diff --git a/internal/attestation/snp/snp.go b/internal/attestation/snp/snp.go
index c341e31fa..685af7792 100644
--- a/internal/attestation/snp/snp.go
+++ b/internal/attestation/snp/snp.go
@@ -12,6 +12,7 @@ import (
 	"bytes"
 	"crypto/x509"
 	"encoding/pem"
+	"errors"
 	"fmt"
 
 	"github.com/edgelesssys/constellation/v2/internal/attestation"
@@ -22,6 +23,8 @@ import (
 	"github.com/google/go-tpm-tools/proto/attest"
 )
 
+var errNoPemBlocks = errors.New("no PEM blocks found")
+
 // Product returns the SEV product info currently supported by Constellation's SNP attestation.
 func Product() *spb.SevProduct {
 	// sevProduct is the product info of the SEV platform as reported through CPUID[EAX=1].
@@ -124,7 +127,7 @@ func (a *InstanceInfo) AttestationWithCerts(getter trust.HTTPSGetter,
 	// If a certificate chain was pre-fetched by the Issuer, parse it and format it.
 	// Make sure to only use the ask, since using an ark from the Issuer would invalidate security guarantees.
 	ask, _, err := a.ParseCertChain()
-	if err != nil {
+	if err != nil && !errors.Is(err, errNoPemBlocks) {
 		logger.Warn(fmt.Sprintf("Error parsing certificate chain: %v", err))
 	}
 	if ask != nil {
@@ -222,7 +225,7 @@ func (a *InstanceInfo) ParseCertChain() (ask, ark *x509.Certificate, retErr erro
 
 	switch {
 	case i == 1:
-		retErr = fmt.Errorf("no PEM blocks found")
+		retErr = errNoPemBlocks
 	case len(rest) != 0:
 		retErr = fmt.Errorf("remaining PEM block is not a valid certificate: %s", rest)
 	}
diff --git a/internal/attestation/snp/snp_test.go b/internal/attestation/snp/snp_test.go
index 2eaf3e52a..366a3ba4a 100644
--- a/internal/attestation/snp/snp_test.go
+++ b/internal/attestation/snp/snp_test.go
@@ -9,6 +9,7 @@ package snp
 import (
 	"crypto/x509"
 	"encoding/hex"
+	"errors"
 	"fmt"
 	"regexp"
 	"strings"
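Review bot: The new sentinel `errNoPemBlocks` in the `@@ -22,6 +23,8` hunk has no doc comment, and its name departs from Go's initialism convention, where `PEM` keeps its case. I would add `// errNoPEMBlocks is returned by ParseCertChain when the supplied chain contains no PEM blocks; AttestationWithCerts treats it as "no chain was pre-fetched" and does not log a warning for it.` above the declaration and rename it at the three use sites in this diff. The "no chain was pre-fetched" reading is taken from the comment that precedes the ParseCertChain call in the `@@ -124` hunk; if the sentinel is meant more broadly, the doc comment should say so instead.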
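Review bot: Suppressing the warning on `errNoPemBlocks` in AttestationWithCerts (`@@ -124` hunk) may also hide a pre-fetched chain that is non-empty but not PEM at all, because in the switch of the `@@ -222` hunk `case i == 1` is evaluated before `case len(rest) != 0`; if `i` counts decoded blocks starting at 1, an input like the test file's `[]byte("invalid")` also yields the sentinel and is now logged nowhere. The intent seems to be "no chain was supplied", which is cheaper to state directly: check the chain's length before the PEM loop and return `errNoPemBlocks` only for an empty chain, leaving undecodable input on the `fmt.Errorf` path so an operator still sees a malformed pre-fetched chain. Alternatively, swapping the two cases so `len(rest) != 0` is tested first would already separate the two situations. Both ParseCertChain and AttestationWithCerts start and end outside their hunks, so the initial value of `i` and the loop shape are inferred here, not seen.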
@@ -34,16 +35,13 @@ func TestParseCertChain(t *testing.T) {
 		wantAsk bool
 		wantArk bool
 		wantErr bool
+		errTarget error
 	}{
 		"success": {
 			certChain: defaultCertChain,
 			wantAsk: true,
 			wantArk: true,
 		},
-		"empty cert chain": {
-			certChain: []byte{},
-			wantErr: true,
-		},
 		"more than two certificates": {
 			certChain: append(defaultCertChain, defaultCertChain...),
 			wantErr: true,
@@ -52,6 +50,11 @@ func TestParseCertChain(t *testing.T) {
 			certChain: []byte("invalid"),
 			wantErr: true,
 		},
+		"empty cert chain": {
+			certChain: []byte{},
+			wantErr: true,
+			errTarget: errNoPemBlocks,
+		},
 		"ark missing": {
 			certChain: []byte(askOnly),
 			wantAsk: true,
@@ -73,6 +76,9 @@ func TestParseCertChain(t *testing.T) {
 			ask, ark, err := instanceInfo.ParseCertChain()
 			if tc.wantErr {
 				assert.Error(err)
+				if tc.errTarget != nil {
+					assert.True(errors.Is(err, tc.errTarget))
+				}
 			} else {
 				assert.NoError(err)
 				assert.Equal(tc.wantAsk, ask != nil)
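Review bot: `assert.True(errors.Is(err, tc.errTarget))` in the `@@ -73,6 +76,9` hunk reports only that a boolean was false on failure, losing both the actual and the expected error; if `assert` is testify's, `assert.ErrorIs(err, tc.errTarget)` performs the same check, prints both errors in the failure message, and removes the need for the new `errors` import in this file. Nothing in this diff exercises the new `!errors.Is(err, errNoPemBlocks)` branch in AttestationWithCerts; if no other test in snp_test.go covers it, a case that passes an empty chain and asserts that no warning is logged would pin the behaviour the commit introduces. Moving the "empty cert chain" case to a later position in the table is otherwise a pure reorder and raises no point.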