[dice] Add API to derive CDI_Leaf_Priv from DiceArtifacts

This function will be uses in several places for pVM
remote attestation.

Bug: 303807447
Test: atest libdiced_sample_inputs.integration_test \
libdiced_sample_inputs_nostd.integration_test

Change-Id: I6f45ff35c6e48eb42a32d28c1eb3e851859db655

diced/open_dice/src/lib.rs

@@ -40,7 +40,9 @@ pub use dice::{
     PublicKey, Signature, CDI_SIZE, HASH_SIZE, HIDDEN_SIZE, ID_SIZE, PRIVATE_KEY_SEED_SIZE,
 };
 pub use error::{DiceError, Result};
-pub use ops::{generate_certificate, hash, kdf, keypair_from_seed, sign, verify};
+pub use ops::{
+    derive_cdi_leaf_priv, generate_certificate, hash, kdf, keypair_from_seed, sign, verify,
+};
 #[cfg(feature = "alloc")]
 pub use retry::{
     retry_bcc_format_config_descriptor, retry_bcc_main_flow, retry_dice_main_flow,

diced/open_dice/src/ops.rs

@@ -17,8 +17,8 @@
 //! main DICE functions depend on.
 
 use crate::dice::{
-    Hash, InputValues, PrivateKey, PublicKey, Signature, HASH_SIZE, PRIVATE_KEY_SEED_SIZE,
-    PRIVATE_KEY_SIZE, PUBLIC_KEY_SIZE, SIGNATURE_SIZE,
+    derive_cdi_private_key_seed, DiceArtifacts, Hash, InputValues, PrivateKey, PublicKey,
+    Signature, HASH_SIZE, PRIVATE_KEY_SEED_SIZE, PRIVATE_KEY_SIZE, PUBLIC_KEY_SIZE, SIGNATURE_SIZE,
 };
 use crate::error::{check_result, Result};
 use open_dice_cbor_bindgen::{
@@ -91,6 +91,16 @@ pub fn keypair_from_seed(seed: &[u8; PRIVATE_KEY_SEED_SIZE]) -> Result<(PublicKe
     Ok((public_key, private_key))
 }
 
+/// Derives the CDI_Leaf_Priv from the provided `dice_artifacts`.
+///
+/// The corresponding public key is included in the leaf certificate of the DICE chain
+/// contained in `dice_artifacts`.
+pub fn derive_cdi_leaf_priv(dice_artifacts: &dyn DiceArtifacts) -> Result<PrivateKey> {
+    let cdi_priv_key_seed = derive_cdi_private_key_seed(dice_artifacts.cdi_attest())?;
+    let (_, private_key) = keypair_from_seed(cdi_priv_key_seed.as_array())?;
+    Ok(private_key)
+}
+
 /// Signs the `message` with the give `private_key` using `DiceSign`.
 pub fn sign(message: &[u8], private_key: &[u8; PRIVATE_KEY_SIZE]) -> Result<Signature> {
     let mut signature = [0u8; SIGNATURE_SIZE];

diced/sample_inputs/Android.bp

@@ -60,6 +60,10 @@ rust_defaults {
     crate_name: "diced_sample_inputs_test",
     srcs: ["tests/*.rs"],
     test_suites: ["general-tests"],
+    rustlibs: [
+        "libanyhow",
+        "libhwtrust",
+    ],
 }
 
 rust_test {

diced/sample_inputs/tests/api_test.rs

@@ -14,8 +14,10 @@
  * limitations under the License.
  */
 
-use diced_open_dice::DiceArtifacts;
+use anyhow::Result;
+use diced_open_dice::{derive_cdi_leaf_priv, sign, DiceArtifacts};
 use diced_sample_inputs::make_sample_bcc_and_cdis;
+use hwtrust::{dice, session::Session};
 
 const EXPECTED_SAMPLE_CDI_ATTEST: &[u8] = &[
     0x3e, 0x57, 0x65, 0x5d, 0x48, 0x02, 0xbd, 0x5c, 0x66, 0xcc, 0x1f, 0x0f, 0xbe, 0x5e, 0x32, 0xb6,
@@ -121,6 +123,7 @@ const EXPECTED_SAMPLE_BCC: &[u8] = &[
     0x78, 0x76, 0xab, 0xd0, 0xbe, 0xfc, 0xe4, 0x79, 0xcb, 0x1b, 0x2b, 0xaa, 0x4d, 0xdd, 0x15, 0x61,
     0x42, 0x06,
 ];
+const MESSAGE: &[u8] = b"Message for testing";
 
 #[test]
 fn sample_bcc_and_cdis_are_as_expected() {
@@ -129,3 +132,15 @@ fn sample_bcc_and_cdis_are_as_expected() {
     assert_eq!(dice_artifacts.cdi_seal(), EXPECTED_SAMPLE_CDI_SEAL);
     assert_eq!(dice_artifacts.bcc(), Some(EXPECTED_SAMPLE_BCC));
 }
+
+#[test]
+fn cdi_leaf_priv_corresponds_to_leaf_public_key_in_dice_chain() -> Result<()> {
+    let dice_artifacts = make_sample_bcc_and_cdis().unwrap();
+    let private_key = derive_cdi_leaf_priv(&dice_artifacts).unwrap();
+    let signature = sign(MESSAGE, private_key.as_array()).unwrap();
+
+    let session = Session::default();
+    let chain = dice::Chain::from_cbor(&session, dice_artifacts.bcc().unwrap())?;
+    let public_key = chain.leaf().subject_public_key();
+    public_key.verify(&signature, MESSAGE)
+}