(
seed: &[u8],
provider: KeyProviderKind,
mr: Option<Vec<u8>>,
)
| 375 | } |
| 376 | |
| 377 | fn gen_app_keys_from_seed( |
| 378 | seed: &[u8], |
| 379 | provider: KeyProviderKind, |
| 380 | mr: Option<Vec<u8>>, |
| 381 | ) -> Result<AppKeys> { |
| 382 | let key = derive_p256_key_pair_from_bytes(seed, &["app-key".as_bytes()])?; |
| 383 | let disk_key = derive_p256_key_pair_from_bytes(seed, &["app-disk-key".as_bytes()])?; |
| 384 | let k256_key = derive_key(seed, &["app-k256-key".as_bytes()], 32)?; |
| 385 | let k256_key = SigningKey::from_bytes(&k256_key).context("Failed to parse k256 key")?; |
| 386 | let key_provider = match provider { |
| 387 | KeyProviderKind::None => KeyProvider::None { |
| 388 | key: key.serialize_pem(), |
| 389 | }, |
| 390 | KeyProviderKind::Local => KeyProvider::Local { |
| 391 | mr: mr.context("Missing MR for local key provider")?, |
| 392 | key: key.serialize_pem(), |
| 393 | }, |
| 394 | KeyProviderKind::Tpm => KeyProvider::Tpm { |
| 395 | key: key.serialize_pem(), |
| 396 | pubkey: key.public_key_der(), |
| 397 | }, |
| 398 | KeyProviderKind::Kms => { |
| 399 | anyhow::bail!("KMS keys must be fetched from the KMS server") |
| 400 | } |
| 401 | }; |
| 402 | make_app_keys(&key, &disk_key, &k256_key, 1, key_provider) |
| 403 | } |
| 404 | |
| 405 | fn make_app_keys( |
| 406 | app_key: &KeyPair, |
no test coverage detected