image-rs: get public key from CDH when verifying cosign image signatures

Signed-off-by: Xynnn007 <[email protected]>
confidential-containers · Dec 15, 2023 · 8f5e6b8 · 8f5e6b8
1 parent 1dbde25
commit 8f5e6b8
Show file tree

Hide file tree

Showing 8 changed files with 471 additions and 18 deletions.
diff --git a/attestation-agent/kbs_protocol/src/token_provider/aa/attestation_agent.rs b/attestation-agent/kbs_protocol/src/token_provider/aa/attestation_agent.rs
@@ -513,8 +513,8 @@ impl ::protobuf::reflect::ProtobufValue for GetTokenResponse {
     type RuntimeType = ::protobuf::reflect::rt::RuntimeTypeMessage<Self>;
 }
 
-#[derive(PartialEq,Clone,Default,Debug)]
 // @@protoc_insertion_point(message:attestation_agent.ExtendRuntimeMeasurementRequest)
+#[derive(PartialEq,Clone,Default,Debug)]
 pub struct ExtendRuntimeMeasurementRequest {
     // message fields
     // @@protoc_insertion_point(field:attestation_agent.ExtendRuntimeMeasurementRequest.Events)
@@ -653,8 +653,8 @@ impl ::protobuf::reflect::ProtobufValue for ExtendRuntimeMeasurementRequest {
     type RuntimeType = ::protobuf::reflect::rt::RuntimeTypeMessage<Self>;
 }
 
-#[derive(PartialEq,Clone,Default,Debug)]
 // @@protoc_insertion_point(message:attestation_agent.ExtendRuntimeMeasurementResponse)
+#[derive(PartialEq,Clone,Default,Debug)]
 pub struct ExtendRuntimeMeasurementResponse {
     // special fields
     // @@protoc_insertion_point(special_field:attestation_agent.ExtendRuntimeMeasurementResponse.special_fields)

diff --git a/image-rs/Cargo.toml b/image-rs/Cargo.toml
@@ -93,6 +93,9 @@ encryption = ["ocicrypt-rs/block-cipher"]
 encryption-ring = ["ocicrypt-rs/block-cipher-ring", "encryption"]
 encryption-openssl = ["ocicrypt-rs/block-cipher-openssl", "encryption"]
 
+# Get needed image verification keys from Confidential Data Hub
+confidential-data-hub = ["dep:ttrpc", "dep:protobuf"]
+
 keywrap-cmd = ["ocicrypt-rs/keywrap-keyprovider-cmd"]
 keywrap-grpc = ["ocicrypt-rs/keywrap-keyprovider-grpc", "prost", "tonic", "tonic-build"]
 keywrap-native = ["ocicrypt-rs/keywrap-keyprovider-native", "attestation_agent"]

diff --git a/image-rs/build.rs b/image-rs/build.rs
@@ -10,18 +10,33 @@ fn main() -> Result<()> {
     tonic_build::compile_protos("./protos/getresource.proto").context("tonic build")?;
 
     #[cfg(feature = "ttrpc-codegen")]
-    ttrpc_codegen::Codegen::new()
-        .out_dir("./src/resource/kbs/ttrpc_proto")
-        .input("./protos/getresource.proto")
-        .include("./protos")
-        .rust_protobuf()
-        .customize(ttrpc_codegen::Customize {
-            async_all: true,
-            ..Default::default()
-        })
-        .rust_protobuf_customize(ttrpc_codegen::ProtobufCustomize::default().gen_mod_rs(false))
-        .run()
-        .context("ttrpc build")?;
+    {
+        ttrpc_codegen::Codegen::new()
+            .out_dir("./src/resource/kbs/ttrpc_proto")
+            .input("./protos/getresource.proto")
+            .include("./protos")
+            .rust_protobuf()
+            .customize(ttrpc_codegen::Customize {
+                async_all: true,
+                ..Default::default()
+            })
+            .rust_protobuf_customize(ttrpc_codegen::ProtobufCustomize::default().gen_mod_rs(false))
+            .run()
+            .context("ttrpc build")?;
 
+        #[cfg(all(feature = "signature-cosign", feature = "confidential-data-hub"))]
+        ttrpc_codegen::Codegen::new()
+            .out_dir("./src/signature/mechanism/cosign")
+            .input("./protos/cosign_pubkey.proto")
+            .include("./protos")
+            .rust_protobuf()
+            .customize(ttrpc_codegen::Customize {
+                async_all: true,
+                ..Default::default()
+            })
+            .rust_protobuf_customize(ttrpc_codegen::ProtobufCustomize::default().gen_mod_rs(false))
+            .run()
+            .context("ttrpc build")?;
+    }
     Ok(())
 }
diff --git a/image-rs/protos/cosign_pubkey.proto b/image-rs/protos/cosign_pubkey.proto
@@ -0,0 +1,15 @@
+syntax = "proto3";
+
+package api;
+
+message GetPublicKeyRequest {
+    string KeyId = 1;
+}
+
+message GetPublicKeyResponse {
+    bytes PublicKeyPem = 1;
+}
+
+service GetPublicKeyService {
+    rpc GetPublicKey(GetPublicKeyRequest) returns (GetPublicKeyResponse) {};
+}