Parse and verify certificate for AmdSevSnpTransparentDiceAttestationVerifier

This changes adds the remaining verification logic for the
`AmdSevSnpTransparentDiceAttestationVerifier` verifier. In addition to
verifying the transparent evidence, it will also verify that the
`Evidence.signed_user_data_certificate` was signed by the final layer's
key and extract the bytes. It places these bytes into an
`EventAttestationResults` proto with a single entry. The key to this
entry is "user-data-payload" which is hardcoded.

Bug: 483663538
Change-Id: I036e106fc366d7c1eda8ce2c19f318858df912ad

Author: pmcgrath17

oak_attestation_verification/src/results.rs

@@ -39,6 +39,10 @@ const HYBRID_ENCRYPTION_PUBLIC_KEY_ID: &str = "oak-hybrid-encryption-public-key:
 /// signed by the enclave.
 const SIGNING_PUBLIC_KEY_ID: &str = "oak-signing-public-key:ecdsa-p256";
 
+/// Denotes an artifact ID of the user data payload extracted from the signed
+/// user data certificate in the attestation evidence.
+const USER_DATA_PAYLOAD_ID: &str = "user-data-payload";
+
 pub fn get_initial_measurement(results: &EventAttestationResults) -> Option<&Vec<u8>> {
     results.artifacts.get(INITIAL_MEASUREMENT_ID)
 }
@@ -85,6 +89,10 @@ pub fn set_signing_public_key(results: &mut EventAttestationResults, key: &[u8])
     results.artifacts.insert(SIGNING_PUBLIC_KEY_ID.to_string(), key.to_vec());
 }
 
+pub fn set_user_data_payload(results: &mut EventAttestationResults, payload: &[u8]) {
+    results.artifacts.insert(USER_DATA_PAYLOAD_ID.to_string(), payload.to_vec());
+}
+
 /// Returns a reference to the event artifact in the attestation results
 /// specified by the given ID, or an error if that reference does not exist,
 /// or if there is more than a single reference (`artifact_id` key exists

oak_attestation_verification/src/verifier.rs

@@ -24,8 +24,9 @@ use ecdsa::{Signature, signature::Verifier};
 use oak_attestation_verification_types::verifier::AttestationVerifier;
 use oak_dice::cert::{cose_key_to_verifying_key, get_public_key_from_claims_set};
 use oak_proto_rust::oak::attestation::v1::{
-    AttestationResults, Endorsements, EventLog, Evidence, ExpectedValues, ExtractedEvidence,
-    LayerEvidence, ReferenceValues, attestation_results::Status, endorsements, expected_values,
+    AttestationResults, Endorsements, EventAttestationResults, EventLog, Evidence, ExpectedValues,
+    ExtractedEvidence, LayerEvidence, ReferenceValues, attestation_results::Status, endorsements,
+    expected_values,
 };
 use oak_time::{Clock, Instant};
 use p256::ecdsa::VerifyingKey;
@@ -35,6 +36,7 @@ use crate::{
     expect::get_expected_values,
     extract::{EventIdType, claims_set_from_serialized_cert, extract_event_data, extract_evidence},
     platform::verify_root_attestation_signature,
+    results::set_user_data_payload,
 };
 
 // We don't use additional authenticated data.
@@ -433,6 +435,39 @@ pub fn verify_dice_chain_and_extract_evidence(
     extract_evidence(evidence)
 }
 
+/// Verifies the signed user data certificate and returns an
+/// [`EventAttestationResults`] containing the payload bytes.
+///
+/// Parses the provided `signed_user_data_certificate` bytes as a COSE_Sign1
+/// structure, verifies its signature using the given `verifying_key`, and
+/// returns the payload as an `EventAttestationResults` with the
+/// `user-data-payload` artifact key.
+pub fn verify_user_data_certificate(
+    signed_user_data_certificate: &[u8],
+    verifying_key: &VerifyingKey,
+) -> anyhow::Result<EventAttestationResults> {
+    // Parse the signed user data certificate as a COSE_Sign1 structure.
+    let user_data_cert = coset::CoseSign1::from_slice(signed_user_data_certificate)
+        .map_err(|_cose_err| anyhow::anyhow!("could not parse signed user data certificate"))?;
+
+    // Verify the signature using the provided verification key.
+    user_data_cert
+        .verify_signature(ADDITIONAL_DATA, |signature, contents| {
+            let sig = Signature::from_slice(signature)?;
+            verifying_key.verify(contents, &sig)
+        })
+        .map_err(|error| anyhow::anyhow!(error))
+        .context("verifying signed user data certificate signature")?;
+
+    // Extract the payload bytes and wrap in an EventAttestationResults.
+    let payload = user_data_cert
+        .payload
+        .ok_or_else(|| anyhow::anyhow!("no payload in signed user data certificate"))?;
+    let mut results = EventAttestationResults::default();
+    set_user_data_payload(&mut results, &payload);
+    Ok(results)
+}
+
 /// Validates that the digest of the events captured in the event log are
 /// correctly described in the claims of the associated dice layers.
 // Claim entries are under different keys for standard events and transparent

oak_attestation_verification/src/verifiers.rs

@@ -47,7 +47,7 @@ use crate::{
         system::SystemPolicy,
     },
     results::get_initial_measurement,
-    verifier::{EventLogType, verify_dice_chain},
+    verifier::{EventLogType, verify_dice_chain, verify_user_data_certificate},
 };
 
 // Base AMD SEV-SNP verifier that validates AMD SEV-SNP platform authenticity
@@ -203,10 +203,11 @@ impl AttestationVerifier for AmdSevSnpTransparentDiceAttestationVerifier {
             .context("verifying platform policy")?;
 
         // Verify DICE chain integrity.
-        // The output argument is ommited because last layer's certificate authority key
-        // is not used to sign anything.
-        let _ = verify_dice_chain(evidence, EventLogType::TransparentEventLog)
-            .context("verifying DICE chain")?;
+        // The output argument is recorded because it can be used to verify the
+        // `Evidence.signed_user_data_certificate` structure.
+        let last_layer_verifying_key =
+            verify_dice_chain(evidence, EventLogType::TransparentEventLog)
+                .context("verifying DICE chain")?;
 
         let firmware_results = self
             .base_verifier
@@ -231,6 +232,17 @@ impl AttestationVerifier for AmdSevSnpTransparentDiceAttestationVerifier {
             event_attestation_results.extend(results);
         }
 
+        // Attestation has been verified. We now verify the signed user data
+        // certificate, if present.
+        if !evidence.signed_user_data_certificate.is_empty() {
+            let user_data_result = verify_user_data_certificate(
+                &evidence.signed_user_data_certificate,
+                &last_layer_verifying_key,
+            )
+            .context("verifying signed user data certificate")?;
+            event_attestation_results.push(user_data_result);
+        }
+
         Ok(AttestationResults {
             status: Status::Success.into(),
             extracted_evidence: None,