attest-data: Make Nonce type a bit more amenable to different lengths. (#348)

For the eventual reality of supporting smaller/bigger/variable-sized nonces.

* attest-data: Make Nonce type a bit more amenable to different lengths.
* verifier/hiffy: don't used mismatched nonce type
* verifier: fix VerifyAttestationError::VerificationFailed error message
* verifier: reexport Measurment enum

Author: luqmana

attest-data/src/lib.rs

@@ -36,11 +36,6 @@ pub mod messages;
 pub enum AttestDataError {
     #[cfg_attr(feature = "std", error("Deserialization failed"))]
     Deserialize,
-    #[cfg_attr(
-        feature = "std",
-        error("Failed to get random Nonce from the platform")
-    )]
-    GetRandom,
     #[cfg_attr(feature = "std", error("Slice is the wrong length"))]
     TryFromSliceError,
     #[cfg_attr(
@@ -52,6 +47,18 @@ pub enum AttestDataError {
     TaggedDigest,
 }
 
+#[cfg_attr(feature = "std", derive(Error))]
+#[derive(Debug, PartialEq)]
+pub enum NonceError {
+    #[cfg_attr(feature = "std", error("unsupported Nonce length ({0})"))]
+    UnsupportedLen(usize),
+    #[cfg_attr(
+        feature = "std",
+        error("Failed to get random Nonce from the platform")
+    )]
+    GetRandom,
+}
+
 /// Array is the type we use as a base for types that are constant sized byte
 /// buffers.
 #[serde_as]
@@ -117,40 +124,105 @@ impl<const N: usize> AsRef<[u8]> for Array<N> {
 const SHA3_256_DIGEST_SIZE: usize =
     <Sha3_256Core as OutputSizeUser>::OutputSize::USIZE;
 
-const NONCE_SIZE: usize = SHA3_256_DIGEST_SIZE;
-
 /// An array of bytes sized appropriately for a sha3-256 digest.
 pub type Sha3_256Digest = Array<SHA3_256_DIGEST_SIZE>;
 
 /// An array of bytes sized appropriately for a sha3-256 digest.
 pub type Ed25519Signature = Array<SIGNATURE_SERIALIZED_LENGTH>;
 
-/// Nonce is a newtype around an appropriately sized byte array.
-pub type Nonce = Array<NONCE_SIZE>;
+pub type Nonce32 = Array<SHA3_256_DIGEST_SIZE>;
+
+/// A Nonce is supplied as part of the attestation challenge to guarantee
+/// freshness. Callers are expected to use a random Nonce with a length that's
+/// appropriate for the specific digest and signing algorithms in use. We may
+/// in the future extend this to accept arbitrarily sized values.
+#[derive(
+    Copy,
+    Clone,
+    Debug,
+    Deserialize,
+    PartialEq,
+    // The current RoT Attest API takes the nonce bytes directly (i.e. a
+    // `Nonce32`/`Array<32>`) rather than this more generic `Nonce` type.
+    // To prevent accidentally accepting this type where it currently shouldn't
+    // be accepted, we omit these for now until hubris#2375 is fixed.
+    // Serialize, SerializedSize,
+)]
+pub enum Nonce {
+    /// A 32-byte Nonce value.
+    N32(Nonce32),
+}
 
 #[cfg(feature = "std")]
 impl fmt::Display for Nonce {
     fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
-        let mut out: Vec<String> = Vec::new();
+        write!(f, "Nonce({})", hex::encode(self.as_ref()))
+    }
+}
+
+impl Nonce {
+    #[cfg(feature = "std")]
+    pub fn from_platform_rng(len: usize) -> Result<Self, NonceError> {
+        // We currently only support 32-byte Nonce's
+        if len != Nonce32::LENGTH {
+            return Err(NonceError::UnsupportedLen(len));
+        }
+        let mut nonce = Array([0u8; Nonce32::LENGTH]);
+        getrandom::fill(nonce.0.as_mut_slice())
+            .map_err(|_| NonceError::GetRandom)?;
+        Ok(Nonce::N32(nonce))
+    }
+}
+
+#[cfg(feature = "std")]
+impl AsRef<[u8]> for Nonce {
+    fn as_ref(&self) -> &[u8] {
+        match self {
+            Nonce::N32(n) => n.as_ref(),
+        }
+    }
+}
 
-        for byte in self.0 {
-            out.push(format!("{byte}"));
+impl TryFrom<&[u8]> for Nonce {
+    type Error = NonceError;
+
+    fn try_from(item: &[u8]) -> Result<Self, Self::Error> {
+        match item.len() {
+            Nonce32::LENGTH => {
+                // SAFETY: We've already checked the length is correct.
+                Ok(Nonce::N32(item.try_into().unwrap()))
+            }
+            len => Err(NonceError::UnsupportedLen(len)),
         }
-        let out = out.join(" ");
+    }
+}
+
+#[cfg(feature = "std")]
+impl TryFrom<Vec<u8>> for Nonce {
+    type Error = NonceError;
 
-        write!(f, "[{out}]")
+    fn try_from(item: Vec<u8>) -> Result<Self, Self::Error> {
+        item[..].try_into()
     }
 }
 
-impl Nonce {
-    #[cfg(feature = "std")]
-    pub fn from_platform_rng() -> Result<Self, AttestDataError> {
-        let mut nonce = [0u8; NONCE_SIZE];
-        getrandom::fill(&mut nonce[..])
-            .map_err(|_| AttestDataError::GetRandom)?;
-        let nonce = nonce;
+impl TryFrom<Nonce> for Nonce32 {
+    type Error = NonceError;
+
+    fn try_from(item: Nonce) -> Result<Nonce32, Self::Error> {
+        match item {
+            Nonce::N32(n) => Ok(n),
+        }
+    }
+}
+
+impl<'a> TryFrom<&'a Nonce> for &'a Nonce32 {
+    type Error = NonceError;
 
-        Ok(Self(nonce))
+    fn try_from(item: &Nonce) -> Result<&Nonce32, Self::Error> {
+        match item {
+            Nonce::N32(n) => Ok(n),
+        }
     }
 }
 
@@ -437,4 +509,24 @@ mod tests {
         }
         assert_eq!(count, 1);
     }
+
+    #[cfg(feature = "std")]
+    #[test]
+    fn nonce_from_bytes() {
+        let empty_nonce = Nonce::try_from([].as_ref());
+        assert_eq!(empty_nonce, Err(NonceError::UnsupportedLen(0)));
+
+        let short_nonce = Nonce::try_from([1].as_ref());
+        assert_eq!(short_nonce, Err(NonceError::UnsupportedLen(1)));
+
+        let n32 = [0; 32];
+        let nonce = Nonce::try_from(n32.as_ref()).expect("32-byte Nonce");
+        assert_eq!(nonce, Nonce::N32(Array(n32)));
+
+        let nonce32 = Nonce32::try_from(nonce);
+        assert_eq!(nonce32, Ok(Array(n32)));
+
+        let _ = Nonce::from_platform_rng(Nonce32::LENGTH)
+            .expect("random 32-byte Nonce");
+    }
 }

attest-data/src/messages.rs

@@ -2,7 +2,7 @@
 // License, v. 2.0. If a copy of the MPL was not distributed with this
 // file, You can obtain one at https://mozilla.org/MPL/2.0/.
 
-use crate::{NONCE_SIZE, SHA3_256_DIGEST_SIZE};
+use crate::{Nonce32, SHA3_256_DIGEST_SIZE};
 use hubpack::error::Error as HubpackError;
 use hubpack::SerializedSize;
 use serde::{de::DeserializeOwned, Deserialize, Serialize};
@@ -18,7 +18,8 @@ pub const ATTEST_MAGIC: u32 = 0xA77E5700;
 const fn const_max(a: usize, b: usize) -> usize {
     [a, b][(a < b) as usize]
 }
-pub const MAX_DATA_LEN: usize = const_max(NONCE_SIZE, SHA3_256_DIGEST_SIZE);
+pub const MAX_DATA_LEN: usize =
+    const_max(Nonce32::LENGTH, SHA3_256_DIGEST_SIZE);
 
 pub const MAX_REQUEST_SIZE: usize =
     HostRotHeader::MAX_SIZE + HostToRotCommand::MAX_SIZE + MAX_DATA_LEN;
@@ -270,7 +271,7 @@ pub fn parse_message(
             }
         }
         HostToRotCommand::Attest => {
-            if leftover.len() != NONCE_SIZE {
+            if leftover.len() != Nonce32::LENGTH {
                 return Err(HostToRotError::IncorrectDataLen);
             }
         }

verifier-cli/src/main.rs

@@ -3,7 +3,7 @@
 // file, You can obtain one at https://mozilla.org/MPL/2.0/.
 
 use anyhow::{anyhow, Context, Result};
-use attest_data::{Attestation, Log, Nonce};
+use attest_data::{Attestation, Log, Nonce, Nonce32};
 use clap::{Parser, Subcommand, ValueEnum};
 use dice_mfg_msgs::PlatformId;
 #[cfg(feature = "ipcc")]
@@ -398,8 +398,8 @@ fn verify(
 ) -> Result<PlatformId> {
     // generate nonce from RNG
     info!("getting Nonce from platform RNG");
-    let nonce =
-        Nonce::from_platform_rng().context("Nonce from platform RNG")?;
+    let nonce = Nonce::from_platform_rng(Nonce32::LENGTH)
+        .context("Nonce from platform RNG")?;
 
     // write nonce to temp dir
     let nonce_path = work_dir.join("nonce.bin");

verifier/src/hiffy.rs

@@ -2,7 +2,7 @@
 // License, v. 2.0. If a copy of the MPL was not distributed with this
 // file, You can obtain one at https://mozilla.org/MPL/2.0/.
 
-use attest_data::{Attestation, Log, Nonce};
+use attest_data::{Attestation, Log, Nonce, Nonce32};
 use hubpack::SerializedSize;
 use sha3::{Digest, Sha3_256};
 use std::{
@@ -23,7 +23,7 @@ pub trait AttestSprot {
     fn attest_len(&self) -> Result<u32, AttestHiffyError>;
     fn attest(
         &self,
-        nonce: &Nonce,
+        nonce: &Nonce32,
         out: &mut [u8],
     ) -> Result<(), AttestHiffyError>;
     fn cert_chain_len(&self) -> Result<u32, AttestHiffyError>;
@@ -34,7 +34,7 @@ pub trait AttestSprot {
     fn record(&self, data: &[u8]) -> Result<(), AttestHiffyError>;
 }
 
-/// The `AttestHiffy` type can speak to the `Attest` tasks eaither the RoT
+/// The `AttestHiffy` type can speak to the `Attest` tasks via either the RoT
 /// directly or through SpRot task in the SP. This enum is used to control
 /// which.
 #[derive(Clone, Debug)]
@@ -166,13 +166,13 @@ impl AttestHiffy {
 impl AttestSprot for AttestHiffy {
     fn attest(
         &self,
-        nonce: &Nonce,
+        nonce: &Nonce32,
         out: &mut [u8],
     ) -> Result<(), AttestHiffyError> {
         let mut attestation_tmp = tempfile::NamedTempFile::new()?;
         let mut nonce_tmp = tempfile::NamedTempFile::new()?;
 
-        let mut buf = [0u8; Nonce::MAX_SIZE];
+        let mut buf = [0u8; Nonce32::MAX_SIZE];
         hubpack::serialize(&mut buf, &nonce)
             .map_err(AttestHiffyError::Serialize)?;
         nonce_tmp.write_all(&buf)?;
@@ -324,6 +324,7 @@ impl Attest for AttestHiffy {
     }
 
     fn attest(&self, nonce: &Nonce) -> Result<Attestation, AttestError> {
+        let nonce: &Nonce32 = nonce.try_into()?;
         let attest_len = self.attest_len()?;
         let mut out = vec![0u8; attest_len as usize];
         AttestSprot::attest(self, nonce, &mut out)?;

verifier/src/ipcc.rs

@@ -4,7 +4,7 @@
 
 use attest_data::{
     messages::{HostToRotCommand, RotToHost},
-    Attestation, Log, Nonce,
+    Attestation, Log, Nonce, Nonce32,
 };
 pub use libipcc::IpccError;
 use libipcc::{IpccHandle, IPCC_MAX_DATA_SIZE};
@@ -96,14 +96,15 @@ impl Attest for AttestIpcc {
     }
 
     fn attest(&self, nonce: &Nonce) -> Result<Attestation, AttestError> {
+        let nonce: &Nonce32 = nonce.try_into()?;
         let mut rot_message = vec![0; attest_data::messages::MAX_REQUEST_SIZE];
         let mut rot_resp = vec![0; IPCC_MAX_DATA_SIZE];
         let len = attest_data::messages::serialize(
             &mut rot_message,
             &HostToRotCommand::Attest,
             |buf| {
-                buf[..nonce.0.len()].copy_from_slice(nonce.as_ref());
-                32
+                buf[..Nonce32::LENGTH].copy_from_slice(nonce.as_ref());
+                Nonce32::LENGTH
             },
         )
         .map_err(AttestError::Serialize)?;

verifier/src/lib.rs

@@ -2,8 +2,8 @@
 // License, v. 2.0. If a copy of the MPL was not distributed with this
 // file, You can obtain one at https://mozilla.org/MPL/2.0/.
 
-use attest_data::{AttestDataError, DiceTcbInfo, Measurement, DICE_TCB_INFO};
-pub use attest_data::{Attestation, Log, Nonce};
+use attest_data::{AttestDataError, DiceTcbInfo, NonceError, DICE_TCB_INFO};
+pub use attest_data::{Attestation, Log, Measurement, Nonce, Nonce32};
 use const_oid::db::{rfc5912::ID_EC_PUBLIC_KEY, rfc8410::ID_ED_25519};
 use hubpack::SerializedSize;
 #[cfg(feature = "ipcc")]
@@ -47,6 +47,8 @@ pub enum AttestError {
     Ipcc(#[from] IpccError),
     #[error(transparent)]
     Serialize(hubpack::Error),
+    #[error(transparent)]
+    Nonce(#[from] NonceError),
 }
 
 /// The `Attest` trait is implemented by types that provide access to the RoT
@@ -550,9 +552,9 @@ pub enum VerifyAttestationError {
     Serialize(#[from] hubpack::error::Error),
     #[error("Alias public key is malformed: spki bit string has unused bits")]
     OddKey,
-    #[error("Failed to construct VerifyingKey from alias public key")]
+    #[error("Failed to construct VerifyingKey from alias public key: {0}")]
     KeyConversion(ed25519_dalek::ed25519::Error),
-    #[error("Failed to construct VerifyingKey from alias public key")]
+    #[error("Failed to verify Attestation with alias public key: {0}")]
     VerificationFailed(ed25519_dalek::ed25519::Error),
 }
 

verifier/src/mock.rs

@@ -3,7 +3,7 @@
 // file, You can obtain one at https://mozilla.org/MPL/2.0/.
 
 use crate::{Attest, AttestError};
-use attest_data::{Attestation, Ed25519Signature, Log, Nonce};
+use attest_data::{Attestation, Ed25519Signature, Log, Nonce, Nonce32};
 use ed25519_dalek::{
     pkcs8::{self, DecodePrivateKey},
     Signer, SigningKey,
@@ -64,6 +64,7 @@ impl Attest for AttestMock {
     }
 
     fn attest(&self, nonce: &Nonce) -> Result<Attestation, AttestError> {
+        let nonce: &Nonce32 = nonce.try_into()?;
         let mut buf = vec![0u8; Log::MAX_SIZE];
         let len = hubpack::serialize(&mut buf, &self.log)
             .map_err(AttestError::Serialize)?;