Declare crate for generated proto Rust code (project-oak#4701)

Cargo.toml

@@ -43,6 +43,7 @@ members = [
   "oak_functions_test_utils",
   "oak_hello_world_linux_init",
   "oak_launcher_utils",
+  "oak_proto_rust",
   "oak_restricted_kernel",
   "oak_restricted_kernel_dice",
   "oak_restricted_kernel_interface",
@@ -103,6 +104,7 @@ oak_grpc_utils = { path = "./oak_grpc_utils" }
 oak_launcher_utils = { path = "./oak_launcher_utils" }
 oak_linux_boot_params = { path = "./linux_boot_params" }
 oak_logger = { path = "./oak_functions/logger" }
+oak_proto_rust = { path = "./oak_proto_rust" }
 oak_restricted_kernel_dice = { path = "./oak_restricted_kernel_dice" }
 oak_restricted_kernel_sdk = { path = "./oak_restricted_kernel_sdk" }
 oak_restricted_kernel_sdk_proc_macro = { path = "./oak_restricted_kernel_sdk_proc_macro" }

oak_attestation_verification/Cargo.toml

@@ -20,8 +20,8 @@ getrandom = { version = "*", features = [
 ] }
 hex = { version = "*", default-features = false }
 oak_dice = { workspace = true }
+oak_proto_rust = { workspace = true }
 oak_sev_guest = { workspace = true }
-prost = { workspace = true }
 p256 = { version = "*", default-features = false, features = [
   "alloc",
   "ecdsa-core",
@@ -37,5 +37,5 @@ time = { version = "0.3.28", default-features = false, features = [
 ] }
 zerocopy = "*"
 
-[build-dependencies]
-prost-build = { workspace = true }
+[dev-dependencies]
+prost = { workspace = true }

oak_attestation_verification/src/claims.rs

@@ -23,13 +23,12 @@ extern crate alloc;
 
 use alloc::{collections::BTreeMap, string::String, vec::Vec};
 
+use oak_proto_rust::oak::HexDigest;
 use serde::Deserialize;
 #[cfg(feature = "std")]
 use serde::Serialize;
 use time::OffsetDateTime;
 
-use crate::proto::oak::HexDigest;
-
 /// PredicateType which identifies a V1 Claim, for in-toto statements.
 pub const CLAIM_V1: &str = "https://github.com/project-oak/transparent-release/claim/v1";
 

oak_attestation_verification/src/endorsement.rs

@@ -17,13 +17,13 @@
 //! Verifies binary endorsements as coming from Transparent Release.
 
 use base64::{prelude::BASE64_STANDARD, Engine as _};
+use oak_proto_rust::oak::HexDigest;
 
 use crate::{
     claims::{
         get_digest, parse_endorsement_statement, validate_endorsement, verify_validity_duration,
         EndorsementStatement,
     },
-    proto::oak::HexDigest,
     rekor::{get_rekor_log_entry_body, verify_rekor_log_entry},
     util::{convert_pem_to_raw, equal_keys, is_hex_digest_match, MatchResult},
 };

oak_attestation_verification/src/lib.rs

@@ -19,24 +19,6 @@
 
 extern crate alloc;
 
-// Inlined from tonic::include_proto in order to cut dependency on tonic.
-macro_rules! include_proto {
-    ($package: tt) => {
-        include!(concat!(env!("OUT_DIR"), concat!("/", $package, ".rs")));
-    };
-}
-
-pub mod proto {
-    pub mod oak {
-        include_proto!("oak");
-        pub mod attestation {
-            pub mod v1 {
-                include_proto!("oak.attestation.v1");
-            }
-        }
-    }
-}
-
 pub mod claims;
 pub mod endorsement;
 pub mod rekor;

oak_attestation_verification/src/util.rs

@@ -19,11 +19,10 @@ use core::{cmp::Ordering, str::FromStr};
 
 use base64::{prelude::BASE64_STANDARD, Engine as _};
 use ecdsa::{signature::Verifier, Signature};
+use oak_proto_rust::oak::{HexDigest, RawDigest};
 use p256::ecdsa::VerifyingKey;
 use sha2::{Digest, Sha256, Sha384, Sha512};
 
-use crate::proto::oak::{HexDigest, RawDigest};
-
 const PEM_HEADER: &str = "-----BEGIN PUBLIC KEY-----";
 const PEM_FOOTER: &str = "-----END PUBLIC KEY-----";
 

oak_attestation_verification/src/verifier.rs

@@ -27,29 +27,28 @@ use oak_dice::cert::{
     LAYER_2_CODE_MEASUREMENT_ID, LAYER_3_CODE_MEASUREMENT_ID, LAYER_3_CONFIG_MEASUREMENT_ID,
     MEMORY_MAP_MEASUREMENT_ID, SETUP_DATA_MEASUREMENT_ID, SHA2_256_ID, SYSTEM_IMAGE_LAYER_ID,
 };
+use oak_proto_rust::oak::{
+    attestation::v1::{
+        attestation_results::Status, binary_reference_value, endorsements, reference_values,
+        AmdSevReferenceValues, ApplicationKeys, ApplicationLayerEndorsements,
+        ApplicationLayerReferenceValues, AttestationResults, BinaryReferenceValue, CbEndorsements,
+        CbReferenceValues, ContainerLayerEndorsements, ContainerLayerReferenceValues, Endorsements,
+        Evidence, IntelTdxReferenceValues, KernelLayerEndorsements, KernelLayerReferenceValues,
+        LayerEvidence, OakContainersEndorsements, OakContainersReferenceValues,
+        OakRestrictedKernelEndorsements, OakRestrictedKernelReferenceValues, ReferenceValues,
+        RootLayerEndorsements, RootLayerEvidence, RootLayerReferenceValues,
+        SystemLayerEndorsements, SystemLayerReferenceValues, TeePlatform,
+        TransparentReleaseEndorsement,
+    },
+    RawDigest,
+};
 use oak_sev_guest::guest::{AttestationReport, PolicyFlags};
 use zerocopy::FromBytes;
 
 use crate::{
     alloc::string::ToString,
     claims::{get_digest, parse_endorsement_statement},
     endorsement::verify_binary_endorsement,
-    proto::oak::{
-        attestation::v1::{
-            attestation_results::Status, binary_reference_value, endorsements, reference_values,
-            AmdSevReferenceValues, ApplicationKeys, ApplicationLayerEndorsements,
-            ApplicationLayerReferenceValues, AttestationResults, BinaryReferenceValue,
-            CbEndorsements, CbReferenceValues, ContainerLayerEndorsements,
-            ContainerLayerReferenceValues, Endorsements, Evidence, IntelTdxReferenceValues,
-            KernelLayerEndorsements, KernelLayerReferenceValues, LayerEvidence,
-            OakContainersEndorsements, OakContainersReferenceValues,
-            OakRestrictedKernelEndorsements, OakRestrictedKernelReferenceValues, ReferenceValues,
-            RootLayerEndorsements, RootLayerEvidence, RootLayerReferenceValues,
-            SystemLayerEndorsements, SystemLayerReferenceValues, TeePlatform,
-            TransparentReleaseEndorsement,
-        },
-        RawDigest,
-    },
     util::{
         hex_to_raw_digest, is_hex_digest_match, is_raw_digest_match, raw_to_hex_digest, MatchResult,
     },
@@ -63,21 +62,21 @@ pub struct DiceChainResult {
     pub signing_public_key: Vec<u8>,
 }
 
-impl From<&anyhow::Result<DiceChainResult>> for AttestationResults {
-    fn from(value: &anyhow::Result<DiceChainResult>) -> Self {
-        match value {
-            Ok(dice_chain_result) => AttestationResults {
-                status: Status::Success.into(),
-                encryption_public_key: dice_chain_result.encryption_public_key.clone(),
-                signing_public_key: dice_chain_result.signing_public_key.clone(),
-                ..Default::default()
-            },
-            Err(err) => AttestationResults {
-                status: Status::GenericFailure.into(),
-                reason: err.to_string(),
-                ..Default::default()
-            },
-        }
+pub fn to_attestation_results(
+    verify_result: &anyhow::Result<DiceChainResult>,
+) -> AttestationResults {
+    match verify_result {
+        Ok(dice_chain_result) => AttestationResults {
+            status: Status::Success.into(),
+            encryption_public_key: dice_chain_result.encryption_public_key.clone(),
+            signing_public_key: dice_chain_result.signing_public_key.clone(),
+            ..Default::default()
+        },
+        Err(err) => AttestationResults {
+            status: Status::GenericFailure.into(),
+            reason: err.to_string(),
+            ..Default::default()
+        },
     }
 }
 

oak_attestation_verification/tests/endorsement_tests.rs

@@ -25,10 +25,10 @@ use oak_attestation_verification::{
         verify_binary_digest, verify_binary_endorsement, verify_endorsement_statement,
         verify_endorser_public_key,
     },
-    proto::oak::HexDigest,
     rekor::{verify_rekor_log_entry, verify_rekor_signature},
     util::{convert_pem_to_raw, MatchResult},
 };
+use oak_proto_rust::oak::HexDigest;
 
 const BINARY_DIGEST: &str = "39051983bbb600bbfb91bd22ee4c976420f8f0c6a895fd083dcb0d153ddd5fd6";
 const ENDORSEMENT_PATH: &str = "testdata/endorsement.json";