From 072ddb1d3ba69ab9e8ee04df1a5b17f2b4b35a51 Mon Sep 17 00:00:00 2001 From: Ivan Petrov Date: Thu, 18 Jan 2024 16:26:56 +0000 Subject: [PATCH 1/5] Rename RecipientContextGenerator into EncryptionKeyHandle --- Cargo.lock | 1 + oak_attestation/src/handler.rs | 24 +++++----- oak_containers_orchestrator/src/crypto.rs | 2 +- oak_containers_sdk/src/crypto.rs | 28 ++---------- oak_containers_sdk/src/lib.rs | 2 +- oak_crypto/src/encryptor.rs | 56 +++++++---------------- oak_crypto/src/tests.rs | 22 ++++----- oak_functions_containers_app/Cargo.toml | 1 + oak_functions_containers_app/src/lib.rs | 14 +++--- oak_functions_service/src/lib.rs | 7 +-- oak_restricted_kernel_sdk/src/dice.rs | 6 +-- 11 files changed, 60 insertions(+), 103 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 7f8156af036..23223d12ab8 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2203,6 +2203,7 @@ name = "oak_functions_containers_app" version = "0.1.0" dependencies = [ "anyhow", + "async-trait", "clap", "http", "micro_rpc", diff --git a/oak_attestation/src/handler.rs b/oak_attestation/src/handler.rs index 5fc19ed0f8b..3f0fbff497b 100644 --- a/oak_attestation/src/handler.rs +++ b/oak_attestation/src/handler.rs @@ -20,7 +20,7 @@ use core::future::Future; use anyhow::Context; use oak_crypto::{ encryptor::{ - AsyncRecipientContextGenerator, AsyncServerEncryptor, RecipientContextGenerator, + AsyncEncryptionKeyHandle, AsyncServerEncryptor, EncryptionKeyHandle, ServerEncryptor, }, proto::oak::crypto::v1::{EncryptedRequest, EncryptedResponse}, @@ -42,17 +42,17 @@ pub struct PublicKeyInfo { /// based on the provided encryption key. pub struct EncryptionHandler) -> Vec> { // TODO(#3442): Use attester to attest to the public key. - encryption_key_provider: Arc, + encryption_key: Arc, request_handler: H, } impl) -> Vec> EncryptionHandler { pub fn create( - encryption_key_provider: Arc, + encryption_key: Arc, request_handler: H, ) -> Self { Self { - encryption_key_provider, + encryption_key, request_handler, } } @@ -67,7 +67,7 @@ impl) -> Vec> EncryptionHandler { .context("initial request message doesn't contain encapsulated public key")?; let mut server_encryptor = ServerEncryptor::create( serialized_encapsulated_public_key, - self.encryption_key_provider.clone(), + self.encryption_key.clone(), ) .context("couldn't create server encryptor")?; @@ -90,27 +90,27 @@ impl) -> Vec> EncryptionHandler { /// Wraps a closure to an underlying function with request encryption and response decryption logic, /// based on the provided encryption key. -/// [`AsyncEncryptionHandler`] can be used when an [`AsyncRecipientContextGenerator`] is needed. +/// [`AsyncEncryptionHandler`] can be used when an [`AsyncEncryptionKeyHandle`] is needed. pub struct AsyncEncryptionHandler where - G: AsyncRecipientContextGenerator + Send + Sync, + G: AsyncEncryptionKeyHandle + Send + Sync, H: FnOnce(Vec) -> F, F: Future>, { // TODO(#3442): Use attester to attest to the public key. - recipient_context_generator: Arc, + encryption_key_handle: Arc, request_handler: H, } impl AsyncEncryptionHandler where - G: AsyncRecipientContextGenerator + Send + Sync, + G: AsyncEncryptionKeyHandle + Send + Sync, H: FnOnce(Vec) -> F, F: Future>, { - pub fn create(recipient_context_generator: Arc, request_handler: H) -> Self { + pub fn create(encryption_key_handle: Arc, request_handler: H) -> Self { Self { - recipient_context_generator, + encryption_key_handle, request_handler, } } @@ -121,7 +121,7 @@ where ) -> anyhow::Result { // Initialize server encryptor. let mut server_encryptor = - AsyncServerEncryptor::new(self.recipient_context_generator.as_ref()); + AsyncServerEncryptor::new(self.encryption_key_handle.as_ref()); // Decrypt request. let (request, _associated_data) = server_encryptor diff --git a/oak_containers_orchestrator/src/crypto.rs b/oak_containers_orchestrator/src/crypto.rs index daee0003a1e..9d0279acda1 100644 --- a/oak_containers_orchestrator/src/crypto.rs +++ b/oak_containers_orchestrator/src/crypto.rs @@ -17,7 +17,7 @@ use std::sync::Arc; use anyhow::{anyhow, Context}; use hpke::{kem::X25519HkdfSha256, Deserializable, Kem}; -use oak_crypto::encryptor::{EncryptionKeyProvider, RecipientContextGenerator, ServerEncryptor}; +use oak_crypto::encryptor::{EncryptionKeyProvider, EncryptionKeyHandle, ServerEncryptor}; use tonic::{Request, Response}; use crate::proto::oak::{ diff --git a/oak_containers_sdk/src/crypto.rs b/oak_containers_sdk/src/crypto.rs index 8babf08c3d9..fceeb472037 100644 --- a/oak_containers_sdk/src/crypto.rs +++ b/oak_containers_sdk/src/crypto.rs @@ -16,7 +16,7 @@ use anyhow::Context; use async_trait::async_trait; use oak_crypto::{ - encryptor::AsyncRecipientContextGenerator, hpke::RecipientContext, + encryptor::AsyncEncryptionKeyHandle, hpke::RecipientContext, proto::oak::crypto::v1::SessionKeys, }; use tonic::transport::{Endpoint, Uri}; @@ -71,28 +71,6 @@ impl OrchestratorCryptoClient { } } -#[async_trait(?Send)] -pub trait EncryptionKeyHandle { - async fn derive_session_keys( - &self, - encapsulated_public_key: &[u8], - ) -> anyhow::Result; -} - -#[async_trait(?Send)] -impl EncryptionKeyHandle for T -where - T: AsyncRecipientContextGenerator, -{ - async fn derive_session_keys( - &self, - encapsulated_public_key: &[u8], - ) -> anyhow::Result { - self.generate_recipient_context(encapsulated_public_key) - .await - } -} - pub struct InstanceEncryptionKeyHandle { orchestrator_crypto_client: OrchestratorCryptoClient, } @@ -107,8 +85,8 @@ impl InstanceEncryptionKeyHandle { } } -#[async_trait] -impl AsyncRecipientContextGenerator for InstanceEncryptionKeyHandle { +#[async_trait(?Send)] +impl AsyncEncryptionKeyHandle for InstanceEncryptionKeyHandle { async fn generate_recipient_context( &self, encapsulated_public_key: &[u8], diff --git a/oak_containers_sdk/src/lib.rs b/oak_containers_sdk/src/lib.rs index ac176c72b7a..6fdc69374d6 100644 --- a/oak_containers_sdk/src/lib.rs +++ b/oak_containers_sdk/src/lib.rs @@ -42,5 +42,5 @@ static IGNORED_ENDPOINT_URI: &str = "file://[::]:0"; const ORCHESTRATOR_IPC_SOCKET: &str = "/oak_utils/orchestrator_ipc"; // Re-export structs so that they are available at the top level of the SDK. -pub use crypto::{EncryptionKeyHandle, InstanceEncryptionKeyHandle}; +pub use crypto::InstanceEncryptionKeyHandle; pub use orchestrator_client::OrchestratorClient; diff --git a/oak_crypto/src/encryptor.rs b/oak_crypto/src/encryptor.rs index eeccee57fa1..56df0df0c57 100644 --- a/oak_crypto/src/encryptor.rs +++ b/oak_crypto/src/encryptor.rs @@ -106,40 +106,14 @@ impl EncryptionKeyProvider { } } -// This trait just aliases [`RecipientContextGenerator`], while using different naming -// as defined in the Oak SDK design doc. -// TODO(#3841): rename the relevant trait and struct in our crypto crates. -/// Generate [`SessionKeys`] for the provided public key. pub trait EncryptionKeyHandle { - fn generate_session_keys(&self, encapsulated_public_key: &[u8]) -> anyhow::Result; -} - -// Alias this struct in order to conform to the naming outlined in the restricted kernel SDK design -// doc. -// TODO(#3841): rename the relevant struct and remove this alias. -use crate::encryptor::RecipientContext as SessionKeys; - -impl RecipientContextGenerator for T -where - T: EncryptionKeyHandle, -{ - fn generate_recipient_context( - &self, - encapsulated_public_key: &[u8], - ) -> anyhow::Result { - self.generate_session_keys(encapsulated_public_key) - } -} - -pub trait RecipientContextGenerator { - // TODO(#3841): Implement Oak Kernel Crypto API and return corresponding session keys instead. fn generate_recipient_context( &self, encapsulated_public_key: &[u8], ) -> anyhow::Result; } -impl RecipientContextGenerator for EncryptionKeyProvider { +impl EncryptionKeyHandle for EncryptionKeyProvider { fn generate_recipient_context( &self, encapsulated_public_key: &[u8], @@ -149,21 +123,23 @@ impl RecipientContextGenerator for EncryptionKeyProvider { } } -#[async_trait] -pub trait AsyncRecipientContextGenerator { +// #[async_trait] +#[async_trait(?Send)] +pub trait AsyncEncryptionKeyHandle { async fn generate_recipient_context( &self, encapsulated_public_key: &[u8], ) -> anyhow::Result; } -#[async_trait] -impl AsyncRecipientContextGenerator for EncryptionKeyProvider { +// #[async_trait] +#[async_trait(?Send)] +impl AsyncEncryptionKeyHandle for EncryptionKeyProvider { async fn generate_recipient_context( &self, encapsulated_public_key: &[u8], ) -> anyhow::Result { - (self as &dyn RecipientContextGenerator).generate_recipient_context(encapsulated_public_key) + (self as &dyn EncryptionKeyHandle).generate_recipient_context(encapsulated_public_key) } } @@ -258,9 +234,9 @@ pub struct ServerEncryptor { impl ServerEncryptor { pub fn create( serialized_encapsulated_public_key: &[u8], - recipient_context_generator: Arc, + encryption_key_handle: Arc, ) -> anyhow::Result { - let recipient_context = recipient_context_generator + let recipient_context = encryption_key_handle .generate_recipient_context(serialized_encapsulated_public_key) .context("couldn't generate recipient crypto context")?; Ok(Self::new(recipient_context)) @@ -331,19 +307,19 @@ impl ServerEncryptor { // the Restricted Kernel. pub struct AsyncServerEncryptor<'a, G> where - G: AsyncRecipientContextGenerator + Send + Sync, + G: AsyncEncryptionKeyHandle + Send + Sync, { - recipient_context_generator: &'a G, + encryption_key_handle: &'a G, inner: Option, } impl<'a, G> AsyncServerEncryptor<'a, G> where - G: AsyncRecipientContextGenerator + Send + Sync, + G: AsyncEncryptionKeyHandle + Send + Sync, { - pub fn new(recipient_context_generator: &'a G) -> Self { + pub fn new(encryption_key_handle: &'a G) -> Self { Self { - recipient_context_generator, + encryption_key_handle, inner: None, } } @@ -363,7 +339,7 @@ where .as_ref() .context("initial request message doesn't contain encapsulated public key")?; let recipient_context = self - .recipient_context_generator + .encryption_key_handle .generate_recipient_context(serialized_encapsulated_public_key) .await .context("couldn't generate recipient crypto context")?; diff --git a/oak_crypto/src/tests.rs b/oak_crypto/src/tests.rs index 654a6241b81..98bc6392432 100644 --- a/oak_crypto/src/tests.rs +++ b/oak_crypto/src/tests.rs @@ -21,7 +21,7 @@ use async_trait::async_trait; use crate::{ encryptor::{ - AsyncRecipientContextGenerator, AsyncServerEncryptor, ClientEncryptor, + AsyncEncryptionKeyHandle, AsyncServerEncryptor, ClientEncryptor, EncryptionKeyProvider, ServerEncryptor, OAK_HPKE_INFO, }, hpke::{ @@ -125,8 +125,8 @@ fn test_hpke() { #[test] fn test_encryptor() { - let key_provider = Arc::new(EncryptionKeyProvider::generate()); - let serialized_server_public_key = key_provider.get_serialized_public_key(); + let encryption_key = Arc::new(EncryptionKeyProvider::generate()); + let serialized_server_public_key = encryption_key.get_serialized_public_key(); let mut client_encryptor = ClientEncryptor::create(&serialized_server_public_key) .expect("couldn't create client encryptor"); @@ -152,7 +152,7 @@ fn test_encryptor() { .as_ref() .expect("initial request message doesn't contain encapsulated public key"); server_encryptor = Some( - ServerEncryptor::create(serialized_encapsulated_public_key, key_provider.clone()) + ServerEncryptor::create(serialized_encapsulated_public_key, encryption_key.clone()) .expect("couldn't create server encryptor"), ); } @@ -186,17 +186,17 @@ fn test_encryptor() { assert_eq!(TEST_RESPONSE_ASSOCIATED_DATA, response_associated_data); } -struct TestEncryptionKeyProvider { +struct TestEncryptionKey { key_pair: KeyPair, } -impl Default for TestEncryptionKeyProvider { +impl Default for TestEncryptionKey { fn default() -> Self { Self::new() } } -impl TestEncryptionKeyProvider { +impl TestEncryptionKey { pub fn new() -> Self { Self { key_pair: KeyPair::generate(), @@ -209,7 +209,7 @@ impl TestEncryptionKeyProvider { } #[async_trait] -impl AsyncRecipientContextGenerator for TestEncryptionKeyProvider { +impl AsyncEncryptionKeyHandle for TestEncryptionKey { async fn generate_recipient_context( &self, encapsulated_public_key: &[u8], @@ -221,12 +221,12 @@ impl AsyncRecipientContextGenerator for TestEncryptionKeyProvider { #[tokio::test] async fn test_async_encryptor() { - let key_provider = TestEncryptionKeyProvider::new(); - let serialized_server_public_key = key_provider.get_serialized_public_key(); + let encryption_key = TestEncryptionKey::new(); + let serialized_server_public_key = encryption_key.get_serialized_public_key(); let mut client_encryptor = ClientEncryptor::create(&serialized_server_public_key) .expect("couldn't create client encryptor"); - let mut server_encryptor = AsyncServerEncryptor::new(&key_provider); + let mut server_encryptor = AsyncServerEncryptor::new(&encryption_key); let encrypted_request = client_encryptor .encrypt(TEST_REQUEST_MESSAGE, TEST_REQUEST_ASSOCIATED_DATA) diff --git a/oak_functions_containers_app/Cargo.toml b/oak_functions_containers_app/Cargo.toml index d79e6d9ab99..9ec46af9805 100644 --- a/oak_functions_containers_app/Cargo.toml +++ b/oak_functions_containers_app/Cargo.toml @@ -9,6 +9,7 @@ oak_grpc_utils = { workspace = true } [dependencies] anyhow = "*" +async-trait = { version = "*", default-features = false } clap = { version = "*", features = ["derive"] } http = "*" oak_attestation = { workspace = true } diff --git a/oak_functions_containers_app/src/lib.rs b/oak_functions_containers_app/src/lib.rs index 5cb4bf3f280..363ea37b29b 100644 --- a/oak_functions_containers_app/src/lib.rs +++ b/oak_functions_containers_app/src/lib.rs @@ -22,8 +22,9 @@ use std::{ }; use anyhow::Context; +use async_trait::async_trait; use oak_attestation::handler::AsyncEncryptionHandler; -use oak_crypto::encryptor::AsyncRecipientContextGenerator; +use oak_crypto::encryptor::AsyncEncryptionKeyHandle; use oak_functions_service::{ instance::OakFunctionsInstance, proto::oak::functions::{ @@ -61,13 +62,13 @@ pub mod proto { } // Instance of the OakFunctions service for Oak Containers. -pub struct OakFunctionsContainersService { +pub struct OakFunctionsContainersService { instance: OnceLock, encryption_key_handle: Arc, observer: Option>, } -impl OakFunctionsContainersService { +impl OakFunctionsContainersService { pub fn new( encryption_key_handle: Arc, observer: Option>, @@ -109,8 +110,9 @@ fn map_status(status: micro_rpc::Status) -> tonic::Status { tonic::Status::new(code, status.message) } -#[tonic::async_trait] -impl OakFunctions +#[async_trait] +// #[tonic::async_trait] +impl OakFunctions for OakFunctionsContainersService { async fn initialize( @@ -375,7 +377,7 @@ static GRPC_SUCCESS: http::header::HeaderValue = http::header::HeaderValue::from const GRPC_STATUS_HEADER_CODE: &str = "grpc-status"; // Starts up and serves an OakFunctionsContainersService instance from the provided TCP listener. -pub async fn serve( +pub async fn serve( listener: TcpListener, encryption_key_handle: Arc, meter: Meter, diff --git a/oak_functions_service/src/lib.rs b/oak_functions_service/src/lib.rs index 613f9f10a5b..3d28a049bb6 100644 --- a/oak_functions_service/src/lib.rs +++ b/oak_functions_service/src/lib.rs @@ -47,6 +47,7 @@ use alloc::{format, string::ToString, sync::Arc, vec::Vec}; use instance::OakFunctionsInstance; use oak_attestation::handler::EncryptionHandler; use oak_core::sync::OnceCell; +use oak_crypto::encryptor::EncryptionKeyHandle; use prost::Message; use proto::oak::functions::{ AbortNextLookupDataResponse, Empty, ExtendNextLookupDataRequest, ExtendNextLookupDataResponse, @@ -61,7 +62,7 @@ pub trait Observer { } pub struct OakFunctionsService< - EKH: oak_restricted_kernel_sdk::EncryptionKeyHandle + 'static, + EKH: EncryptionKeyHandle + 'static, EP: oak_restricted_kernel_sdk::EvidenceProvider, > { evidence_provider: EP, @@ -71,7 +72,7 @@ pub struct OakFunctionsService< } impl< - EKH: oak_restricted_kernel_sdk::EncryptionKeyHandle + 'static, + EKH: EncryptionKeyHandle + 'static, EP: oak_restricted_kernel_sdk::EvidenceProvider, > OakFunctionsService { @@ -119,7 +120,7 @@ impl< } impl< - EKH: oak_restricted_kernel_sdk::EncryptionKeyHandle + 'static, + EKH: EncryptionKeyHandle + 'static, EP: oak_restricted_kernel_sdk::EvidenceProvider, > OakFunctions for OakFunctionsService { diff --git a/oak_restricted_kernel_sdk/src/dice.rs b/oak_restricted_kernel_sdk/src/dice.rs index fdc7a8add25..ac8f1da5964 100644 --- a/oak_restricted_kernel_sdk/src/dice.rs +++ b/oak_restricted_kernel_sdk/src/dice.rs @@ -15,10 +15,8 @@ // use anyhow::Ok; -pub use oak_crypto::encryptor::EncryptionKeyHandle; use oak_crypto::{ - encryptor::{EncryptionKeyProvider, RecipientContextGenerator}, - hpke::RecipientContext as SessionKeys, + encryptor::{EncryptionKeyHandle, EncryptionKeyProvider}, hpke::RecipientContext, }; use oak_dice::evidence::{Evidence, RestrictedKernelDiceData, P256_PRIVATE_KEY_SIZE}; use oak_restricted_kernel_interface::{syscall::read, DICE_DATA_FD}; @@ -178,7 +176,7 @@ impl InstanceEncryptionKeyHandle { } impl EncryptionKeyHandle for InstanceEncryptionKeyHandle { - fn generate_session_keys(&self, encapsulated_public_key: &[u8]) -> anyhow::Result { + fn generate_recipient_context(&self, encapsulated_public_key: &[u8]) -> anyhow::Result { self.key.generate_recipient_context(encapsulated_public_key) } } From 5c7c76c2b3e1a6fa6423842846d6aad208956e86 Mon Sep 17 00:00:00 2001 From: Ivan Petrov Date: Thu, 18 Jan 2024 16:37:13 +0000 Subject: [PATCH 2/5] Update --- Cargo.lock | 1 - oak_containers_sdk/src/crypto.rs | 2 +- oak_crypto/src/encryptor.rs | 8 ++++---- oak_functions_containers_app/Cargo.toml | 1 - oak_functions_containers_app/src/lib.rs | 4 +--- 5 files changed, 6 insertions(+), 10 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 23223d12ab8..7f8156af036 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2203,7 +2203,6 @@ name = "oak_functions_containers_app" version = "0.1.0" dependencies = [ "anyhow", - "async-trait", "clap", "http", "micro_rpc", diff --git a/oak_containers_sdk/src/crypto.rs b/oak_containers_sdk/src/crypto.rs index fceeb472037..ab425771fae 100644 --- a/oak_containers_sdk/src/crypto.rs +++ b/oak_containers_sdk/src/crypto.rs @@ -85,7 +85,7 @@ impl InstanceEncryptionKeyHandle { } } -#[async_trait(?Send)] +#[async_trait] impl AsyncEncryptionKeyHandle for InstanceEncryptionKeyHandle { async fn generate_recipient_context( &self, diff --git a/oak_crypto/src/encryptor.rs b/oak_crypto/src/encryptor.rs index 56df0df0c57..2d86450f05c 100644 --- a/oak_crypto/src/encryptor.rs +++ b/oak_crypto/src/encryptor.rs @@ -123,8 +123,8 @@ impl EncryptionKeyHandle for EncryptionKeyProvider { } } -// #[async_trait] -#[async_trait(?Send)] +#[async_trait] +// #[async_trait(?Send)] pub trait AsyncEncryptionKeyHandle { async fn generate_recipient_context( &self, @@ -132,8 +132,8 @@ pub trait AsyncEncryptionKeyHandle { ) -> anyhow::Result; } -// #[async_trait] -#[async_trait(?Send)] +#[async_trait] +// #[async_trait(?Send)] impl AsyncEncryptionKeyHandle for EncryptionKeyProvider { async fn generate_recipient_context( &self, diff --git a/oak_functions_containers_app/Cargo.toml b/oak_functions_containers_app/Cargo.toml index 9ec46af9805..d79e6d9ab99 100644 --- a/oak_functions_containers_app/Cargo.toml +++ b/oak_functions_containers_app/Cargo.toml @@ -9,7 +9,6 @@ oak_grpc_utils = { workspace = true } [dependencies] anyhow = "*" -async-trait = { version = "*", default-features = false } clap = { version = "*", features = ["derive"] } http = "*" oak_attestation = { workspace = true } diff --git a/oak_functions_containers_app/src/lib.rs b/oak_functions_containers_app/src/lib.rs index 363ea37b29b..d3dca29d876 100644 --- a/oak_functions_containers_app/src/lib.rs +++ b/oak_functions_containers_app/src/lib.rs @@ -22,7 +22,6 @@ use std::{ }; use anyhow::Context; -use async_trait::async_trait; use oak_attestation::handler::AsyncEncryptionHandler; use oak_crypto::encryptor::AsyncEncryptionKeyHandle; use oak_functions_service::{ @@ -110,8 +109,7 @@ fn map_status(status: micro_rpc::Status) -> tonic::Status { tonic::Status::new(code, status.message) } -#[async_trait] -// #[tonic::async_trait] +#[tonic::async_trait] impl OakFunctions for OakFunctionsContainersService { From 9f01ee7c797fb2eff5ad2cdc224e4dc408dd64fd Mon Sep 17 00:00:00 2001 From: Ivan Petrov Date: Thu, 18 Jan 2024 16:43:15 +0000 Subject: [PATCH 3/5] Update --- oak_attestation/src/handler.rs | 11 +++-------- oak_containers_orchestrator/src/crypto.rs | 2 +- oak_crypto/src/tests.rs | 4 ++-- oak_functions_service/src/lib.rs | 12 ++++-------- oak_restricted_kernel_sdk/src/dice.rs | 13 ++++++++++--- 5 files changed, 20 insertions(+), 22 deletions(-) diff --git a/oak_attestation/src/handler.rs b/oak_attestation/src/handler.rs index 3f0fbff497b..99e9745516a 100644 --- a/oak_attestation/src/handler.rs +++ b/oak_attestation/src/handler.rs @@ -20,8 +20,7 @@ use core::future::Future; use anyhow::Context; use oak_crypto::{ encryptor::{ - AsyncEncryptionKeyHandle, AsyncServerEncryptor, EncryptionKeyHandle, - ServerEncryptor, + AsyncEncryptionKeyHandle, AsyncServerEncryptor, EncryptionKeyHandle, ServerEncryptor, }, proto::oak::crypto::v1::{EncryptedRequest, EncryptedResponse}, }; @@ -47,10 +46,7 @@ pub struct EncryptionHandler) -> Vec> { } impl) -> Vec> EncryptionHandler { - pub fn create( - encryption_key: Arc, - request_handler: H, - ) -> Self { + pub fn create(encryption_key: Arc, request_handler: H) -> Self { Self { encryption_key, request_handler, @@ -120,8 +116,7 @@ where encrypted_request: &EncryptedRequest, ) -> anyhow::Result { // Initialize server encryptor. - let mut server_encryptor = - AsyncServerEncryptor::new(self.encryption_key_handle.as_ref()); + let mut server_encryptor = AsyncServerEncryptor::new(self.encryption_key_handle.as_ref()); // Decrypt request. let (request, _associated_data) = server_encryptor diff --git a/oak_containers_orchestrator/src/crypto.rs b/oak_containers_orchestrator/src/crypto.rs index 9d0279acda1..05b5ae5d228 100644 --- a/oak_containers_orchestrator/src/crypto.rs +++ b/oak_containers_orchestrator/src/crypto.rs @@ -17,7 +17,7 @@ use std::sync::Arc; use anyhow::{anyhow, Context}; use hpke::{kem::X25519HkdfSha256, Deserializable, Kem}; -use oak_crypto::encryptor::{EncryptionKeyProvider, EncryptionKeyHandle, ServerEncryptor}; +use oak_crypto::encryptor::{EncryptionKeyHandle, EncryptionKeyProvider, ServerEncryptor}; use tonic::{Request, Response}; use crate::proto::oak::{ diff --git a/oak_crypto/src/tests.rs b/oak_crypto/src/tests.rs index 98bc6392432..d32a734d923 100644 --- a/oak_crypto/src/tests.rs +++ b/oak_crypto/src/tests.rs @@ -21,8 +21,8 @@ use async_trait::async_trait; use crate::{ encryptor::{ - AsyncEncryptionKeyHandle, AsyncServerEncryptor, ClientEncryptor, - EncryptionKeyProvider, ServerEncryptor, OAK_HPKE_INFO, + AsyncEncryptionKeyHandle, AsyncServerEncryptor, ClientEncryptor, EncryptionKeyProvider, + ServerEncryptor, OAK_HPKE_INFO, }, hpke::{ aead::{AEAD_ALGORITHM_KEY_SIZE_BYTES, AEAD_NONCE_SIZE_BYTES}, diff --git a/oak_functions_service/src/lib.rs b/oak_functions_service/src/lib.rs index 3d28a049bb6..0b4ffb6b923 100644 --- a/oak_functions_service/src/lib.rs +++ b/oak_functions_service/src/lib.rs @@ -71,10 +71,8 @@ pub struct OakFunctionsService< observer: Option>, } -impl< - EKH: EncryptionKeyHandle + 'static, - EP: oak_restricted_kernel_sdk::EvidenceProvider, - > OakFunctionsService +impl + OakFunctionsService { pub fn new( evidence_provider: EP, @@ -119,10 +117,8 @@ impl< } } -impl< - EKH: EncryptionKeyHandle + 'static, - EP: oak_restricted_kernel_sdk::EvidenceProvider, - > OakFunctions for OakFunctionsService +impl + OakFunctions for OakFunctionsService { fn initialize( &self, diff --git a/oak_restricted_kernel_sdk/src/dice.rs b/oak_restricted_kernel_sdk/src/dice.rs index ac8f1da5964..4db1f1be5d0 100644 --- a/oak_restricted_kernel_sdk/src/dice.rs +++ b/oak_restricted_kernel_sdk/src/dice.rs @@ -16,7 +16,8 @@ use anyhow::Ok; use oak_crypto::{ - encryptor::{EncryptionKeyHandle, EncryptionKeyProvider}, hpke::RecipientContext, + encryptor::{EncryptionKeyHandle, EncryptionKeyProvider}, + hpke::RecipientContext, }; use oak_dice::evidence::{Evidence, RestrictedKernelDiceData, P256_PRIVATE_KEY_SIZE}; use oak_restricted_kernel_interface::{syscall::read, DICE_DATA_FD}; @@ -176,7 +177,10 @@ impl InstanceEncryptionKeyHandle { } impl EncryptionKeyHandle for InstanceEncryptionKeyHandle { - fn generate_recipient_context(&self, encapsulated_public_key: &[u8]) -> anyhow::Result { + fn generate_recipient_context( + &self, + encapsulated_public_key: &[u8], + ) -> anyhow::Result { self.key.generate_recipient_context(encapsulated_public_key) } } @@ -205,7 +209,10 @@ impl MockEncryptionKeyHandle { #[cfg(feature = "mock_attestation")] impl EncryptionKeyHandle for MockEncryptionKeyHandle { - fn generate_session_keys(&self, encapsulated_public_key: &[u8]) -> anyhow::Result { + fn generate_recipient_context( + &self, + encapsulated_public_key: &[u8], + ) -> anyhow::Result { self.key.generate_recipient_context(encapsulated_public_key) } } From 0add4f46846bae0221344a09c4ff202ca2e9f269 Mon Sep 17 00:00:00 2001 From: Ivan Petrov Date: Thu, 18 Jan 2024 16:46:04 +0000 Subject: [PATCH 4/5] Update --- oak_attestation/src/handler.rs | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/oak_attestation/src/handler.rs b/oak_attestation/src/handler.rs index 99e9745516a..74cb531a7da 100644 --- a/oak_attestation/src/handler.rs +++ b/oak_attestation/src/handler.rs @@ -41,14 +41,14 @@ pub struct PublicKeyInfo { /// based on the provided encryption key. pub struct EncryptionHandler) -> Vec> { // TODO(#3442): Use attester to attest to the public key. - encryption_key: Arc, + encryption_key_handle: Arc, request_handler: H, } impl) -> Vec> EncryptionHandler { - pub fn create(encryption_key: Arc, request_handler: H) -> Self { + pub fn create(encryption_key_handle: Arc, request_handler: H) -> Self { Self { - encryption_key, + encryption_key_handle, request_handler, } } @@ -63,7 +63,7 @@ impl) -> Vec> EncryptionHandler { .context("initial request message doesn't contain encapsulated public key")?; let mut server_encryptor = ServerEncryptor::create( serialized_encapsulated_public_key, - self.encryption_key.clone(), + self.encryption_key_handle.clone(), ) .context("couldn't create server encryptor")?; From ce758d342bf2c0f494df783b5153851820d7825e Mon Sep 17 00:00:00 2001 From: Ivan Petrov Date: Thu, 18 Jan 2024 16:46:55 +0000 Subject: [PATCH 5/5] Update --- oak_crypto/src/encryptor.rs | 2 -- 1 file changed, 2 deletions(-) diff --git a/oak_crypto/src/encryptor.rs b/oak_crypto/src/encryptor.rs index 2d86450f05c..ce3dab09626 100644 --- a/oak_crypto/src/encryptor.rs +++ b/oak_crypto/src/encryptor.rs @@ -124,7 +124,6 @@ impl EncryptionKeyHandle for EncryptionKeyProvider { } #[async_trait] -// #[async_trait(?Send)] pub trait AsyncEncryptionKeyHandle { async fn generate_recipient_context( &self, @@ -133,7 +132,6 @@ pub trait AsyncEncryptionKeyHandle { } #[async_trait] -// #[async_trait(?Send)] impl AsyncEncryptionKeyHandle for EncryptionKeyProvider { async fn generate_recipient_context( &self,