From 41e223d8a3abd5b42d675fc09cd58886b1410654 Mon Sep 17 00:00:00 2001
From: Chris Frantz
Date: Thu, 4 Jan 2024 14:31:36 -0800
Subject: [PATCH] [signing] More signing automation

Automate the offline portion of the signing procedure by providing a JSON file of signing directives. Rather than having to manually enter a command line per file to sign, one can simply provide the json file to the `exec` command:
```
hsmtool --profile earlgrey_a0 exec signing_directives.json
```
The signing directives file will contain a command specification for each signable input provided to the `srcs` attribute of the `offline_presigning_artifacts` rule.

Signed-off-by: Chris Frantz
---
 rules/signing.bzl | 28 +++++++++++++++++++++++++---
 1 file changed, 25 insertions(+), 3 deletions(-)

diff --git a/rules/signing.bzl b/rules/signing.bzl
index 8628abc30bb77..3c8287617fa53 100644
--- a/rules/signing.bzl
+++ b/rules/signing.bzl
@@ -108,6 +108,7 @@ def _presigning_artifacts(ctx, opentitantool, src, manifest, rsa_key, spx_key, b
     else:
         basename = paths.replace_extension(basename, "")
+    signing_directives = []
     pre = ctx.actions.declare_file("{}.pre-signing".format(basename))
     inputs = [
         src,
@@ -152,6 +153,15 @@ def _presigning_artifacts(ctx, opentitantool, src, manifest, rsa_key, spx_key, b
         executable = opentitantool,
         mnemonic = "PreSigningDigest",
     )
+    signing_directives.append(struct(
+        command = "rsa-sign",
+        id = None,
+        label = rsa_key.name,
+        format = "Sha256Hash",
+        little_endian = True,
+        output = "{}.rsa_sig".format(basename),
+        input = "{}.digest".format(basename),
+    ))
 
     # Compute message to be signed with SPX+.
     spxmsg = None
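Review bot: The rsa-sign directive appended in the second hunk (after the PreSigningDigest action) encodes several hsmtool-facing values without saying where they come from or why: `format = "Sha256Hash"` and `little_endian = True` must match how the digest action emits the digest, and `input`/`output` are bare basenames rather than the declared file paths. A short comment above the `struct(` would help the next maintainer keep the two in sync, e.g. `# hsmtool directive: the digest produced above is a raw SHA-256 hash in little-endian byte order; input/output are resolved by hsmtool relative to the directory the digests are copied to (confirm against the hsmtool exec command).` The `label = rsa_key.name` field also deserves a note that this is the HSM key label, not a file path, since the offline signer will look it up on the token. _presigning_artifacts starts and ends outside both hunks on this line.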
@@ -171,7 +181,10 @@ def _presigning_artifacts(ctx, opentitantool, src, manifest, rsa_key, spx_key, b
         executable = opentitantool,
         mnemonic = "PreSigningSpxMessage",
     )
-    return struct(pre = pre, digest = digest, spxmsg = spxmsg)
+    # TODO(cfrantz): After adding SPX support to hsmtool, append an appropriate
+    # signing directive here.
+
+    return struct(pre = pre, digest = digest, spxmsg = spxmsg, script = signing_directives)
 
 def _local_sign(ctx, tool, digest, rsa_key, spxmsg = None, spx_key = None, profile = None):
     """Sign a digest with a local on-disk RSA private key.
@@ -309,6 +322,7 @@ def _offline_presigning_artifacts(ctx):
     spx_key = key_from_dict(ctx.attr.spx_key, "spx_key")
     digests = []
     bins = []
+    script = []
     for src in get_binary_files(ctx.attr.srcs):
         artifacts = _presigning_artifacts(
             ctx,
@@ -320,12 +334,20 @@ def _offline_presigning_artifacts(ctx):
         )
         bins.append(artifacts.pre)
         digests.append(artifacts.digest)
+        script.extend(artifacts.script)
         if artifacts.spxmsg:
             digests.append(artifacts.spxmsg)
+
+    default_files = digests
+    if script:
+        script_file = ctx.actions.declare_file("{}.json".format(ctx.attr.name))
+        ctx.actions.write(script_file, json.encode_indent(script, indent = " ") + "\n")
+        default_files.append(script_file)
+
     return [
-        DefaultInfo(files = depset(digests), data_runfiles = ctx.runfiles(files = digests)),
+        DefaultInfo(files = depset(default_files), data_runfiles = ctx.runfiles(files = default_files)),
         PreSigningBinaryInfo(files = depset(bins)),
-        OutputGroupInfo(digest = depset(digests), binary = depset(bins)),
+        OutputGroupInfo(digest = depset(digests), binary = depset(bins), script = depset([script_file])),
     ]
 
 offline_presigning_artifacts = rule(
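Review bot: The returned struct in the first hunk on this line gains a `script` field, but nothing documents that it is a list of hsmtool directive structs (one per signing step) that callers are expected to concatenate and serialize to JSON. _presigning_artifacts's docstring is outside this hunk; its Returns section should gain a line such as `script: list of hsmtool signing directives (struct per step) for the offline signing session; empty until an RSA digest has been produced.` The TODO about SPX would then read naturally against that contract.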
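Review bot: In the last hunk on this line, `script_file` is referenced in the `OutputGroupInfo(... script = depset([script_file]))` return line but is only bound inside `if script:`, so a target whose `srcs` produce no directives fails with an unbound-variable error rather than simply omitting the script output group. Separately, `default_files = digests` aliases the same list, so `default_files.append(script_file)` also adds the JSON file to `digests`, and the `digest` output group then contains the directives file alongside the digests; this matters for the offline signing flow because that group is what gets carried to the HSM host, and a stray file in it silently widens what the signer ingests. Copying the list and building the script group from a separate list fixes both. _offline_presigning_artifacts begins before this hunk.
```starlark
    default_files = list(digests)
    script_outputs = []
    if script:
        script_file = ctx.actions.declare_file("{}.json".format(ctx.attr.name))
        ctx.actions.write(script_file, json.encode_indent(script, indent = " ") + "\n")
        default_files.append(script_file)
        script_outputs.append(script_file)

    return [
        DefaultInfo(files = depset(default_files), data_runfiles = ctx.runfiles(files = default_files)),
        PreSigningBinaryInfo(files = depset(bins)),
        OutputGroupInfo(digest = depset(digests), binary = depset(bins), script = depset(script_outputs)),
    ]
```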