernel_sdk/src/crypto.rs
@@ -17,13 +17,15 @@
 //! Structs for signing and encryption using keys attested in the instance's
 //! attestation evidence.
 
-use alloc::vec::Vec;
+use alloc::{boxed::Box, vec::Vec};
 
+use anyhow::Context;
 use oak_crypto::{
     encryption_key::{EncryptionKey, EncryptionKeyHandle},
     hpke::RecipientContext,
     signer::Signer,
 };
+use oak_session::session_binding::{SessionBinder, SignatureBinder, SignatureBinderBuilder};
 use p256::ecdsa::SigningKey;
 
 /// [`EncryptionKeyHandle`] implementation that using the instance's evidence
@@ -72,3 +74,27 @@ impl Signer for InstanceSigner {
         <SigningKey as oak_crypto::signer::Signer>::sign(self.key, message)
     }
 }
+
+pub struct InstanceSessionBinder {
+    signature_binder: SignatureBinder,
+}
+
+impl InstanceSessionBinder {
+    pub fn create() -> anyhow::Result<Self> {
+        // TODO: b/368030563 - Add a separate session binding key and use it instead
+        // of signing key.
+        let signer = InstanceSigner::create().context("couldn't get binding key")?;
+
+        let signature_binder = SignatureBinderBuilder::default()
+            .signer(Box::new(signer))
+            .build()
+            .map_err(anyhow::Error::msg)?;
+        Ok(Self { signature_binder })
+    }
+}
+
+impl SessionBinder for InstanceSessionBinder {
+    fn bind(&self, bound_data: &[u8]) -> Vec<u8> {
+        self.signature_binder.bind(bound_data)
+    }
+}