Add oak_attestation_types crate

This crate will be a shared dependency for all attestation related
crates and SDKs.

Bug: 370732705
Change-Id: I935a5ca32d505e11cc0b0248a437fcc981b3dd62

Cargo.toml

@@ -9,7 +9,9 @@ members = [
   "oak_attestation",
   "oak_attestation_explain",
   "oak_attestation_explain_wasm",
+  "oak_attestation_types",
   "oak_attestation_verification",
+  "oak_attestation_verification_types",
   "oak_channel",
   "oak_client",
   "oak_client/tonic",
@@ -102,7 +104,9 @@ micro_rpc = { path = "./micro_rpc" }
 micro_rpc_build = { path = "./micro_rpc_build" }
 oak_attestation = { path = "./oak_attestation" }
 oak_attestation_explain = { path = "./oak_attestation_explain" }
+oak_attestation_types = { path = "./oak_attestation_types" }
 oak_attestation_verification = { path = "./oak_attestation_verification" }
+oak_attestation_verification_types = { path = "./oak_attestation_verification_types" }
 oak_channel = { path = "./oak_channel" }
 oak_client = { path = "./oak_client" }
 oak_client_tonic = { path = "./oak_client/tonic" }

oak_attestation_types/BUILD

@@ -0,0 +1,36 @@
+#
+# Copyright 2024 The Project Oak Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+load("@rules_rust//rust:defs.bzl", "rust_library")
+load("//bazel:defs.bzl", "either_platform")
+
+package(
+    default_visibility = ["//:default_visibility"],
+    licenses = ["notice"],
+)
+
+rust_library(
+    name = "oak_attestation_types",
+    srcs = glob(["src/**"]),
+    target_compatible_with = either_platform([
+        "//:x86_64-linux-setting",
+        "//:x86_64-none-no_avx-setting",
+        "//:x86_64-none-setting",
+    ]),
+    deps = [
+        "//oak_proto_rust",
+        "@oak_crates_index//:anyhow",
+    ],
+)

oak_attestation_types/Cargo.toml

@@ -0,0 +1,10 @@
+[package]
+name = "oak_attestation_types"
+version = "0.1.0"
+authors = ["Ivan Petrov <[email protected]>"]
+edition = "2021"
+license = "Apache-2.0"
+
+[dependencies]
+anyhow = { version = "*", default-features = false }
+oak_proto_rust = { workspace = true }

oak_attestation_types/src/attester.rs

@@ -0,0 +1,33 @@
+//
+// Copyright 2024 The Project Oak Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+use oak_proto_rust::oak::attestation::v1::Evidence;
+
+/// Trait that provides the ability to build an attestation evidence.
+///
+/// <https://datatracker.ietf.org/doc/html/rfc9334#name-attester>
+pub trait Attester: Send + Sync {
+    /// Add a new event to the evidence.
+    fn extend(&mut self, encoded_event: &[u8]) -> anyhow::Result<()>;
+
+    /// Generate a signed evidence containing all events previously provided
+    /// with `extend`.
+    ///
+    /// This function doesn't take a mutable reference because quoting shouldn't
+    /// change the evidence. Evidence can only be updated via the `extend`
+    /// function.
+    fn quote(&self) -> anyhow::Result<Evidence>;
+}

oak_attestation_types/src/endorser.rs

@@ -0,0 +1,28 @@
+//
+// Copyright 2024 The Project Oak Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+use oak_proto_rust::oak::attestation::v1::{Endorsements, Evidence};
+
+/// Trait that provides the ability to read attestation endorsements.
+///
+/// <https://datatracker.ietf.org/doc/html/rfc9334#name-endorser-reference-value-pr>
+pub trait Endorser: Send + Sync {
+    /// Generate an endorsement.
+    ///
+    /// Evidence argument is optional since it may be required for endorsement
+    /// generation in some use-cases.
+    fn endorse(&self, evidence: Option<&Evidence>) -> anyhow::Result<Endorsements>;
+}

oak_attestation_types/src/lib.rs

@@ -0,0 +1,23 @@
+//
+// Copyright 2024 The Project Oak Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+#![no_std]
+
+extern crate alloc;
+
+pub mod attester;
+pub mod endorser;
+pub mod util;

oak_attestation_types/src/util.rs

@@ -0,0 +1,27 @@
+//
+// Copyright 2024 The Project Oak Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+use alloc::vec::Vec;
+
+/// Trait for passing incomplete evidence between layers of software components.
+///
+/// For example, in DICE it is used to pass the DiceData containing the
+/// certificate authority private key, and for TDX it is used to pass an
+/// unfinished EventLog.
+pub trait Serializable: Sized {
+    fn deserialize(bytes: &[u8]) -> anyhow::Result<Self>;
+    fn serialize(self) -> Vec<u8>;
+}

oak_attestation_verification_types/BUILD

@@ -0,0 +1,36 @@
+#
+# Copyright 2024 The Project Oak Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+load("@rules_rust//rust:defs.bzl", "rust_library")
+load("//bazel:defs.bzl", "either_platform")
+
+package(
+    default_visibility = ["//:default_visibility"],
+    licenses = ["notice"],
+)
+
+rust_library(
+    name = "oak_attestation_verification_types",
+    srcs = glob(["src/**"]),
+    target_compatible_with = either_platform([
+        "//:x86_64-linux-setting",
+        "//:x86_64-none-no_avx-setting",
+        "//:x86_64-none-setting",
+    ]),
+    deps = [
+        "//oak_proto_rust",
+        "@oak_crates_index//:anyhow",
+    ],
+)

oak_attestation_verification_types/Cargo.toml

@@ -0,0 +1,10 @@
+[package]
+name = "oak_attestation_verification_types"
+version = "0.1.0"
+authors = ["Ivan Petrov <[email protected]>"]
+edition = "2021"
+license = "Apache-2.0"
+
+[dependencies]
+anyhow = { version = "*", default-features = false }
+oak_proto_rust = { workspace = true }

oak_attestation_verification_types/src/lib.rs

@@ -0,0 +1,23 @@
+//
+// Copyright 2024 The Project Oak Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+#![no_std]
+
+extern crate alloc;
+
+pub mod policy;
+pub mod util;
+pub mod verifier;

oak_attestation_verification_types/src/policy.rs

@@ -0,0 +1,43 @@
+//
+// Copyright 2024 The Project Oak Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+use oak_proto_rust::oak::attestation::v1::{
+    AttestationResults, EventAttestationResults, EventEndorsements, EventLog,
+};
+
+/// Verification Policy that takes an EventLog and corresponding Event
+/// Endorsements and performs attestation verification.
+///
+/// Verification Policy correspond to the "Appraisal Policy for Evidence"
+/// provided by the RATS standard.
+/// <https://datatracker.ietf.org/doc/html/rfc9334#section-8.5>
+pub trait Policy: Send + Sync {
+    fn verify(
+        &self,
+        event_log: &EventLog,
+        event_endorsements: &EventEndorsements,
+    ) -> anyhow::Result<AttestationResults>;
+}
+
+/// Verification Policy that takes an encoded Event and an encoded Event
+/// Endorsement and performs attestation verification for this specific Event.
+pub trait EventPolicy: Send + Sync {
+    fn verify(
+        &self,
+        encoded_event: &[u8],
+        encoded_event_endorsement: &[u8],
+    ) -> anyhow::Result<EventAttestationResults>;
+}

oak_attestation_verification_types/src/util.rs

@@ -0,0 +1,21 @@
+//
+// Copyright 2024 The Project Oak Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+/// Trait for the time related functionality.
+pub trait Clock: Send + Sync {
+    /// Return time in milliseconds since epoch.
+    fn get_current_time_ms(&self) -> i64;
+}

oak_attestation_verification_types/src/verifier.rs

@@ -0,0 +1,29 @@
+//
+// Copyright 2024 The Project Oak Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+use oak_proto_rust::oak::attestation::v1::{AttestationResults, Endorsements, Evidence};
+
+/// Trait that provides the functionality for appraising the attestation
+/// evidence and endorsements and producing attestation results.
+///
+/// <https://datatracker.ietf.org/doc/html/rfc9334#name-verifier>
+pub trait AttestationVerifier: Send + Sync {
+    fn verify(
+        &self,
+        evidence: &Evidence,
+        endorsements: &Endorsements,
+    ) -> anyhow::Result<AttestationResults>;
+}