snp: don't print warning if no ASK is present (#3048)

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
2025-01-11 23:49:30 -05:00 · 2024-04-29 14:38:34 +02:00 · 2024-04-29 14:38:34 +02:00 · 002c6fa5a4
commit 002c6fa5a4
parent c1740b17d9
2 changed files with 15 additions and 6 deletions
--- a/internal/attestation/snp/snp.go
+++ b/internal/attestation/snp/snp.go
@ -12,6 +12,7 @@ import (
 	"bytes"
 	"crypto/x509"
 	"encoding/pem"
+	"errors"
 	"fmt"

 	"github.com/edgelesssys/constellation/v2/internal/attestation"
@ -22,6 +23,8 @@ import (
 	"github.com/google/go-tpm-tools/proto/attest"
 )

+var errNoPemBlocks = errors.New("no PEM blocks found")
+
 // Product returns the SEV product info currently supported by Constellation's SNP attestation.
 func Product() *spb.SevProduct {
 	// sevProduct is the product info of the SEV platform as reported through CPUID[EAX=1].
@ -124,7 +127,7 @@ func (a *InstanceInfo) AttestationWithCerts(getter trust.HTTPSGetter,
 	// If a certificate chain was pre-fetched by the Issuer, parse it and format it.
 	// Make sure to only use the ask, since using an ark from the Issuer would invalidate security guarantees.
 	ask, _, err := a.ParseCertChain()
-	if err != nil {
+	if err != nil && !errors.Is(err, errNoPemBlocks) {
 		logger.Warn(fmt.Sprintf("Error parsing certificate chain: %v", err))
 	}
 	if ask != nil {
@ -222,7 +225,7 @@ func (a *InstanceInfo) ParseCertChain() (ask, ark *x509.Certificate, retErr erro

 	switch {
 	case i == 1:
-		retErr = fmt.Errorf("no PEM blocks found")
+		retErr = errNoPemBlocks
 	case len(rest) != 0:
 		retErr = fmt.Errorf("remaining PEM block is not a valid certificate: %s", rest)
 	}
--- a/internal/attestation/snp/snp_test.go
+++ b/internal/attestation/snp/snp_test.go
@ -9,6 +9,7 @@ package snp
 import (
 	"crypto/x509"
 	"encoding/hex"
+	"errors"
 	"fmt"
 	"regexp"
 	"strings"
@ -34,16 +35,13 @@ func TestParseCertChain(t *testing.T) {
 		wantAsk   bool
 		wantArk   bool
 		wantErr   bool
+		errTarget error
 	}{
 		"success": {
 			certChain: defaultCertChain,
 			wantAsk:   true,
 			wantArk:   true,
 		},
-		"empty cert chain": {
-			certChain: []byte{},
-			wantErr:   true,
-		},
 		"more than two certificates": {
 			certChain: append(defaultCertChain, defaultCertChain...),
 			wantErr:   true,
@ -52,6 +50,11 @@ func TestParseCertChain(t *testing.T) {
 			certChain: []byte("invalid"),
 			wantErr:   true,
 		},
+		"empty cert chain": {
+			certChain: []byte{},
+			wantErr:   true,
+			errTarget: errNoPemBlocks,
+		},
 		"ark missing": {
 			certChain: []byte(askOnly),
 			wantAsk:   true,
@ -73,6 +76,9 @@ func TestParseCertChain(t *testing.T) {
 			ask, ark, err := instanceInfo.ParseCertChain()
 			if tc.wantErr {
 				assert.Error(err)
+				if tc.errTarget != nil {
+					assert.True(errors.Is(err, tc.errTarget))
+				}
 			} else {
 				assert.NoError(err)
 				assert.Equal(tc.wantAsk, ask != nil)