Add Oak Session Low-Level SDK stub

Bug: 338559159 Change-Id: Ia07a064aa6d00d97fcf0206a26818f5e3847aafd
project-oak · May 23, 2024 · 783966f · 783966f
1 parent 04e524d
commit 783966f
Show file tree

Hide file tree

Showing 3 changed files with 185 additions and 1 deletion.
diff --git a/oak_session/src/attestation.rs b/oak_session/src/attestation.rs
@@ -14,9 +14,14 @@
 // limitations under the License.
 //
 
+//! This module provides an implementation of the Attestation Provider, which
+//! handles remote attestation between two parties.
+
+use alloc::vec::Vec;
+
 use oak_proto_rust::oak::{
     attestation::v1::{AttestationResults, Endorsements, Evidence},
-    session::v1::EndorsedEvidence,
+    session::v1::{AttestRequest, AttestResponse, EndorsedEvidence},
 };
 
 pub trait Attester {
@@ -30,3 +35,74 @@ pub trait AttestationVerifier {
         endorsements: &Endorsements,
     ) -> anyhow::Result<AttestationResults>;
 }
+
+#[allow(dead_code)]
+struct AttestationProvider<'a> {
+    self_attesters: Vec<&'a dyn Attester>,
+    peer_verifiers: Vec<&'a dyn AttestationVerifier>,
+}
+
+impl<'a> AttestationProvider<'a> {
+    pub fn new(
+        self_attesters: Vec<&'a dyn Attester>,
+        peer_verifiers: Vec<&'a dyn AttestationVerifier>,
+    ) -> Self {
+        Self { self_attesters, peer_verifiers }
+    }
+}
+
+/// Client-side Attestation Provider that initiates remote attestation with the
+/// server.
+#[allow(dead_code)]
+pub struct ClientAttestationProvider<'a> {
+    inner: AttestationProvider<'a>,
+}
+
+impl<'a> ClientAttestationProvider<'a> {
+    pub fn new(
+        self_attesters: Vec<&'a dyn Attester>,
+        peer_verifiers: Vec<&'a dyn AttestationVerifier>,
+    ) -> Self {
+        Self { inner: AttestationProvider::new(self_attesters, peer_verifiers) }
+    }
+
+    pub fn get_request(&self) -> anyhow::Result<AttestRequest> {
+        core::unimplemented!();
+    }
+
+    pub fn put_response(&self, _response: &AttestResponse) -> anyhow::Result<()> {
+        core::unimplemented!();
+    }
+
+    pub fn get_attestation_results(self) -> Option<AttestationResults> {
+        core::unimplemented!();
+    }
+}
+
+/// Server-side Attestation Provider that responds to the remote attestation
+/// request from the client.
+#[allow(dead_code)]
+pub struct ServerAttestationProvider<'a> {
+    inner: AttestationProvider<'a>,
+}
+
+impl<'a> ServerAttestationProvider<'a> {
+    pub fn new(
+        self_attesters: Vec<&'a dyn Attester>,
+        peer_verifiers: Vec<&'a dyn AttestationVerifier>,
+    ) -> Self {
+        Self { inner: AttestationProvider::new(self_attesters, peer_verifiers) }
+    }
+
+    pub fn put_request(&self, _request: &AttestRequest) -> anyhow::Result<()> {
+        core::unimplemented!();
+    }
+
+    pub fn get_response(&self) -> anyhow::Result<AttestResponse> {
+        core::unimplemented!();
+    }
+
+    pub fn get_attestation_results(self) -> Option<AttestationResults> {
+        core::unimplemented!();
+    }
+}
diff --git a/oak_session/src/handshake.rs b/oak_session/src/handshake.rs
@@ -0,0 +1,107 @@
+//
+// Copyright 2024 The Project Oak Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+//! This module provides an implementation of the Handshaker, which
+//! handles cryptographic handshake and secure session creation.
+
+use alloc::vec::Vec;
+
+use oak_proto_rust::oak::{
+    crypto::v1::SessionKeys,
+    session::v1::{HandshakeRequest, HandshakeResponse},
+};
+
+pub trait EncryptionKeyHandle {
+    fn derive_session_keys(
+        &self,
+        static_peer_public_key: &[u8],
+        ephemeral_peer_public_key: &[u8],
+    ) -> anyhow::Result<SessionKeys>;
+}
+
+pub enum HandshakeType {
+    NoiseKK,
+    NoiseNK,
+}
+
+/// Client-side Handshaker that initiates the crypto handshake with the server.
+#[allow(dead_code)]
+pub struct ClientHandshaker<'a> {
+    handshake_type: HandshakeType,
+    self_static_private_key: Option<&'a dyn EncryptionKeyHandle>,
+    peer_static_public_key: Option<Vec<u8>>,
+}
+
+impl<'a> ClientHandshaker<'a> {
+    pub fn new(
+        handshake_type: HandshakeType,
+        self_static_private_key: Option<&'a dyn EncryptionKeyHandle>,
+        peer_static_public_key: Option<&[u8]>,
+    ) -> Self {
+        Self {
+            handshake_type,
+            self_static_private_key,
+            peer_static_public_key: peer_static_public_key.map(|k| k.to_vec()),
+        }
+    }
+
+    pub fn get_request(&mut self) -> anyhow::Result<HandshakeRequest> {
+        core::unimplemented!();
+    }
+
+    pub fn put_response(&mut self, _response: HandshakeResponse) -> anyhow::Result<()> {
+        core::unimplemented!();
+    }
+
+    pub fn derive_session_keys(self) -> Option<SessionKeys> {
+        core::unimplemented!();
+    }
+}
+
+/// Server-side Attestation Provider that responds to the crypto handshake
+/// request from the client.
+#[allow(dead_code)]
+pub struct ServerHandshaker<'a> {
+    handshake_type: HandshakeType,
+    self_static_private_key: Option<&'a dyn EncryptionKeyHandle>,
+    peer_static_public_key: Option<Vec<u8>>,
+}
+
+impl<'a> ServerHandshaker<'a> {
+    pub fn new(
+        handshake_type: HandshakeType,
+        self_static_private_key: Option<&'a dyn EncryptionKeyHandle>,
+        peer_static_public_key: Option<&[u8]>,
+    ) -> Self {
+        Self {
+            handshake_type,
+            self_static_private_key,
+            peer_static_public_key: peer_static_public_key.map(|k| k.to_vec()),
+        }
+    }
+
+    pub fn put_request(&mut self, _request: HandshakeRequest) -> anyhow::Result<()> {
+        core::unimplemented!();
+    }
+
+    pub fn get_response(&mut self) -> anyhow::Result<HandshakeResponse> {
+        core::unimplemented!();
+    }
+
+    pub fn derive_session_keys(self) -> Option<SessionKeys> {
+        core::unimplemented!();
+    }
+}
diff --git a/oak_session/src/lib.rs b/oak_session/src/lib.rs
@@ -23,6 +23,7 @@ extern crate std;
 
 pub mod attestation;
 pub mod config;
+pub mod handshake;
 mod session;
 
 pub use session::{ClientSession, ServerSession, Session};