From 002c6fa5a495aca07ff3d4f6b40a635049776aaa Mon Sep 17 00:00:00 2001
From: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Date: Mon, 29 Apr 2024 14:38:34 +0200
Subject: [PATCH] snp: don't print warning if no ASK is present (#3048)

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
---
 internal/attestation/snp/snp.go      |  7 +++++--
 internal/attestation/snp/snp_test.go | 14 ++++++++++----
 2 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/internal/attestation/snp/snp.go b/internal/attestation/snp/snp.go
index c341e31fa..685af7792 100644
--- a/internal/attestation/snp/snp.go
+++ b/internal/attestation/snp/snp.go
@@ -12,6 +12,7 @@ import (
 	"bytes"
 	"crypto/x509"
 	"encoding/pem"
+	"errors"
 	"fmt"
 
 	"github.com/edgelesssys/constellation/v2/internal/attestation"
@@ -22,6 +23,8 @@ import (
 	"github.com/google/go-tpm-tools/proto/attest"
 )
 
+var errNoPemBlocks = errors.New("no PEM blocks found")
+
 // Product returns the SEV product info currently supported by Constellation's SNP attestation.
 func Product() *spb.SevProduct {
 	// sevProduct is the product info of the SEV platform as reported through CPUID[EAX=1].
@@ -124,7 +127,7 @@ func (a *InstanceInfo) AttestationWithCerts(getter trust.HTTPSGetter,
 	// If a certificate chain was pre-fetched by the Issuer, parse it and format it.
 	// Make sure to only use the ask, since using an ark from the Issuer would invalidate security guarantees.
 	ask, _, err := a.ParseCertChain()
-	if err != nil {
+	if err != nil && !errors.Is(err, errNoPemBlocks) {
 		logger.Warn(fmt.Sprintf("Error parsing certificate chain: %v", err))
 	}
 	if ask != nil {
@@ -222,7 +225,7 @@ func (a *InstanceInfo) ParseCertChain() (ask, ark *x509.Certificate, retErr erro
 
 	switch {
 	case i == 1:
-		retErr = fmt.Errorf("no PEM blocks found")
+		retErr = errNoPemBlocks
 	case len(rest) != 0:
 		retErr = fmt.Errorf("remaining PEM block is not a valid certificate: %s", rest)
 	}
diff --git a/internal/attestation/snp/snp_test.go b/internal/attestation/snp/snp_test.go
index 2eaf3e52a..366a3ba4a 100644
--- a/internal/attestation/snp/snp_test.go
+++ b/internal/attestation/snp/snp_test.go
@@ -9,6 +9,7 @@ package snp
 import (
 	"crypto/x509"
 	"encoding/hex"
+	"errors"
 	"fmt"
 	"regexp"
 	"strings"
@@ -34,16 +35,13 @@ func TestParseCertChain(t *testing.T) {
 		wantAsk   bool
 		wantArk   bool
 		wantErr   bool
+		errTarget error
 	}{
 		"success": {
 			certChain: defaultCertChain,
 			wantAsk:   true,
 			wantArk:   true,
 		},
-		"empty cert chain": {
-			certChain: []byte{},
-			wantErr:   true,
-		},
 		"more than two certificates": {
 			certChain: append(defaultCertChain, defaultCertChain...),
 			wantErr:   true,
@@ -52,6 +50,11 @@ func TestParseCertChain(t *testing.T) {
 			certChain: []byte("invalid"),
 			wantErr:   true,
 		},
+		"empty cert chain": {
+			certChain: []byte{},
+			wantErr:   true,
+			errTarget: errNoPemBlocks,
+		},
 		"ark missing": {
 			certChain: []byte(askOnly),
 			wantAsk:   true,
@@ -73,6 +76,9 @@ func TestParseCertChain(t *testing.T) {
 			ask, ark, err := instanceInfo.ParseCertChain()
 			if tc.wantErr {
 				assert.Error(err)
+				if tc.errTarget != nil {
+					assert.True(errors.Is(err, tc.errTarget))
+				}
 			} else {
 				assert.NoError(err)
 				assert.Equal(tc.wantAsk, ask != nil)