Add Signing Key Handle to Oak Containers C++ SDK

Bug: 345761932
Change-Id: I3e32af292440b385cbd323a696624fd7f52bd318

cc/containers/sdk/BUILD

@@ -67,3 +67,16 @@ cc_library(
         "@com_google_absl//absl/strings",
     ],
 )
+
+cc_library(
+    name = "signing_key_handle",
+    srcs = ["signing_key_handle.cc"],
+    hdrs = ["signing_key_handle.h"],
+    deps = [
+        ":orchestrator_crypto_client",
+        "//cc/crypto:signing_key",
+        "//proto/crypto:crypto_cc_proto",
+        "@com_google_absl//absl/status:statusor",
+        "@com_google_absl//absl/strings",
+    ],
+)

cc/containers/sdk/orchestrator_crypto_client.cc

@@ -21,6 +21,7 @@
 
 #include "absl/status/status.h"
 #include "absl/status/statusor.h"
+#include "absl/strings/str_cat.h"
 #include "absl/strings/string_view.h"
 #include "cc/containers/sdk/common.h"
 #include "grpcpp/client_context.h"
@@ -31,11 +32,14 @@
 namespace oak::containers::sdk {
 
 namespace {
-using ::grpc::ClientContext;
+using grpc::ClientContext;
 using ::oak::containers::v1::DeriveSessionKeysRequest;
 using ::oak::containers::v1::DeriveSessionKeysResponse;
 using ::oak::containers::v1::KeyOrigin;
+using ::oak::containers::v1::SignRequest;
+using ::oak::containers::v1::SignResponse;
 using ::oak::crypto::v1::SessionKeys;
+using ::oak::crypto::v1::Signature;
 }  // namespace
 
 absl::StatusOr<SessionKeys> OrchestratorCryptoClient::DeriveSessionKeys(
@@ -49,13 +53,33 @@ absl::StatusOr<SessionKeys> OrchestratorCryptoClient::DeriveSessionKeys(
       serialized_encapsulated_public_key);
   DeriveSessionKeysResponse response;
 
-  ::grpc::Status status =
-      stub_->DeriveSessionKeys(&context, request, &response);
+  grpc::Status status = stub_->DeriveSessionKeys(&context, request, &response);
   if (!status.ok()) {
-    return absl::InternalError("couldn't derive session keys");
+    return absl::InternalError(
+        absl::StrCat("couldn't derive session keys: code=", status.error_code(),
+                     ", message=", status.error_message()));
   }
 
   return response.session_keys();
 }
 
+absl::StatusOr<Signature> OrchestratorCryptoClient::Sign(
+    KeyOrigin key_origin, absl::string_view message) const {
+  ClientContext context;
+  context.set_authority(kContextAuthority);
+  SignRequest request;
+  request.set_key_origin(key_origin);
+  request.set_message(message);
+  SignResponse response;
+
+  grpc::Status status = stub_->Sign(&context, request, &response);
+  if (!status.ok()) {
+    return absl::InternalError(
+        absl::StrCat("couldn't sign message: code=", status.error_code(),
+                     ", message=", status.error_message()));
+  }
+
+  return response.signature();
+}
+
 }  // namespace oak::containers::sdk

cc/containers/sdk/orchestrator_crypto_client.h

@@ -40,6 +40,10 @@ class OrchestratorCryptoClient {
       ::oak::containers::v1::KeyOrigin key_origin,
       absl::string_view serialized_encapsulated_public_key) const;
 
+  absl::StatusOr<::oak::crypto::v1::Signature> Sign(
+      ::oak::containers::v1::KeyOrigin key_origin,
+      absl::string_view message) const;
+
  private:
   explicit OrchestratorCryptoClient(
       const std::shared_ptr<grpc::Channel>& channel)

cc/containers/sdk/signing_key_handle.cc

@@ -0,0 +1,39 @@
+/*
+ * Copyright 2024 The Project Oak Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "cc/containers/sdk/signing_key_handle.h"
+
+#include "absl/status/statusor.h"
+#include "absl/strings/string_view.h"
+
+namespace oak::containers::sdk {
+
+namespace {
+using ::oak::containers::v1::KeyOrigin;
+using ::oak::crypto::v1::Signature;
+}  // namespace
+
+absl::StatusOr<Signature> InstanceSigningKeyHandle::Sign(
+    absl::string_view message) {
+  return orchestrator_crypto_client_.Sign(KeyOrigin::INSTANCE, message);
+}
+
+absl::StatusOr<Signature> GroupSigningKeyHandle::Sign(
+    absl::string_view message) {
+  return orchestrator_crypto_client_.Sign(KeyOrigin::GROUP, message);
+}
+
+}  // namespace oak::containers::sdk

cc/containers/sdk/signing_key_handle.h

@@ -0,0 +1,47 @@
+/*
+ * Copyright 2024 The Project Oak Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef CC_CONTAINERS_SDK_SIGNING_KEY_HANDLE_H_
+#define CC_CONTAINERS_SDK_SIGNING_KEY_HANDLE_H_
+
+#include "absl/status/statusor.h"
+#include "absl/strings/string_view.h"
+#include "cc/containers/sdk/orchestrator_crypto_client.h"
+#include "cc/crypto/signing_key.h"
+
+namespace oak::containers::sdk {
+
+class InstanceSigningKeyHandle : public ::oak::crypto::SigningKeyHandle {
+ public:
+  absl::StatusOr<::oak::crypto::v1::Signature> Sign(
+      absl::string_view message) override;
+
+ private:
+  OrchestratorCryptoClient orchestrator_crypto_client_;
+};
+
+class GroupSigningKeyHandle : public ::oak::crypto::SigningKeyHandle {
+ public:
+  absl::StatusOr<::oak::crypto::v1::Signature> Sign(
+      absl::string_view message) override;
+
+ private:
+  OrchestratorCryptoClient orchestrator_crypto_client_;
+};
+
+}  // namespace oak::containers::sdk
+
+#endif  // THIRD_PARTY_OAK_CC_CONTAINERS_SIGNING_KEY_HANDLE_H_

cc/crypto/BUILD

@@ -70,6 +70,17 @@ cc_library(
     ],
 )
 
+cc_library(
+    name = "signing_key",
+    hdrs = ["signing_key.h"],
+    deps = [
+        ":common",
+        "//proto/crypto:crypto_cc_proto",
+        "@com_google_absl//absl/status:statusor",
+        "@com_google_absl//absl/strings",
+    ],
+)
+
 cc_test(
     name = "encryptor_test",
     size = "small",

cc/crypto/signing_key.h

@@ -0,0 +1,36 @@
+/*
+ * Copyright 2024 The Project Oak Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef CC_CRYPTO_SIGNING_KEY_H_
+#define CC_CRYPTO_SIGNING_KEY_H_
+
+#include "absl/status/statusor.h"
+#include "absl/strings/string_view.h"
+#include "proto/crypto/crypto.pb.h"
+
+namespace oak::crypto {
+
+class SigningKeyHandle {
+ public:
+  virtual absl::StatusOr<::oak::crypto::v1::Signature> Sign(
+      absl::string_view message) = 0;
+
+  virtual ~SigningKeyHandle() = default;
+};
+
+}  // namespace oak::crypto
+
+#endif  // CC_CRYPTO_SIGNING_KEY_H_