diff --git a/oak_session/src/attestation.rs b/oak_session/src/attestation.rs index 931423c2af0..6e9d35d3435 100644 --- a/oak_session/src/attestation.rs +++ b/oak_session/src/attestation.rs @@ -14,9 +14,14 @@ // limitations under the License. // +//! This module provides an implementation of the Attestation Provider, which +//! handles remote attestation between two parties. + +use alloc::vec::Vec; + use oak_proto_rust::oak::{ attestation::v1::{AttestationResults, Endorsements, Evidence}, - session::v1::EndorsedEvidence, + session::v1::{AttestRequest, AttestResponse, EndorsedEvidence}, }; pub trait Attester { @@ -30,3 +35,74 @@ pub trait AttestationVerifier { endorsements: &Endorsements, ) -> anyhow::Result; } + +#[allow(dead_code)] +struct AttestationProvider<'a> { + self_attesters: Vec<&'a dyn Attester>, + peer_verifiers: Vec<&'a dyn AttestationVerifier>, +} + +impl<'a> AttestationProvider<'a> { + pub fn new( + self_attesters: Vec<&'a dyn Attester>, + peer_verifiers: Vec<&'a dyn AttestationVerifier>, + ) -> Self { + Self { self_attesters, peer_verifiers } + } +} + +/// Client-side Attestation Provider that initiates remote attestation with the +/// server. +#[allow(dead_code)] +pub struct ClientAttestationProvider<'a> { + inner: AttestationProvider<'a>, +} + +impl<'a> ClientAttestationProvider<'a> { + pub fn new( + self_attesters: Vec<&'a dyn Attester>, + peer_verifiers: Vec<&'a dyn AttestationVerifier>, + ) -> Self { + Self { inner: AttestationProvider::new(self_attesters, peer_verifiers) } + } + + pub fn get_request(&self) -> anyhow::Result { + core::unimplemented!(); + } + + pub fn put_response(&self, _response: &AttestResponse) -> anyhow::Result<()> { + core::unimplemented!(); + } + + pub fn get_attestation_results(self) -> Option { + core::unimplemented!(); + } +} + +/// Server-side Attestation Provider that responds to the remote attestation +/// request from the client. +#[allow(dead_code)] +pub struct ServerAttestationProvider<'a> { + inner: AttestationProvider<'a>, +} + +impl<'a> ServerAttestationProvider<'a> { + pub fn new( + self_attesters: Vec<&'a dyn Attester>, + peer_verifiers: Vec<&'a dyn AttestationVerifier>, + ) -> Self { + Self { inner: AttestationProvider::new(self_attesters, peer_verifiers) } + } + + pub fn put_request(&self, _request: &AttestRequest) -> anyhow::Result<()> { + core::unimplemented!(); + } + + pub fn get_response(&self) -> anyhow::Result { + core::unimplemented!(); + } + + pub fn get_attestation_results(self) -> Option { + core::unimplemented!(); + } +} diff --git a/oak_session/src/handshake.rs b/oak_session/src/handshake.rs new file mode 100644 index 00000000000..d253d011b3e --- /dev/null +++ b/oak_session/src/handshake.rs @@ -0,0 +1,107 @@ +// +// Copyright 2024 The Project Oak Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// + +//! This module provides an implementation of the Handshaker, which +//! handles cryptographic handshake and secure session creation. + +use alloc::vec::Vec; + +use oak_proto_rust::oak::{ + crypto::v1::SessionKeys, + session::v1::{HandshakeRequest, HandshakeResponse}, +}; + +pub trait EncryptionKeyHandle { + fn derive_session_keys( + &self, + static_peer_public_key: &[u8], + ephemeral_peer_public_key: &[u8], + ) -> anyhow::Result; +} + +pub enum HandshakeType { + NoiseKK, + NoiseNK, +} + +/// Client-side Handshaker that initiates the crypto handshake with the server. +#[allow(dead_code)] +pub struct ClientHandshaker<'a> { + handshake_type: HandshakeType, + self_static_private_key: Option<&'a dyn EncryptionKeyHandle>, + peer_static_public_key: Option>, +} + +impl<'a> ClientHandshaker<'a> { + pub fn new( + handshake_type: HandshakeType, + self_static_private_key: Option<&'a dyn EncryptionKeyHandle>, + peer_static_public_key: Option<&[u8]>, + ) -> Self { + Self { + handshake_type, + self_static_private_key, + peer_static_public_key: peer_static_public_key.map(|k| k.to_vec()), + } + } + + pub fn get_request(&mut self) -> anyhow::Result { + core::unimplemented!(); + } + + pub fn put_response(&mut self, _response: HandshakeResponse) -> anyhow::Result<()> { + core::unimplemented!(); + } + + pub fn derive_session_keys(self) -> Option { + core::unimplemented!(); + } +} + +/// Server-side Attestation Provider that responds to the crypto handshake +/// request from the client. +#[allow(dead_code)] +pub struct ServerHandshaker<'a> { + handshake_type: HandshakeType, + self_static_private_key: Option<&'a dyn EncryptionKeyHandle>, + peer_static_public_key: Option>, +} + +impl<'a> ServerHandshaker<'a> { + pub fn new( + handshake_type: HandshakeType, + self_static_private_key: Option<&'a dyn EncryptionKeyHandle>, + peer_static_public_key: Option<&[u8]>, + ) -> Self { + Self { + handshake_type, + self_static_private_key, + peer_static_public_key: peer_static_public_key.map(|k| k.to_vec()), + } + } + + pub fn put_request(&mut self, _request: HandshakeRequest) -> anyhow::Result<()> { + core::unimplemented!(); + } + + pub fn get_response(&mut self) -> anyhow::Result { + core::unimplemented!(); + } + + pub fn derive_session_keys(self) -> Option { + core::unimplemented!(); + } +} diff --git a/oak_session/src/lib.rs b/oak_session/src/lib.rs index 18ce2e877d6..43b15bfc0ad 100644 --- a/oak_session/src/lib.rs +++ b/oak_session/src/lib.rs @@ -23,6 +23,7 @@ extern crate std; pub mod attestation; pub mod config; +pub mod handshake; mod session; pub use session::{ClientSession, ServerSession, Session};