snp: don't print warning if no ASK is present (#3048)
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
This commit is contained in:
Moritz Sanft
GitHub
parent
c1740b17d9
commit
002c6fa5a4
|
|
@ -12,6 +12,7 @@ import (
|
|||
"bytes"
|
||||
"crypto/x509"
|
||||
"encoding/pem"
|
||||
"errors"
|
||||
"fmt"
|
||||
|
||||
"github.com/edgelesssys/constellation/v2/internal/attestation"
|
||||
|
|
@ -22,6 +23,8 @@ import (
|
|||
"github.com/google/go-tpm-tools/proto/attest"
|
||||
)
|
||||
|
||||
var errNoPemBlocks = errors.New("no PEM blocks found")
|
||||
|
||||
// Product returns the SEV product info currently supported by Constellation's SNP attestation.
|
||||
func Product() *spb.SevProduct {
|
||||
// sevProduct is the product info of the SEV platform as reported through CPUID[EAX=1].
|
||||
|
|
@ -124,7 +127,7 @@ func (a *InstanceInfo) AttestationWithCerts(getter trust.HTTPSGetter,
|
|||
// If a certificate chain was pre-fetched by the Issuer, parse it and format it.
|
||||
// Make sure to only use the ask, since using an ark from the Issuer would invalidate security guarantees.
|
||||
ask, _, err := a.ParseCertChain()
|
||||
if err != nil {
|
||||
if err != nil && !errors.Is(err, errNoPemBlocks) {
|
||||
logger.Warn(fmt.Sprintf("Error parsing certificate chain: %v", err))
|
||||
}
|
||||
if ask != nil {
|
||||
|
|
@ -222,7 +225,7 @@ func (a *InstanceInfo) ParseCertChain() (ask, ark *x509.Certificate, retErr erro
|
|||
|
||||
switch {
|
||||
case i == 1:
|
||||
retErr = fmt.Errorf("no PEM blocks found")
|
||||
retErr = errNoPemBlocks
|
||||
case len(rest) != 0:
|
||||
retErr = fmt.Errorf("remaining PEM block is not a valid certificate: %s", rest)
|
||||
}
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ package snp
|
|||
import (
|
||||
"crypto/x509"
|
||||
"encoding/hex"
|
||||
"errors"
|
||||
"fmt"
|
||||
"regexp"
|
||||
"strings"
|
||||
|
|
@ -34,16 +35,13 @@ func TestParseCertChain(t *testing.T) {
|
|||
wantAsk bool
|
||||
wantArk bool
|
||||
wantErr bool
|
||||
errTarget error
|
||||
}{
|
||||
"success": {
|
||||
certChain: defaultCertChain,
|
||||
wantAsk: true,
|
||||
wantArk: true,
|
||||
},
|
||||
"empty cert chain": {
|
||||
certChain: []byte{},
|
||||
wantErr: true,
|
||||
},
|
||||
"more than two certificates": {
|
||||
certChain: append(defaultCertChain, defaultCertChain...),
|
||||
wantErr: true,
|
||||
|
|
@ -52,6 +50,11 @@ func TestParseCertChain(t *testing.T) {
|
|||
certChain: []byte("invalid"),
|
||||
wantErr: true,
|
||||
},
|
||||
"empty cert chain": {
|
||||
certChain: []byte{},
|
||||
wantErr: true,
|
||||
errTarget: errNoPemBlocks,
|
||||
},
|
||||
"ark missing": {
|
||||
certChain: []byte(askOnly),
|
||||
wantAsk: true,
|
||||
|
|
@ -73,6 +76,9 @@ func TestParseCertChain(t *testing.T) {
|
|||
ask, ark, err := instanceInfo.ParseCertChain()
|
||||
if tc.wantErr {
|
||||
assert.Error(err)
|
||||
if tc.errTarget != nil {
|
||||
assert.True(errors.Is(err, tc.errTarget))
|
||||
}
|
||||
} else {
|
||||
assert.NoError(err)
|
||||
assert.Equal(tc.wantAsk, ask != nil)
|
||||
|
|
|
|||
Loading…
Reference in New Issue