From 292f8eef21284a5dfd5981fb334a9611c8a5f989 Mon Sep 17 00:00:00 2001
From: Thomas Tendyck
Date: Sun, 12 Feb 2023 17:33:33 +0100
Subject: [PATCH] attestation: remove VerifyUserData

---
 internal/attestation/aws/validator.go | 1 -
 internal/attestation/azure/snp/validator.go | 1 -
 .../azure/trustedlaunch/validator.go | 1 -
 internal/attestation/gcp/validator.go | 1 -
 internal/attestation/qemu/validator.go | 1 -
 internal/attestation/vtpm/attestation.go | 31 +++++--------------
 internal/attestation/vtpm/attestation_test.go | 19 ++++++------
 7 files changed, 17 insertions(+), 38 deletions(-)

diff --git a/internal/attestation/aws/validator.go b/internal/attestation/aws/validator.go
index b8d182869..99fafe1cc 100644
--- a/internal/attestation/aws/validator.go
+++ b/internal/attestation/aws/validator.go
@@ -35,7 +35,6 @@ func NewValidator(pcrs measurements.M, log vtpm.AttestationLogger) *Validator {
 pcrs,
 getTrustedKey,
 v.tpmEnabled,
- vtpm.VerifyPKCS1v15,
 log,
 )
 v.getDescribeClient = getEC2Client
diff --git a/internal/attestation/azure/snp/validator.go b/internal/attestation/azure/snp/validator.go
index c08723862..cffc1e1e5 100644
--- a/internal/attestation/azure/snp/validator.go
+++ b/internal/attestation/azure/snp/validator.go
@@ -49,7 +49,6 @@ func NewValidator(pcrs measurements.M, idKeyDigests idkeydigest.IDKeyDigests, en
 pcrs,
 getTrustedKey(&azureInstanceInfo{}, idKeyDigests, enforceIDKeyDigest, log),
 validateCVM,
- vtpm.VerifyPKCS1v15,
 log,
 ),
 }
diff --git a/internal/attestation/azure/trustedlaunch/validator.go b/internal/attestation/azure/trustedlaunch/validator.go
index f5b4e0d5c..044847680 100644
--- a/internal/attestation/azure/trustedlaunch/validator.go
+++ b/internal/attestation/azure/trustedlaunch/validator.go
@@ -41,7 +41,6 @@ func NewValidator(pcrs measurements.M, log vtpm.AttestationLogger) *Validator {
 pcrs,
 v.verifyAttestationKey,
 validateVM,
- vtpm.VerifyPKCS1v15,
 log,
 )
 return v
diff --git a/internal/attestation/gcp/validator.go b/internal/attestation/gcp/validator.go
index 3223dcee1..d66f97ba4 100644
--- a/internal/attestation/gcp/validator.go
+++ b/internal/attestation/gcp/validator.go
@@ -41,7 +41,6 @@ func NewValidator(pcrs measurements.M, log vtpm.AttestationLogger) *Validator {
 pcrs,
 trustedKeyFromGCEAPI(newInstanceClient),
 gceNonHostInfoEvent,
- vtpm.VerifyPKCS1v15,
 log,
 ),
 }
diff --git a/internal/attestation/qemu/validator.go b/internal/attestation/qemu/validator.go
index 1db26b2e5..3730e13c3 100644
--- a/internal/attestation/qemu/validator.go
+++ b/internal/attestation/qemu/validator.go
@@ -28,7 +28,6 @@ func NewValidator(pcrs measurements.M, log vtpm.AttestationLogger) *Validator {
 pcrs,
 unconditionalTrust,
 func(attestation vtpm.AttestationDocument) error { return nil },
- vtpm.VerifyPKCS1v15,
 log,
 ),
 }
diff --git a/internal/attestation/vtpm/attestation.go b/internal/attestation/vtpm/attestation.go
index 06ac94fe7..4bbd4763e 100644
--- a/internal/attestation/vtpm/attestation.go
+++ b/internal/attestation/vtpm/attestation.go
@@ -9,10 +9,8 @@ package vtpm
 import (
 "bytes"
 "crypto"
- "crypto/rsa"
 "crypto/sha256"
 "encoding/json"
- "errors"
 "fmt"
 "io"
@@ -64,8 +62,6 @@ type (
 GetInstanceInfo func(tpm io.ReadWriteCloser) ([]byte, error)
 // ValidateCVM validates confidential computing capabilities of the instance issuing the attestation.
 ValidateCVM func(attestation AttestationDocument) error
- // VerifyUserData verifies signed user data.
- VerifyUserData func(pub crypto.PublicKey, hash crypto.Hash, hashed, sig []byte) error
 )
 // AttestationLogger is a logger used to print warnings and infos during attestation validation.
@@ -138,27 +134,25 @@ func (i *Issuer) Issue(userData []byte, nonce []byte) ([]byte, error) {
 // Validator handles validation of TPM based attestation.
 type Validator struct {
- expected measurements.M
- getTrustedKey GetTPMTrustedAttestationPublicKey
- validateCVM ValidateCVM
- verifyUserData VerifyUserData
+ expected measurements.M
+ getTrustedKey GetTPMTrustedAttestationPublicKey
+ validateCVM ValidateCVM
 log AttestationLogger
 }
 // NewValidator returns a new Validator.
 func NewValidator(expected measurements.M, getTrustedKey GetTPMTrustedAttestationPublicKey,
- validateCVM ValidateCVM, verifyUserData VerifyUserData, log AttestationLogger,
+ validateCVM ValidateCVM, log AttestationLogger,
 ) *Validator {
 if log == nil {
 log = &nopAttestationLogger{}
 }
 return &Validator{
- expected: expected,
- getTrustedKey: getTrustedKey,
- validateCVM: validateCVM,
- verifyUserData: verifyUserData,
- log: log,
+ expected: expected,
+ getTrustedKey: getTrustedKey,
+ validateCVM: validateCVM,
+ log: log,
 }
 }
@@ -236,15 +230,6 @@ func GetSHA256QuoteIndex(quotes []*tpmProto.Quote) (int, error) {
 return 0, fmt.Errorf("attestation did not include SHA256 hashed PCRs")
 }
-// VerifyPKCS1v15 is a convenience function to call rsa.VerifyPKCS1v15.
-func VerifyPKCS1v15(pub crypto.PublicKey, hash crypto.Hash, hashed, sig []byte) error {
- key, ok := pub.(*rsa.PublicKey)
- if !ok {
- return errors.New("key is not an RSA public key")
- }
- return rsa.VerifyPKCS1v15(key, hash, hashed, sig)
-}
-
 // GetSelectedMeasurements returns a map of Measurments for the PCRs in selection.
 func GetSelectedMeasurements(open TPMOpenFunc, selection tpm2.PCRSelection) (measurements.M, error) {
 tpm, err := open()
diff --git a/internal/attestation/vtpm/attestation_test.go b/internal/attestation/vtpm/attestation_test.go
index 781e06874..53718f033 100644
--- a/internal/attestation/vtpm/attestation_test.go
+++ b/internal/attestation/vtpm/attestation_test.go
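Review bot: The doc comment kept in this hunk, `// NewValidator returns a new Validator.`, now sits on a constructor that has just lost its only signature-verification hook, and nothing in the attestation.go hunks shows where the signature over the attestation's user data is checked instead; the `invalid signature` case in attestation_test.go still expects Validate to fail, so the check presumably lives in Validate, whose body is outside the hunk. Suggest saying so in the doc comment, so a reader of the constructor does not conclude that a verification step was dropped, for example `// NewValidator returns a new Validator. getTrustedKey selects the attestation key to trust and validateCVM checks the confidential-computing capabilities of the issuing instance; a nil log disables logging.` The same removal is what drives the deletions of the VerifyUserData type and the VerifyPKCS1v15 helper in the other two attestation.go hunks, which need no separate note.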
@@ -76,7 +76,7 @@ func TestValidate(t *testing.T) {
 defer tpmCloser.Close()
 issuer := NewIssuer(tpmOpen, tpmclient.AttestationKeyRSA, fakeGetInstanceInfo)
- validator := NewValidator(testExpectedPCRs, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15, nil)
+ validator := NewValidator(testExpectedPCRs, fakeGetTrustedKey, fakeValidateCVM, nil)
 nonce := []byte{1, 2, 3, 4}
 challenge := []byte("Constellation")
@@ -136,7 +136,6 @@ func TestValidate(t *testing.T) {
 expectedPCRs,
 fakeGetTrustedKey,
 fakeValidateCVM,
- VerifyPKCS1v15,
 warnLog,
 )
 out, err = warningValidator.Validate(attDocRaw, nonce)
@@ -151,18 +150,18 @@ func TestValidate(t *testing.T) {
 wantErr bool
 }{
 "valid": {
- validator: NewValidator(testExpectedPCRs, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15, warnLog),
+ validator: NewValidator(testExpectedPCRs, fakeGetTrustedKey, fakeValidateCVM, warnLog),
 attDoc: mustMarshalAttestation(attDoc, require),
 nonce: nonce,
 },
 "invalid nonce": {
- validator: NewValidator(testExpectedPCRs, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15, warnLog),
+ validator: NewValidator(testExpectedPCRs, fakeGetTrustedKey, fakeValidateCVM, warnLog),
 attDoc: mustMarshalAttestation(attDoc, require),
 nonce: []byte{4, 3, 2, 1},
 wantErr: true,
 },
 "invalid signature": {
- validator: NewValidator(testExpectedPCRs, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15, warnLog),
+ validator: NewValidator(testExpectedPCRs, fakeGetTrustedKey, fakeValidateCVM, warnLog),
 attDoc: mustMarshalAttestation(AttestationDocument{
 Attestation: attDoc.Attestation,
 InstanceInfo: attDoc.InstanceInfo,
@@ -177,7 +176,7 @@ func TestValidate(t *testing.T) {
 func(akPub, instanceInfo []byte) (crypto.PublicKey, error) {
 return nil, errors.New("untrusted")
 },
- fakeValidateCVM, VerifyPKCS1v15, warnLog),
+ fakeValidateCVM, warnLog),
 attDoc: mustMarshalAttestation(attDoc, require),
 nonce: nonce,
 wantErr: true,
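Review bot: In the @@ -151 hunk the identical expression `NewValidator(testExpectedPCRs, fakeGetTrustedKey, fakeValidateCVM, warnLog)` is repeated in the `valid`, `invalid nonce` and `invalid signature` cases, and the `no sha256 quote` and `invalid attestation document` cases in the later hunks repeat it again. Since the commit already rewrites every one of these lines, it is a cheap moment to build that validator once above the table, `defaultValidator := NewValidator(testExpectedPCRs, fakeGetTrustedKey, fakeValidateCVM, warnLog)`, and use `validator: defaultValidator` in those cases, so the next constructor change touches one line instead of five; warnLog is already in scope there, as the @@ -136 hunk passes it. TestValidate starts outside the hunk, so whether the cases are safe to share one *Validator instance (nothing in the visible lines mutates it) has to be confirmed against the loop body.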
@@ -189,7 +188,7 @@ func TestValidate(t *testing.T) {
 func(attestation AttestationDocument) error {
 return errors.New("untrusted")
 },
- VerifyPKCS1v15, warnLog),
+ warnLog),
 attDoc: mustMarshalAttestation(attDoc, require),
 nonce: nonce,
 wantErr: true,
@@ -204,13 +203,13 @@ func TestValidate(t *testing.T) {
 },
 fakeGetTrustedKey,
 fakeValidateCVM,
- VerifyPKCS1v15, warnLog),
+ warnLog),
 attDoc: mustMarshalAttestation(attDoc, require),
 nonce: nonce,
 wantErr: true,
 },
 "no sha256 quote": {
- validator: NewValidator(testExpectedPCRs, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15, warnLog),
+ validator: NewValidator(testExpectedPCRs, fakeGetTrustedKey, fakeValidateCVM, warnLog),
 attDoc: mustMarshalAttestation(AttestationDocument{
 Attestation: &attest.Attestation{
 AkPub: attDoc.Attestation.AkPub,
@@ -227,7 +226,7 @@ func TestValidate(t *testing.T) {
 wantErr: true,
 "invalid attestation document": {
- validator: NewValidator(testExpectedPCRs, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15, warnLog),
+ validator: NewValidator(testExpectedPCRs, fakeGetTrustedKey, fakeValidateCVM, warnLog),
 attDoc: []byte("invalid attestation"),
 nonce: nonce,
 wantErr: true,