From 9e03deaae70446787671ad62ec876d3dd86cdb86 Mon Sep 17 00:00:00 2001 From: Ivan Petrov Date: Fri, 9 Feb 2024 17:40:20 +0000 Subject: [PATCH] Merge Rust EncryptionKeyProvider and KeyPair (#4771) This PR: - Merges `oak_crypto::encryptor::EncryptionKeyProvider` and `oak_crypto::hpke::KeyPair` into `oak_crypto::encryption_key::EncryptionKey` - Implements serialization/deserialization - Implements encryping the private key for Key Provisioning. - Removes public keys from `EncryptionKey` struct (it's only used to be put into the evidence) Ref https://github.com/project-oak/oak/issues/4513 --- Cargo.lock | 2 +- enclave_apps/Cargo.lock | 2 +- micro_rpc_workspace_test/Cargo.lock | 116 -------------- oak_attestation/src/attester.rs | 12 +- oak_attestation/src/handler.rs | 6 +- oak_containers_orchestrator/src/crypto.rs | 141 ++++++++---------- oak_containers_orchestrator/src/ipc_server.rs | 7 +- .../src/key_provisioning.rs | 23 ++- oak_containers_orchestrator/src/main.rs | 31 ++-- oak_containers_sdk/src/crypto.rs | 2 +- oak_crypto/Cargo.toml | 2 +- oak_crypto/src/encryption_key.rs | 113 ++++++++++++++ oak_crypto/src/encryptor.rs | 120 +-------------- oak_crypto/src/hpke/mod.rs | 44 +----- oak_crypto/src/lib.rs | 3 + oak_crypto/src/tests.rs | 38 +++-- oak_functions_containers_app/src/lib.rs | 2 +- .../tests/integration_test.rs | 6 +- oak_functions_enclave_service/src/lib.rs | 2 +- oak_restricted_kernel_bin/Cargo.lock | 2 +- oak_restricted_kernel_dice/src/lib.rs | 12 +- .../src/instance_attestation.rs | 11 +- oak_restricted_kernel_sdk/src/lib.rs | 6 +- .../src/mock_attestation.rs | 4 +- 24 files changed, 277 insertions(+), 430 deletions(-) create mode 100644 oak_crypto/src/encryption_key.rs diff --git a/Cargo.lock b/Cargo.lock index 7637de68cdf..476d9e052b7 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2440,12 +2440,12 @@ dependencies = [ "hkdf", "hpke", "micro_rpc_build", - "oak_dice", "p256", "prost", "rand_core", "sha2", "tokio", + "zeroize", ] [[package]] diff --git a/enclave_apps/Cargo.lock b/enclave_apps/Cargo.lock index d7c81db80b9..653f1419a34 100644 --- a/enclave_apps/Cargo.lock +++ b/enclave_apps/Cargo.lock @@ -718,11 +718,11 @@ dependencies = [ "hkdf", "hpke", "micro_rpc_build", - "oak_dice", "p256", "prost", "rand_core", "sha2", + "zeroize", ] [[package]] diff --git a/micro_rpc_workspace_test/Cargo.lock b/micro_rpc_workspace_test/Cargo.lock index 6b0e6694cbd..d1e47f1aa34 100644 --- a/micro_rpc_workspace_test/Cargo.lock +++ b/micro_rpc_workspace_test/Cargo.lock @@ -256,33 +256,6 @@ dependencies = [ "zeroize", ] -[[package]] -name = "ciborium" -version = "0.2.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "effd91f6c78e5a4ace8a5d3c0b6bfaec9e2baaef55f3efc00e45fb2e477ee926" -dependencies = [ - "ciborium-io", - "ciborium-ll", - "serde", -] - -[[package]] -name = "ciborium-io" -version = "0.2.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cdf919175532b369853f5d5e20b26b43112613fd6fe7aee757e35f7a44642656" - -[[package]] -name = "ciborium-ll" -version = "0.2.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "defaa24ecc093c77630e6c15e17c51f5e187bf35ee514f4e2d67baaa96dae22b" -dependencies = [ - "ciborium-io", - "half", -] - [[package]] name = "cipher" version = "0.4.4" @@ -300,16 +273,6 @@ version = "0.9.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c2459377285ad874054d797f3ccebf984978aa39129f6eafde5cdc8315b612f8" -[[package]] -name = "coset" -version = "0.3.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "99c214bbc5c8b4518856d79cae4d323feaa881ecf3e31b5af6572bb5313c11d5" -dependencies = [ - "ciborium", - "ciborium-io", -] - [[package]] name = "cpufeatures" version = "0.2.11" @@ -595,12 +558,6 @@ dependencies = [ "tracing", ] -[[package]] -name = "half" -version = "1.8.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "eabb4a44450da02c90444cf74558da904edde8fb4e9035a9a6a4e15445af0bd7" - [[package]] name = "hashbrown" version = "0.12.3" @@ -619,12 +576,6 @@ version = "0.4.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "95505c38b4572b2d910cecb0281560f54b440a19336cbbcb27bf6ce6adc6f5a8" -[[package]] -name = "hex" -version = "0.4.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70" - [[package]] name = "hkdf" version = "0.12.4" @@ -888,28 +839,10 @@ dependencies = [ "hkdf", "hpke", "micro_rpc_build", - "oak_dice", "p256", "prost", "rand_core", "sha2", -] - -[[package]] -name = "oak_dice" -version = "0.1.0" -dependencies = [ - "bitflags 2.4.1", - "ciborium", - "coset", - "hex", - "hkdf", - "p256", - "rand_core", - "sha2", - "static_assertions", - "strum", - "zerocopy", "zeroize", ] @@ -1342,34 +1275,6 @@ dependencies = [ "der", ] -[[package]] -name = "static_assertions" -version = "1.1.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a2eb9349b6444b326872e140eb1cf5e7c522154d69e7a0ffb0fb81c06b37543f" - -[[package]] -name = "strum" -version = "0.25.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "290d54ea6f91c969195bdbcd7442c8c2a2ba87da8bf60a7ee86a235d4bc1e125" -dependencies = [ - "strum_macros", -] - -[[package]] -name = "strum_macros" -version = "0.25.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "23dc1fa9ac9c169a78ba62f0b841814b7abae11bdd047b9c58f893439e309ea0" -dependencies = [ - "heck", - "proc-macro2", - "quote", - "rustversion", - "syn", -] - [[package]] name = "subtle" version = "2.5.0" @@ -1762,27 +1667,6 @@ dependencies = [ "rand_core", ] -[[package]] -name = "zerocopy" -version = "0.7.32" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "74d4d3961e53fa4c9a25a8637fc2bfaf2595b3d3ae34875568a5cf64787716be" -dependencies = [ - "byteorder", - "zerocopy-derive", -] - -[[package]] -name = "zerocopy-derive" -version = "0.7.32" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9ce1b18ccd8e73a9321186f97e46f9f04b778851177567b1975109d26a08d2a6" -dependencies = [ - "proc-macro2", - "quote", - "syn", -] - [[package]] name = "zeroize" version = "1.7.0" diff --git a/oak_attestation/src/attester.rs b/oak_attestation/src/attester.rs index 00d2cdec1cc..894cf9dfc78 100644 --- a/oak_attestation/src/attester.rs +++ b/oak_attestation/src/attester.rs @@ -17,7 +17,6 @@ use alloc::{sync::Arc, vec::Vec}; use anyhow::Context; -use oak_crypto::encryptor::EncryptionKeyProvider; use crate::proto::oak::session::v1::AttestationEvidence; @@ -47,31 +46,30 @@ impl AttestationReportGenerator for EmptyAttestationReportGenerator { /// pub struct Attester { attestation_report_generator: Arc, - encryption_key_provider: Arc, + encryption_public_key: Vec, } impl Attester { pub fn new( attestation_report_generator: Arc, - encryption_key_provider: Arc, + encryption_public_key: &[u8], ) -> Self { Self { attestation_report_generator, - encryption_key_provider, + encryption_public_key: encryption_public_key.to_vec(), } } /// Generate an attestation evidence containing a remote attestation report and ensuring that /// `attested_data` is cryptographically bound to the result (e.g. via a signature). pub fn generate_attestation_evidence(&self) -> anyhow::Result { - let encryption_public_key = self.encryption_key_provider.get_serialized_public_key(); let attestation_report = self .attestation_report_generator - .generate_attestation_report(&encryption_public_key) + .generate_attestation_report(&self.encryption_public_key) .context("couldn't generate attestation report")?; Ok(AttestationEvidence { attestation: attestation_report, - encryption_public_key, + encryption_public_key: self.encryption_public_key.to_vec(), // TODO(#3836): Implement signature generation and add the signing key. signing_public_key: Vec::new(), // TODO(#3640): Sign application data. diff --git a/oak_attestation/src/handler.rs b/oak_attestation/src/handler.rs index 7119ae39cdd..6f7afc2fd80 100644 --- a/oak_attestation/src/handler.rs +++ b/oak_attestation/src/handler.rs @@ -19,12 +19,12 @@ use core::future::Future; use anyhow::Context; use oak_crypto::{ - encryptor::{AsyncEncryptionKeyHandle, EncryptionKeyHandle, ServerEncryptor}, + encryption_key::{AsyncEncryptionKeyHandle, EncryptionKeyHandle}, + encryptor::ServerEncryptor, proto::oak::crypto::v1::{EncryptedRequest, EncryptedResponse}, + EMPTY_ASSOCIATED_DATA, }; -const EMPTY_ASSOCIATED_DATA: &[u8] = b""; - /// Information about a public key. #[derive(Debug, Clone)] pub struct PublicKeyInfo { diff --git a/oak_containers_orchestrator/src/crypto.rs b/oak_containers_orchestrator/src/crypto.rs index 5bd03503254..e5bef0d3b15 100644 --- a/oak_containers_orchestrator/src/crypto.rs +++ b/oak_containers_orchestrator/src/crypto.rs @@ -15,12 +15,13 @@ use std::sync::Arc; -use anyhow::{anyhow, Context}; -use hpke::{kem::X25519HkdfSha256, Deserializable, Kem}; +use anyhow::Context; use oak_crypto::{ - encryptor::{ClientEncryptor, EncryptionKeyHandle, EncryptionKeyProvider, ServerEncryptor}, + encryption_key::{generate_encryption_key_pair, EncryptionKey, EncryptionKeyHandle}, + encryptor::ServerEncryptor, proto::oak::crypto::v1::EncryptedRequest, }; +use oak_dice::cert::generate_ecdsa_key_pair; use tonic::{Request, Response}; use crate::proto::oak::{ @@ -28,113 +29,97 @@ use crate::proto::oak::{ orchestrator_crypto_server::OrchestratorCrypto, DeriveSessionKeysRequest, DeriveSessionKeysResponse, KeyOrigin, SignRequest, SignResponse, }, - key_provisioning::v1::GroupKeys, + key_provisioning::v1::GroupKeys as GroupKeysProto, }; -const EMPTY_ASSOCIATED_DATA: &[u8] = b""; - -/// An implementation of the Key Store without group keys. -pub struct InstanceKeyStore { - // TODO(#4507): Remove `Arc` once the key is no longer required by the `Attester`. - instance_encryption_key: Arc, - instance_signing_key: p256::ecdsa::SigningKey, +pub fn generate_instance_keys() -> (InstanceKeys, InstancePublicKeys) { + let (encryption_key, encryption_public_key) = generate_encryption_key_pair(); + let (signing_key, signing_public_key) = generate_ecdsa_key_pair(); + ( + InstanceKeys { + encryption_key, + signing_key, + }, + InstancePublicKeys { + encryption_public_key, + signing_public_key, + }, + ) } -impl InstanceKeyStore { - pub fn new(instance_signing_key: p256::ecdsa::SigningKey) -> Self { - Self { - instance_encryption_key: Arc::new(EncryptionKeyProvider::generate()), - instance_signing_key, - } - } - - pub fn instance_encryption_key(&self) -> Arc { - // TODO(#4442): Currently we have to give the encryption key provider to the `ipc_server`. - // Once we move all enclave apps to the new crypto service and update the `Attester` to not - // have the private key - this function should be removed. - self.instance_encryption_key.clone() - } +pub struct InstanceKeys { + encryption_key: EncryptionKey, + signing_key: p256::ecdsa::SigningKey, +} - pub fn instance_encryption_public_key(&self) -> Vec { - self.instance_encryption_key.get_serialized_public_key() - } +pub struct InstancePublicKeys { + pub encryption_public_key: Vec, + pub signing_public_key: p256::ecdsa::VerifyingKey, +} - pub fn generate_group_keys(self) -> KeyStore { - KeyStore { - instance_encryption_key: self.instance_encryption_key, - group_encryption_key: EncryptionKeyProvider::generate(), - instance_signing_key: self.instance_signing_key, - } +impl InstanceKeys { + pub fn generate_group_keys(&self) -> (GroupKeys, GroupPublicKeys) { + let (group_encryption_key, group_encryption_public_key) = generate_encryption_key_pair(); + ( + GroupKeys { + encryption_key: group_encryption_key, + }, + GroupPublicKeys { + encryption_public_key: group_encryption_public_key, + }, + ) } - pub fn provide_group_keys(self, group_keys: GroupKeys) -> anyhow::Result { + pub fn provide_group_keys(&self, group_keys: GroupKeysProto) -> anyhow::Result { // Create server encryptor for decrypting the group keys received from the leader enclave. let encrypted_encryption_private_key = group_keys .encrypted_encryption_private_key .context("encrypted encryption key wasn't provided")?; // Decrypt group keys. - let (_, decrypted_encryption_private_key, _) = ServerEncryptor::decrypt( - &encrypted_encryption_private_key, - self.instance_encryption_key.as_ref(), - ) - .context("couldn't decrypt the encryption private key")?; - - // Parse private key and derive public key. - // TODO(#4513): We shouldn't store the public key, only the private key. - let encryption_private_key = - ::PrivateKey::from_bytes(&decrypted_encryption_private_key) - .map_err(|err| anyhow!("couldn't deserialize private key: {:?}", err))?; - let encryption_public_key = X25519HkdfSha256::sk_to_pk(&encryption_private_key); + let (_, mut decrypted_encryption_private_key, _) = + ServerEncryptor::decrypt(&encrypted_encryption_private_key, &self.encryption_key) + .context("couldn't decrypt the encryption private key")?; + let group_encryption_key = - EncryptionKeyProvider::new(encryption_private_key, encryption_public_key); + EncryptionKey::deserialize(&mut decrypted_encryption_private_key) + .context("couldn't deserialize private key")?; - // Add group keys to the Orchestrator key store. - Ok(KeyStore { - instance_encryption_key: self.instance_encryption_key, - instance_signing_key: self.instance_signing_key, - group_encryption_key, + Ok(GroupKeys { + encryption_key: group_encryption_key, }) } } -/// An implementation of the Key Store with initialized group keys. -pub struct KeyStore { - // TODO(#4507): Remove `Arc` once the key is no longer required by the `Attester`. - instance_encryption_key: Arc, - instance_signing_key: p256::ecdsa::SigningKey, - group_encryption_key: EncryptionKeyProvider, +pub struct GroupKeys { + encryption_key: EncryptionKey, } -impl KeyStore { - pub fn instance_encryption_key(&self) -> Arc { - // TODO(#4442): Currently we have to give the encryption key provider to the `ipc_server`. - // Once we move all enclave apps to the new crypto service and update the `Attester` to not - // have the private key - this function should be removed. - self.instance_encryption_key.clone() - } +pub struct GroupPublicKeys { + pub encryption_public_key: Vec, +} +impl GroupKeys { /// Returns group encryption private key which was encrypted with the `peer_public_key`. pub fn encrypted_group_encryption_key( &self, peer_public_key: &[u8], ) -> anyhow::Result { - let mut client_encryptor = - ClientEncryptor::create(peer_public_key).context("couldn't create client encryptor")?; - client_encryptor.encrypt( - &self.group_encryption_key.get_private_key(), - EMPTY_ASSOCIATED_DATA, - ) + self.encryption_key.encrypted_private_key(peer_public_key) } } pub(crate) struct CryptoService { - key_store: Arc, + instance_keys: InstanceKeys, + group_keys: Arc, } impl CryptoService { - pub(crate) fn new(key_store: Arc) -> Self { - Self { key_store } + pub(crate) fn new(instance_keys: InstanceKeys, group_keys: Arc) -> Self { + Self { + instance_keys, + group_keys, + } } fn signing_key( @@ -145,7 +130,7 @@ impl CryptoService { KeyOrigin::Unspecified => { Err(tonic::Status::invalid_argument("unspecified key origin"))? } - KeyOrigin::Instance => Ok(&self.key_store.instance_signing_key), + KeyOrigin::Instance => Ok(&self.instance_keys.signing_key), KeyOrigin::Group => // TODO(#4442): Implement with key provisioning. { @@ -169,8 +154,8 @@ impl OrchestratorCrypto for CryptoService { KeyOrigin::Unspecified => { Err(tonic::Status::invalid_argument("unspecified key origin"))? } - KeyOrigin::Instance => &self.key_store.instance_encryption_key, - KeyOrigin::Group => &self.key_store.group_encryption_key, + KeyOrigin::Instance => &self.instance_keys.encryption_key, + KeyOrigin::Group => &self.group_keys.encryption_key, }; let session_keys = encryption_key diff --git a/oak_containers_orchestrator/src/ipc_server.rs b/oak_containers_orchestrator/src/ipc_server.rs index a37dbdab918..eb242dbbc09 100644 --- a/oak_containers_orchestrator/src/ipc_server.rs +++ b/oak_containers_orchestrator/src/ipc_server.rs @@ -22,7 +22,7 @@ use tokio_util::sync::CancellationToken; use tonic::{transport::Server, Request, Response}; use crate::{ - crypto::{CryptoService, KeyStore}, + crypto::{CryptoService, GroupKeys, InstanceKeys}, launcher_client::LauncherClient, proto::oak::containers::{ orchestrator_server::{Orchestrator, OrchestratorServer}, @@ -58,7 +58,8 @@ impl Orchestrator for ServiceImplementation { pub async fn create

( socket_address: P, - key_store: Arc, + instance_keys: InstanceKeys, + group_keys: Arc, application_config: Vec, launcher_client: Arc, cancellation_token: CancellationToken, @@ -71,7 +72,7 @@ where application_config, launcher_client, }; - let crypto_service_instance = CryptoService::new(key_store); + let crypto_service_instance = CryptoService::new(instance_keys, group_keys); let uds = UnixListener::bind(socket_address.clone()) .context("could not bind to the supplied address")?; diff --git a/oak_containers_orchestrator/src/key_provisioning.rs b/oak_containers_orchestrator/src/key_provisioning.rs index 524333740fe..664720183db 100644 --- a/oak_containers_orchestrator/src/key_provisioning.rs +++ b/oak_containers_orchestrator/src/key_provisioning.rs @@ -22,20 +22,20 @@ use tokio_util::sync::CancellationToken; use tonic::{transport::Server, Request, Response}; use crate::{ - crypto::KeyStore, + crypto::GroupKeys, proto::oak::key_provisioning::v1::{ key_provisioning_server::{KeyProvisioning, KeyProvisioningServer}, - GetGroupKeysRequest, GetGroupKeysResponse, GroupKeys, + GetGroupKeysRequest, GetGroupKeysResponse, GroupKeys as GroupKeysProto, }, }; struct KeyProvisioningService { - key_store: Arc, + group_keys: Arc, } impl KeyProvisioningService { - pub fn new(key_store: Arc) -> Self { - Self { key_store } + pub fn new(group_keys: Arc) -> Self { + Self { group_keys } } } @@ -62,26 +62,25 @@ impl KeyProvisioning for KeyProvisioningService { // Encrypt group keys. let encrypted_encryption_private_key = self - .key_store + .group_keys .encrypted_group_encryption_key(&attestation_results.encryption_public_key) .map_err(|err| { tonic::Status::internal(format!("couldn't encrypt encryption private key: {err}")) })?; - let group_keys = GroupKeys { - encrypted_encryption_private_key: Some(encrypted_encryption_private_key), - }; Ok(tonic::Response::new(GetGroupKeysResponse { - group_keys: Some(group_keys), + group_keys: Some(GroupKeysProto { + encrypted_encryption_private_key: Some(encrypted_encryption_private_key), + }), })) } } pub async fn create( address: &str, - key_store: Arc, + group_keys: Arc, cancellation_token: CancellationToken, ) -> Result<(), anyhow::Error> { - let key_provisioning_service_instance = KeyProvisioningService::new(key_store); + let key_provisioning_service_instance = KeyProvisioningService::new(group_keys); let listener = TcpListener::bind(address).await?; diff --git a/oak_containers_orchestrator/src/main.rs b/oak_containers_orchestrator/src/main.rs index 054bdbe22b5..81992f90db4 100644 --- a/oak_containers_orchestrator/src/main.rs +++ b/oak_containers_orchestrator/src/main.rs @@ -19,10 +19,9 @@ use anyhow::{anyhow, Context}; use clap::Parser; use oak_attestation::attester::{Attester, EmptyAttestationReportGenerator}; use oak_containers_orchestrator::{ - crypto::InstanceKeyStore, launcher_client::LauncherClient, + crypto::generate_instance_keys, launcher_client::LauncherClient, proto::oak::containers::v1::KeyProvisioningRole, }; -use oak_dice::cert::generate_ecdsa_key_pair; use tokio_util::sync::CancellationToken; #[global_allocator] @@ -73,19 +72,18 @@ async fn main() -> anyhow::Result<()> { &container_bundle, &application_config, ); - let (signing_key, verifying_key) = generate_ecdsa_key_pair(); - let instance_key_store = InstanceKeyStore::new(signing_key); + let (instance_keys, instance_public_keys) = generate_instance_keys(); let dice_evidence = dice_builder.add_application_keys( additional_claims, - &instance_key_store.instance_encryption_public_key(), - &verifying_key, + &instance_public_keys.encryption_public_key, + &instance_public_keys.signing_public_key, )?; // TODO(#4074): Remove once DICE attestation is fully implemented. let attestation_report_generator = Arc::new(EmptyAttestationReportGenerator); let attester = Attester::new( attestation_report_generator, - instance_key_store.instance_encryption_key(), + &instance_public_keys.encryption_public_key, ); let evidence = attester .generate_attestation_evidence() @@ -103,16 +101,20 @@ async fn main() -> anyhow::Result<()> { .get_key_provisioning_role() .await .map_err(|error| anyhow!("couldn't get key provisioning role: {:?}", error))?; - let key_store = Arc::new(match key_provisioning_role { + let group_keys = Arc::new(match key_provisioning_role { KeyProvisioningRole::Unspecified => anyhow::bail!("unspecified key provisioning role"), - KeyProvisioningRole::Leader => instance_key_store.generate_group_keys(), + KeyProvisioningRole::Leader => { + // TODO(#4442): Sign group public keys in the enclave evidence. + let (group_keys, _) = instance_keys.generate_group_keys(); + group_keys + } KeyProvisioningRole::Dependant => { - let group_keys = launcher_client + let get_group_keys_response = launcher_client .get_group_keys() .await .map_err(|error| anyhow!("couldn't get group keys: {:?}", error))?; - instance_key_store - .provide_group_keys(group_keys) + instance_keys + .provide_group_keys(get_group_keys_response) .context("couldn't provide group keys")? } }); @@ -127,14 +129,15 @@ async fn main() -> anyhow::Result<()> { tokio::try_join!( oak_containers_orchestrator::ipc_server::create( &args.ipc_socket_path, - key_store.clone(), + instance_keys, + group_keys.clone(), application_config, launcher_client, cancellation_token.clone(), ), oak_containers_orchestrator::key_provisioning::create( &args.orchestrator_addr, - key_store, + group_keys, cancellation_token.clone(), ), oak_containers_orchestrator::container_runtime::run( diff --git a/oak_containers_sdk/src/crypto.rs b/oak_containers_sdk/src/crypto.rs index 55aea7b7149..11b7c7aa12f 100644 --- a/oak_containers_sdk/src/crypto.rs +++ b/oak_containers_sdk/src/crypto.rs @@ -16,7 +16,7 @@ use anyhow::Context; use async_trait::async_trait; use oak_crypto::{ - encryptor::AsyncEncryptionKeyHandle, hpke::RecipientContext, + encryption_key::AsyncEncryptionKeyHandle, hpke::RecipientContext, proto::oak::crypto::v1::SessionKeys, }; use tonic::transport::{Endpoint, Uri}; diff --git a/oak_crypto/Cargo.toml b/oak_crypto/Cargo.toml index d1e32d6281b..24d3b9d1c29 100644 --- a/oak_crypto/Cargo.toml +++ b/oak_crypto/Cargo.toml @@ -27,7 +27,7 @@ rand_core = { version = "*", default-features = false, features = [ "getrandom" ] } sha2 = { version = "*", default-features = false } -oak_dice = { workspace = true } +zeroize = "*" [build-dependencies] micro_rpc_build = { workspace = true } diff --git a/oak_crypto/src/encryption_key.rs b/oak_crypto/src/encryption_key.rs new file mode 100644 index 00000000000..ec1f0c8ed31 --- /dev/null +++ b/oak_crypto/src/encryption_key.rs @@ -0,0 +1,113 @@ +// +// Copyright 2024 The Project Oak Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// + +use alloc::{boxed::Box, vec::Vec}; + +use anyhow::Context; +use async_trait::async_trait; +use zeroize::{Zeroize, Zeroizing}; + +use crate::{ + encryptor::ClientEncryptor, + hpke::{ + generate_kem_key_pair, setup_base_recipient, Deserializable, PrivateKey, RecipientContext, + Serializable, OAK_HPKE_INFO, + }, + proto::oak::crypto::v1::EncryptedRequest, + EMPTY_ASSOCIATED_DATA, +}; + +/// Generates a random encryption key pair and returns an instance of the `EncryptionKey` and a +/// NIST P-256 SEC1 encoded point public key. +/// +pub fn generate_encryption_key_pair() -> (EncryptionKey, Vec) { + let (private_key, public_key) = generate_kem_key_pair(); + ( + EncryptionKey::new(private_key), + public_key.to_bytes().to_vec(), + ) +} + +pub struct EncryptionKey { + private_key: PrivateKey, +} + +impl EncryptionKey { + pub fn new(private_key: PrivateKey) -> Self { + Self { private_key } + } + + pub fn serialize(self) -> Vec { + self.private_key.to_bytes().to_vec() + } + + pub fn deserialize(serialized_private_key: &mut [u8]) -> anyhow::Result { + let private_key = PrivateKey::from_bytes(serialized_private_key) + .map_err(|error| anyhow::anyhow!("couldn't deserialize private key: {}", error))?; + serialized_private_key.zeroize(); + Ok(Self { private_key }) + } + + /// Returns the private key encrypted with the `peer_public_key`. + pub fn encrypted_private_key( + &self, + peer_public_key: &[u8], + ) -> anyhow::Result { + let mut client_encryptor = + ClientEncryptor::create(peer_public_key).context("couldn't create client encryptor")?; + client_encryptor.encrypt( + &Zeroizing::new(self.private_key.to_bytes()), + EMPTY_ASSOCIATED_DATA, + ) + } +} + +/// Exposes the ability to derive a session key from the provided encapsulated private key, +/// using a private key that has been endorsed in the Attestation Evidence. +pub trait EncryptionKeyHandle { + fn generate_recipient_context( + &self, + encapsulated_public_key: &[u8], + ) -> anyhow::Result; +} + +impl EncryptionKeyHandle for EncryptionKey { + fn generate_recipient_context( + &self, + encapsulated_public_key: &[u8], + ) -> anyhow::Result { + setup_base_recipient(encapsulated_public_key, &self.private_key, OAK_HPKE_INFO) + .context("couldn't generate recipient crypto context") + } +} + +#[async_trait] +pub trait AsyncEncryptionKeyHandle { + async fn generate_recipient_context( + &self, + encapsulated_public_key: &[u8], + ) -> anyhow::Result; +} + +#[async_trait] +impl AsyncEncryptionKeyHandle for EncryptionKey { + async fn generate_recipient_context( + &self, + encapsulated_public_key: &[u8], + ) -> anyhow::Result { + (self as &dyn EncryptionKeyHandle).generate_recipient_context(encapsulated_public_key) + } +} diff --git a/oak_crypto/src/encryptor.rs b/oak_crypto/src/encryptor.rs index 96713118855..a3bfd6549e1 100644 --- a/oak_crypto/src/encryptor.rs +++ b/oak_crypto/src/encryptor.rs @@ -18,131 +18,19 @@ //! //! -use alloc::{boxed::Box, vec::Vec}; +use alloc::vec::Vec; use anyhow::Context; -use async_trait::async_trait; -use hpke::Deserializable; use crate::{ + encryption_key::{AsyncEncryptionKeyHandle, EncryptionKeyHandle}, hpke::{ - deserialize_nonce, generate_random_nonce, setup_base_recipient, setup_base_sender, KeyPair, - PrivateKey, PublicKey, RecipientContext, SenderContext, + deserialize_nonce, generate_random_nonce, setup_base_sender, RecipientContext, + SenderContext, OAK_HPKE_INFO, }, proto::oak::crypto::v1::{AeadEncryptedMessage, EncryptedRequest, EncryptedResponse}, }; -/// Info string used by Hybrid Public Key Encryption; -pub(crate) const OAK_HPKE_INFO: &[u8] = b"Oak Hybrid Public Key Encryption v1"; - -pub struct EncryptionKeyProvider { - key_pair: KeyPair, -} - -impl Default for EncryptionKeyProvider { - fn default() -> Self { - Self::generate() - } -} - -impl TryFrom<&oak_dice::evidence::RestrictedKernelDiceData> for EncryptionKeyProvider { - type Error = anyhow::Error; - fn try_from( - dice_data: &oak_dice::evidence::RestrictedKernelDiceData, - ) -> Result { - let claims = dice_data - .evidence - .application_keys - .claims() - .map_err(|err| { - anyhow::anyhow!("couldn't parse encryption public key certificate: {err}") - })?; - let private_key = PrivateKey::from_bytes( - &dice_data.application_private_keys.encryption_private_key - [..oak_dice::evidence::X25519_PRIVATE_KEY_SIZE], - ) - .map_err(|error| anyhow::anyhow!("couldn't deserialize private key: {}", error))?; - let public_key = { - let cose_key = - oak_dice::cert::get_public_key_from_claims_set(&claims).map_err(|err| { - anyhow::anyhow!("couldn't get public key from certificate: {err}") - })?; - oak_dice::cert::cose_key_to_hpke_public_key(&cose_key) - .map_err(|err| anyhow::anyhow!("couldn't extract public key: {err}"))? - }; - let encryption_key_provider = EncryptionKeyProvider::new( - private_key, - PublicKey::from_bytes(&public_key) - .map_err(|err| anyhow::anyhow!("couldn't decode public key: {err}"))?, - ); - Ok(encryption_key_provider) - } -} - -// TODO(#4513): Merge `EncryptionKeyProvider` and `hpke::KeyPair` into `EncryptionKey`. -impl EncryptionKeyProvider { - /// Creates a crypto provider with a newly generated key pair. - pub fn generate() -> Self { - Self { - key_pair: KeyPair::generate(), - } - } - - pub fn new(private_key: PrivateKey, public_key: PublicKey) -> Self { - Self { - key_pair: KeyPair::new(private_key, public_key), - } - } - - pub fn get_private_key(&self) -> Vec { - // TODO(#4513): Implement Rust protections for the private key. - self.key_pair.get_private_key() - } - - /// Returns a NIST P-256 SEC1 encoded point public key. - /// - pub fn get_serialized_public_key(&self) -> Vec { - self.key_pair.get_serialized_public_key() - } -} - -/// Exposes the ability to derive a session key from the provided encapsulated private key, -/// using a private key that has been endorsed in the Attestation Evidence. -pub trait EncryptionKeyHandle { - fn generate_recipient_context( - &self, - encapsulated_public_key: &[u8], - ) -> anyhow::Result; -} - -impl EncryptionKeyHandle for EncryptionKeyProvider { - fn generate_recipient_context( - &self, - encapsulated_public_key: &[u8], - ) -> anyhow::Result { - setup_base_recipient(encapsulated_public_key, &self.key_pair, OAK_HPKE_INFO) - .context("couldn't generate recipient crypto context") - } -} - -#[async_trait] -pub trait AsyncEncryptionKeyHandle { - async fn generate_recipient_context( - &self, - encapsulated_public_key: &[u8], - ) -> anyhow::Result; -} - -#[async_trait] -impl AsyncEncryptionKeyHandle for EncryptionKeyProvider { - async fn generate_recipient_context( - &self, - encapsulated_public_key: &[u8], - ) -> anyhow::Result { - (self as &dyn EncryptionKeyHandle).generate_recipient_context(encapsulated_public_key) - } -} - /// Encryptor object for encrypting client requests that will be sent to the server and decrypting /// server responses that are received by the client. Each Encryptor object corresponds to a single /// crypto session between the client and the server. diff --git a/oak_crypto/src/hpke/mod.rs b/oak_crypto/src/hpke/mod.rs index 7bbcc1033a6..9051466b212 100644 --- a/oak_crypto/src/hpke/mod.rs +++ b/oak_crypto/src/hpke/mod.rs @@ -32,46 +32,16 @@ use crate::{ type Aead = AesGcm256; type Kdf = HkdfSha256; -type Kem = X25519HkdfSha256; +pub type Kem = X25519HkdfSha256; pub type PrivateKey = ::PrivateKey; pub type PublicKey = ::PublicKey; pub(crate) type EncappedKey = ::EncappedKey; -pub fn gen_kem_keypair() -> (PrivateKey, PublicKey) { - Kem::gen_keypair(&mut OsRng) -} - -pub struct KeyPair { - pub(crate) private_key: PrivateKey, - pub(crate) public_key: PublicKey, -} - -impl KeyPair { - /// Randomly generates a key pair. - pub fn generate() -> Self { - let (private_key, public_key) = gen_kem_keypair(); - Self { - private_key, - public_key, - } - } +/// Info string used by Hybrid Public Key Encryption; +pub(crate) const OAK_HPKE_INFO: &[u8] = b"Oak Hybrid Public Key Encryption v1"; - pub fn new(private_key: PrivateKey, public_key: PublicKey) -> Self { - Self { - private_key, - public_key, - } - } - - pub fn get_private_key(&self) -> Vec { - self.private_key.to_bytes().to_vec() - } - - /// Returns a NIST P-256 SEC1 encoded point public key. - /// - pub fn get_serialized_public_key(&self) -> Vec { - self.public_key.to_bytes().to_vec() - } +pub(crate) fn generate_kem_key_pair() -> (PrivateKey, PublicKey) { + Kem::gen_keypair(&mut OsRng) } /// Sets up an HPKE sender by generating an ephemeral keypair (and serializing the corresponding @@ -122,7 +92,7 @@ pub(crate) fn setup_base_sender( /// pub(crate) fn setup_base_recipient( serialized_encapsulated_public_key: &[u8], - recipient_key_pair: &KeyPair, + recipient_private_key: &PrivateKey, info: &[u8], ) -> anyhow::Result { let encapsulated_public_key = EncappedKey::from_bytes(serialized_encapsulated_public_key) @@ -135,7 +105,7 @@ pub(crate) fn setup_base_recipient( let recipient_context = hpke::setup_receiver::( &OpModeR::Base, - &recipient_key_pair.private_key, + recipient_private_key, &encapsulated_public_key, info, ) diff --git a/oak_crypto/src/lib.rs b/oak_crypto/src/lib.rs index 024272152c3..c2be48307ad 100644 --- a/oak_crypto/src/lib.rs +++ b/oak_crypto/src/lib.rs @@ -32,9 +32,12 @@ pub mod proto { } } +pub mod encryption_key; pub mod encryptor; pub mod hpke; pub mod signer; #[cfg(test)] mod tests; pub mod verifier; + +pub const EMPTY_ASSOCIATED_DATA: &[u8] = b""; diff --git a/oak_crypto/src/tests.rs b/oak_crypto/src/tests.rs index 181f2ff334f..828e2db0cf0 100644 --- a/oak_crypto/src/tests.rs +++ b/oak_crypto/src/tests.rs @@ -14,13 +14,13 @@ // limitations under the License. // -use alloc::sync::Arc; - use crate::{ - encryptor::{ClientEncryptor, EncryptionKeyProvider, ServerEncryptor}, + encryption_key::generate_encryption_key_pair, + encryptor::{ClientEncryptor, ServerEncryptor}, hpke::{ aead::{AEAD_ALGORITHM_KEY_SIZE_BYTES, AEAD_NONCE_SIZE_BYTES}, - generate_random_nonce, setup_base_recipient, setup_base_sender, KeyPair, + generate_kem_key_pair, generate_random_nonce, setup_base_recipient, setup_base_sender, + Serializable, }, }; @@ -64,15 +64,13 @@ fn test_aead() { #[test] fn test_hpke() { - let recipient_key_pair = KeyPair::generate(); - let (serialized_encapsulated_public_key, sender_context) = setup_base_sender( - &recipient_key_pair.get_serialized_public_key(), - TEST_HPKE_INFO, - ) - .expect("couldn't setup base sender"); + let (recipient_private_key, recipient_public_key) = generate_kem_key_pair(); + let (serialized_encapsulated_public_key, sender_context) = + setup_base_sender(&recipient_public_key.to_bytes(), TEST_HPKE_INFO) + .expect("couldn't setup base sender"); let recipient_context = setup_base_recipient( &serialized_encapsulated_public_key, - &recipient_key_pair, + &recipient_private_key, TEST_HPKE_INFO, ) .expect("couldn't setup base recipient"); @@ -119,11 +117,10 @@ fn test_hpke() { #[test] fn test_encryptor() { - let encryption_key = Arc::new(EncryptionKeyProvider::generate()); - let serialized_server_public_key = encryption_key.get_serialized_public_key(); + let (encryption_key, encryption_public_key) = generate_encryption_key_pair(); - let mut client_encryptor = ClientEncryptor::create(&serialized_server_public_key) - .expect("couldn't create client encryptor"); + let mut client_encryptor = + ClientEncryptor::create(&encryption_public_key).expect("couldn't create client encryptor"); let encrypted_request = client_encryptor .encrypt(TEST_REQUEST_MESSAGE, TEST_REQUEST_ASSOCIATED_DATA) @@ -140,7 +137,7 @@ fn test_encryptor() { // Initialize server encryptor. let (server_encryptor, decrypted_request, request_associated_data) = - ServerEncryptor::decrypt(&encrypted_request, encryption_key.as_ref()) + ServerEncryptor::decrypt(&encrypted_request, &encryption_key) .expect("server couldn't decrypt request"); assert_eq!(TEST_REQUEST_MESSAGE, decrypted_request); assert_eq!(TEST_REQUEST_ASSOCIATED_DATA, request_associated_data); @@ -166,11 +163,10 @@ fn test_encryptor() { #[tokio::test] async fn test_async_encryptor() { - let encryption_key = Arc::new(EncryptionKeyProvider::generate()); - let serialized_server_public_key = encryption_key.get_serialized_public_key(); + let (encryption_key, encryption_public_key) = generate_encryption_key_pair(); - let mut client_encryptor = ClientEncryptor::create(&serialized_server_public_key) - .expect("couldn't create client encryptor"); + let mut client_encryptor = + ClientEncryptor::create(&encryption_public_key).expect("couldn't create client encryptor"); let encrypted_request = client_encryptor .encrypt(TEST_REQUEST_MESSAGE, TEST_REQUEST_ASSOCIATED_DATA) @@ -187,7 +183,7 @@ async fn test_async_encryptor() { // Initialize server encryptor. let (server_encryptor, decrypted_request, request_associated_data) = - ServerEncryptor::decrypt_async(&encrypted_request, encryption_key.as_ref()) + ServerEncryptor::decrypt_async(&encrypted_request, &encryption_key) .await .expect("server couldn't decrypt request"); assert_eq!(TEST_REQUEST_MESSAGE, decrypted_request); diff --git a/oak_functions_containers_app/src/lib.rs b/oak_functions_containers_app/src/lib.rs index 447abe33655..929d701e50a 100644 --- a/oak_functions_containers_app/src/lib.rs +++ b/oak_functions_containers_app/src/lib.rs @@ -23,7 +23,7 @@ use std::{ use anyhow::Context; use oak_attestation::handler::AsyncEncryptionHandler; -use oak_crypto::encryptor::AsyncEncryptionKeyHandle; +use oak_crypto::encryption_key::AsyncEncryptionKeyHandle; use oak_functions_service::{ instance::OakFunctionsInstance, proto::oak::functions::{ diff --git a/oak_functions_containers_app/tests/integration_test.rs b/oak_functions_containers_app/tests/integration_test.rs index 54a17a5daa3..dd34aed30e9 100644 --- a/oak_functions_containers_app/tests/integration_test.rs +++ b/oak_functions_containers_app/tests/integration_test.rs @@ -29,7 +29,7 @@ use std::{ time::Duration, }; -use oak_crypto::encryptor::EncryptionKeyProvider; +use oak_crypto::encryption_key::generate_encryption_key_pair; use oak_functions_containers_app::serve; use oak_functions_service::proto::oak::functions::InitializeRequest; use opentelemetry::metrics::{noop::NoopMeterProvider, MeterProvider}; @@ -47,9 +47,11 @@ async fn test_lookup() { let listener = TcpListener::bind(addr).await.unwrap(); let addr = listener.local_addr().unwrap(); + let (encryption_key, _) = generate_encryption_key_pair(); + let server_handle = tokio::spawn(serve( listener, - Arc::new(EncryptionKeyProvider::generate()), + Arc::new(encryption_key), NoopMeterProvider::new().meter(""), )); diff --git a/oak_functions_enclave_service/src/lib.rs b/oak_functions_enclave_service/src/lib.rs index 74c4436983d..19303323248 100644 --- a/oak_functions_enclave_service/src/lib.rs +++ b/oak_functions_enclave_service/src/lib.rs @@ -22,7 +22,7 @@ use alloc::{format, string::ToString, sync::Arc, vec::Vec}; use oak_attestation::{dice::evidence_to_proto, handler::EncryptionHandler}; use oak_core::sync::OnceCell; -use oak_crypto::encryptor::EncryptionKeyHandle; +use oak_crypto::encryption_key::EncryptionKeyHandle; pub use oak_functions_service::proto; use oak_functions_service::{ instance::OakFunctionsInstance, diff --git a/oak_restricted_kernel_bin/Cargo.lock b/oak_restricted_kernel_bin/Cargo.lock index b371c657b21..6089e04b1a7 100644 --- a/oak_restricted_kernel_bin/Cargo.lock +++ b/oak_restricted_kernel_bin/Cargo.lock @@ -677,11 +677,11 @@ dependencies = [ "hkdf", "hpke", "micro_rpc_build", - "oak_dice", "p256", "prost", "rand_core", "sha2", + "zeroize", ] [[package]] diff --git a/oak_restricted_kernel_dice/src/lib.rs b/oak_restricted_kernel_dice/src/lib.rs index dea7478f7a0..13156eb14ac 100644 --- a/oak_restricted_kernel_dice/src/lib.rs +++ b/oak_restricted_kernel_dice/src/lib.rs @@ -25,7 +25,7 @@ extern crate alloc; use coset::{cbor::Value, cwt::ClaimName, CborSerializable}; use hkdf::Hkdf; -use oak_crypto::hpke::Serializable; +use oak_crypto::encryption_key::generate_encryption_key_pair; use oak_dice::cert::{ENCLAVE_APPLICATION_LAYER_ID, LAYER_2_CODE_MEASUREMENT_ID, SHA2_256_ID}; use sha2::{Digest, Sha256}; @@ -106,13 +106,13 @@ pub fn generate_dice_data( .expect("couldn't generate signing certificate"); let (application_encryption_private_key, application_encryption_public_key) = - oak_crypto::hpke::gen_kem_keypair(); + generate_encryption_key_pair(); let application_encryption_public_key_certificate = oak_dice::cert::generate_kem_certificate( &kernel_signing_key, kernel_cert_issuer, - application_encryption_public_key.to_bytes().as_slice(), + &application_encryption_public_key, additional_claims, ) .expect("couldn't generate encryption public certificate"); @@ -135,9 +135,11 @@ pub fn generate_dice_data( }; let encryption_private_key = { + let serialized_application_encryption_private_key = + application_encryption_private_key.serialize(); let mut slice = [0; oak_dice::evidence::PRIVATE_KEY_SIZE]; - slice[..application_encryption_private_key.to_bytes().len()] - .copy_from_slice(&application_encryption_private_key.to_bytes()); + slice[..serialized_application_encryption_private_key.len()] + .copy_from_slice(&serialized_application_encryption_private_key); slice }; diff --git a/oak_restricted_kernel_sdk/src/instance_attestation.rs b/oak_restricted_kernel_sdk/src/instance_attestation.rs index 54bf959905a..2d4fcbcd1dc 100644 --- a/oak_restricted_kernel_sdk/src/instance_attestation.rs +++ b/oak_restricted_kernel_sdk/src/instance_attestation.rs @@ -18,7 +18,7 @@ use anyhow::Ok; use oak_crypto::{ - encryptor::{EncryptionKeyHandle, EncryptionKeyProvider}, + encryption_key::{EncryptionKey, EncryptionKeyHandle}, hpke::RecipientContext, }; use oak_dice::evidence::{Evidence, RestrictedKernelDiceData, P256_PRIVATE_KEY_SIZE}; @@ -48,8 +48,11 @@ fn get_restricted_kernel_dice_data() -> anyhow::Result impl TryFrom for DiceWrapper { type Error = anyhow::Error; - fn try_from(dice_data: RestrictedKernelDiceData) -> Result { - let encryption_key = EncryptionKeyProvider::try_from(&dice_data)?; + fn try_from(mut dice_data: RestrictedKernelDiceData) -> Result { + let encryption_key = EncryptionKey::deserialize( + &mut dice_data.application_private_keys.encryption_private_key + [..oak_dice::evidence::X25519_PRIVATE_KEY_SIZE], + )?; let signing_key = SigningKey::from_slice( &dice_data.application_private_keys.signing_private_key[..P256_PRIVATE_KEY_SIZE], ) @@ -94,7 +97,7 @@ impl Signer for InstanceSigner { /// private keys. #[derive(Clone)] pub struct InstanceEncryptionKeyHandle { - key: &'static EncryptionKeyProvider, + key: &'static EncryptionKey, } impl InstanceEncryptionKeyHandle { diff --git a/oak_restricted_kernel_sdk/src/lib.rs b/oak_restricted_kernel_sdk/src/lib.rs index 72ecf64f70e..e0da27c7f92 100644 --- a/oak_restricted_kernel_sdk/src/lib.rs +++ b/oak_restricted_kernel_sdk/src/lib.rs @@ -27,8 +27,8 @@ pub mod instance_attestation; #[doc(cfg(feature = "mock_attestation"))] pub mod mock_attestation; pub mod utils; -pub use oak_crypto::encryptor::EncryptionKeyHandle; -use oak_crypto::encryptor::EncryptionKeyProvider; +use oak_crypto::encryption_key::EncryptionKey; +pub use oak_crypto::encryption_key::EncryptionKeyHandle; use oak_dice::evidence::Evidence; /// Marks a function as the entrypoint to an enclave app and sets up an conviences such an /// allocator, logger, panic handler. @@ -80,6 +80,6 @@ pub trait EvidenceProvider { /// Wrapper for DICE evidence and application private keys. pub(crate) struct DiceWrapper { pub evidence: Evidence, - pub encryption_key: EncryptionKeyProvider, + pub encryption_key: EncryptionKey, pub signing_key: p256::ecdsa::SigningKey, } diff --git a/oak_restricted_kernel_sdk/src/mock_attestation.rs b/oak_restricted_kernel_sdk/src/mock_attestation.rs index 3f9379cf9b7..15169a161a9 100644 --- a/oak_restricted_kernel_sdk/src/mock_attestation.rs +++ b/oak_restricted_kernel_sdk/src/mock_attestation.rs @@ -18,7 +18,7 @@ //! TEE may not be available. use oak_crypto::{ - encryptor::{EncryptionKeyHandle, EncryptionKeyProvider}, + encryption_key::{EncryptionKey, EncryptionKeyHandle}, hpke::RecipientContext, }; use oak_dice::evidence::{Evidence, RestrictedKernelDiceData, TeePlatform}; @@ -78,7 +78,7 @@ impl Signer for MockSigner { /// private keys. #[derive(Clone)] pub struct MockEncryptionKeyHandle { - key: &'static EncryptionKeyProvider, + key: &'static EncryptionKey, } impl MockEncryptionKeyHandle {