snp: don't print warning if no ASK is present (#3048)

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
This commit is contained in:
Moritz Sanft 2024-04-29 14:38:34 +02:00 committed by GitHub
parent c1740b17d9
commit 002c6fa5a4
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 15 additions and 6 deletions


@ -12,6 +12,7 @@ import (
"bytes" "bytes"
"crypto/x509" "crypto/x509"
"encoding/pem" "encoding/pem"
"errors"
"fmt" "fmt"
"github.com/edgelesssys/constellation/v2/internal/attestation" "github.com/edgelesssys/constellation/v2/internal/attestation"
@ -22,6 +23,8 @@ import (
"github.com/google/go-tpm-tools/proto/attest" "github.com/google/go-tpm-tools/proto/attest"
) )
var errNoPemBlocks = errors.New("no PEM blocks found")
// Product returns the SEV product info currently supported by Constellation's SNP attestation. // Product returns the SEV product info currently supported by Constellation's SNP attestation.
func Product() *spb.SevProduct { func Product() *spb.SevProduct {
// sevProduct is the product info of the SEV platform as reported through CPUID[EAX=1]. // sevProduct is the product info of the SEV platform as reported through CPUID[EAX=1].
@ -124,7 +127,7 @@ func (a *InstanceInfo) AttestationWithCerts(getter trust.HTTPSGetter,
// If a certificate chain was pre-fetched by the Issuer, parse it and format it. // If a certificate chain was pre-fetched by the Issuer, parse it and format it.
// Make sure to only use the ask, since using an ark from the Issuer would invalidate security guarantees. // Make sure to only use the ask, since using an ark from the Issuer would invalidate security guarantees.
ask, _, err := a.ParseCertChain() ask, _, err := a.ParseCertChain()
if err != nil { if err != nil && !errors.Is(err, errNoPemBlocks) {
logger.Warn(fmt.Sprintf("Error parsing certificate chain: %v", err)) logger.Warn(fmt.Sprintf("Error parsing certificate chain: %v", err))
} }
if ask != nil { if ask != nil {
@ -222,7 +225,7 @@ func (a *InstanceInfo) ParseCertChain() (ask, ark *x509.Certificate, retErr erro
switch { switch {
case i == 1: case i == 1:
retErr = fmt.Errorf("no PEM blocks found") retErr = errNoPemBlocks
case len(rest) != 0: case len(rest) != 0:
retErr = fmt.Errorf("remaining PEM block is not a valid certificate: %s", rest) retErr = fmt.Errorf("remaining PEM block is not a valid certificate: %s", rest)
} }
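Review bot: The suppression in AttestationWithCerts is broader than the commit title says: errNoPemBlocks is set in the `case i == 1` branch of ParseCertChain, which (as far as the hunk shows) fires whenever the first decode finds no PEM block, so a pre-fetched chain that is present but not PEM-encoded is now dropped without any log line, not only an empty one; if that inference holds, an explicit emptiness check on the chain before calling ParseCertChain would keep the warning for the corrupted case (the chain field is outside the hunk). The silent path also loses a useful trace for incident review; a `logger.Debug("No pre-fetched certificate chain, ASK will be fetched")` in an else branch keeps it visible without the noise. The new sentinel at the top of the file should carry a doc comment, e.g. `// errNoPemBlocks is returned by ParseCertChain when the certificate chain contains no PEM blocks.` Both AttestationWithCerts and ParseCertChain begin and end outside their hunks.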


@ -9,6 +9,7 @@ package snp
import ( import (
"crypto/x509" "crypto/x509"
"encoding/hex" "encoding/hex"
"errors"
"fmt" "fmt"
"regexp" "regexp"
"strings" "strings"
@ -34,16 +35,13 @@ func TestParseCertChain(t *testing.T) {
wantAsk bool wantAsk bool
wantArk bool wantArk bool
wantErr bool wantErr bool
errTarget error
}{ }{
"success": { "success": {
certChain: defaultCertChain, certChain: defaultCertChain,
wantAsk: true, wantAsk: true,
wantArk: true, wantArk: true,
}, },
"empty cert chain": {
certChain: []byte{},
wantErr: true,
},
"more than two certificates": { "more than two certificates": {
certChain: append(defaultCertChain, defaultCertChain...), certChain: append(defaultCertChain, defaultCertChain...),
wantErr: true, wantErr: true,
@ -52,6 +50,11 @@ func TestParseCertChain(t *testing.T) {
certChain: []byte("invalid"), certChain: []byte("invalid"),
wantErr: true, wantErr: true,
}, },
"empty cert chain": {
certChain: []byte{},
wantErr: true,
errTarget: errNoPemBlocks,
},
"ark missing": { "ark missing": {
certChain: []byte(askOnly), certChain: []byte(askOnly),
wantAsk: true, wantAsk: true,
@ -73,6 +76,9 @@ func TestParseCertChain(t *testing.T) {
ask, ark, err := instanceInfo.ParseCertChain() ask, ark, err := instanceInfo.ParseCertChain()
if tc.wantErr { if tc.wantErr {
assert.Error(err) assert.Error(err)
if tc.errTarget != nil {
assert.True(errors.Is(err, tc.errTarget))
}
} else { } else {
assert.NoError(err) assert.NoError(err)
assert.Equal(tc.wantAsk, ask != nil) assert.Equal(tc.wantAsk, ask != nil)
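Review bot: The added `assert.True(errors.Is(err, tc.errTarget))` reports only "should be true" on failure, hiding which error was actually returned; `assert.ErrorIs(err, tc.errTarget)` makes the same check and prints both errors in the failure message, and it removes the need for the new "errors" import in this file. The "invalid" case (`certChain: []byte("invalid")`) has no errTarget, so the test does not pin whether non-PEM input also yields errNoPemBlocks, which is exactly the case the caller now silences; setting `errTarget` there (or asserting it is not errNoPemBlocks, whichever is intended) would document that decision. TestParseCertChain continues beyond the hunk.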