Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2025-01-12 16:09:39 -05:00
Code Issues Packages Projects Releases Wiki Activity

attestation: remove VerifyUserData

Browse Source
This commit is contained in:
Thomas Tendyck 2023-02-12 17:33:33 +01:00 committed by Thomas Tendyck
parent dd7d6334ba
commit 292f8eef21
7 changed files with 17 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
internal/attestation/aws/validator.go
View File

@ -35,7 +35,6 @@ func NewValidator(pcrs measurements.M, log vtpm.AttestationLogger) *Validator {
pcrs, pcrs,
getTrustedKey, getTrustedKey,
v.tpmEnabled, v.tpmEnabled,
vtpm.VerifyPKCS1v15,
log, log,
) )
v.getDescribeClient = getEC2Client v.getDescribeClient = getEC2Client

1
internal/attestation/azure/snp/validator.go
View File

@ -49,7 +49,6 @@ func NewValidator(pcrs measurements.M, idKeyDigests idkeydigest.IDKeyDigests, en
pcrs, pcrs,
getTrustedKey(&azureInstanceInfo{}, idKeyDigests, enforceIDKeyDigest, log), getTrustedKey(&azureInstanceInfo{}, idKeyDigests, enforceIDKeyDigest, log),
validateCVM, validateCVM,
vtpm.VerifyPKCS1v15,
log, log,
), ),
} }

1
internal/attestation/azure/trustedlaunch/validator.go
View File

@ -41,7 +41,6 @@ func NewValidator(pcrs measurements.M, log vtpm.AttestationLogger) *Validator {
pcrs, pcrs,
v.verifyAttestationKey, v.verifyAttestationKey,
validateVM, validateVM,
vtpm.VerifyPKCS1v15,
log, log,
) )
return v return v

1
internal/attestation/gcp/validator.go
View File

@ -41,7 +41,6 @@ func NewValidator(pcrs measurements.M, log vtpm.AttestationLogger) *Validator {
pcrs, pcrs,
trustedKeyFromGCEAPI(newInstanceClient), trustedKeyFromGCEAPI(newInstanceClient),
gceNonHostInfoEvent, gceNonHostInfoEvent,
vtpm.VerifyPKCS1v15,
log, log,
), ),
} }

1
internal/attestation/qemu/validator.go
View File

@ -28,7 +28,6 @@ func NewValidator(pcrs measurements.M, log vtpm.AttestationLogger) *Validator {
pcrs, pcrs,
unconditionalTrust, unconditionalTrust,
func(attestation vtpm.AttestationDocument) error { return nil }, func(attestation vtpm.AttestationDocument) error { return nil },
vtpm.VerifyPKCS1v15,
log, log,
), ),
} }

17
internal/attestation/vtpm/attestation.go
View File

@ -9,10 +9,8 @@ package vtpm
import ( import (
"bytes" "bytes"
"crypto" "crypto"
"crypto/rsa"
"crypto/sha256" "crypto/sha256"
"encoding/json" "encoding/json"
"errors"
"fmt" "fmt"
"io" "io"
@ -64,8 +62,6 @@ type (
GetInstanceInfo func(tpm io.ReadWriteCloser) ([]byte, error) GetInstanceInfo func(tpm io.ReadWriteCloser) ([]byte, error)
// ValidateCVM validates confidential computing capabilities of the instance issuing the attestation. // ValidateCVM validates confidential computing capabilities of the instance issuing the attestation.
ValidateCVM func(attestation AttestationDocument) error ValidateCVM func(attestation AttestationDocument) error
// VerifyUserData verifies signed user data.
VerifyUserData func(pub crypto.PublicKey, hash crypto.Hash, hashed, sig []byte) error
) )
// AttestationLogger is a logger used to print warnings and infos during attestation validation. // AttestationLogger is a logger used to print warnings and infos during attestation validation.
@ -141,14 +137,13 @@ type Validator struct {
expected measurements.M expected measurements.M
getTrustedKey GetTPMTrustedAttestationPublicKey getTrustedKey GetTPMTrustedAttestationPublicKey
validateCVM ValidateCVM validateCVM ValidateCVM
verifyUserData VerifyUserData
log AttestationLogger log AttestationLogger
} }
// NewValidator returns a new Validator. // NewValidator returns a new Validator.
func NewValidator(expected measurements.M, getTrustedKey GetTPMTrustedAttestationPublicKey, func NewValidator(expected measurements.M, getTrustedKey GetTPMTrustedAttestationPublicKey,
validateCVM ValidateCVM, verifyUserData VerifyUserData, log AttestationLogger, validateCVM ValidateCVM, log AttestationLogger,
) *Validator { ) *Validator {
if log == nil { if log == nil {
log = &nopAttestationLogger{} log = &nopAttestationLogger{}
@ -157,7 +152,6 @@ func NewValidator(expected measurements.M, getTrustedKey GetTPMTrustedAttestatio
expected: expected, expected: expected,
getTrustedKey: getTrustedKey, getTrustedKey: getTrustedKey,
validateCVM: validateCVM, validateCVM: validateCVM,
verifyUserData: verifyUserData,
log: log, log: log,
} }
} }
@ -236,15 +230,6 @@ func GetSHA256QuoteIndex(quotes []*tpmProto.Quote) (int, error) {
return 0, fmt.Errorf("attestation did not include SHA256 hashed PCRs") return 0, fmt.Errorf("attestation did not include SHA256 hashed PCRs")
} }
// VerifyPKCS1v15 is a convenience function to call rsa.VerifyPKCS1v15.
func VerifyPKCS1v15(pub crypto.PublicKey, hash crypto.Hash, hashed, sig []byte) error {
key, ok := pub.(*rsa.PublicKey)
if !ok {
return errors.New("key is not an RSA public key")
}
return rsa.VerifyPKCS1v15(key, hash, hashed, sig)
}
// GetSelectedMeasurements returns a map of Measurments for the PCRs in selection. // GetSelectedMeasurements returns a map of Measurments for the PCRs in selection.
func GetSelectedMeasurements(open TPMOpenFunc, selection tpm2.PCRSelection) (measurements.M, error) { func GetSelectedMeasurements(open TPMOpenFunc, selection tpm2.PCRSelection) (measurements.M, error) {
tpm, err := open() tpm, err := open()

19
internal/attestation/vtpm/attestation_test.go
View File

@ -76,7 +76,7 @@ func TestValidate(t *testing.T) {
defer tpmCloser.Close() defer tpmCloser.Close()
issuer := NewIssuer(tpmOpen, tpmclient.AttestationKeyRSA, fakeGetInstanceInfo) issuer := NewIssuer(tpmOpen, tpmclient.AttestationKeyRSA, fakeGetInstanceInfo)
validator := NewValidator(testExpectedPCRs, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15, nil) validator := NewValidator(testExpectedPCRs, fakeGetTrustedKey, fakeValidateCVM, nil)
nonce := []byte{1, 2, 3, 4} nonce := []byte{1, 2, 3, 4}
challenge := []byte("Constellation") challenge := []byte("Constellation")
@ -136,7 +136,6 @@ func TestValidate(t *testing.T) {
expectedPCRs, expectedPCRs,
fakeGetTrustedKey, fakeGetTrustedKey,
fakeValidateCVM, fakeValidateCVM,
VerifyPKCS1v15,
warnLog, warnLog,
) )
out, err = warningValidator.Validate(attDocRaw, nonce) out, err = warningValidator.Validate(attDocRaw, nonce)
@ -151,18 +150,18 @@ func TestValidate(t *testing.T) {
wantErr bool wantErr bool
}{ }{
"valid": { "valid": {
validator: NewValidator(testExpectedPCRs, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15, warnLog), validator: NewValidator(testExpectedPCRs, fakeGetTrustedKey, fakeValidateCVM, warnLog),
attDoc: mustMarshalAttestation(attDoc, require), attDoc: mustMarshalAttestation(attDoc, require),
nonce: nonce, nonce: nonce,
}, },
"invalid nonce": { "invalid nonce": {
validator: NewValidator(testExpectedPCRs, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15, warnLog), validator: NewValidator(testExpectedPCRs, fakeGetTrustedKey, fakeValidateCVM, warnLog),
attDoc: mustMarshalAttestation(attDoc, require), attDoc: mustMarshalAttestation(attDoc, require),
nonce: []byte{4, 3, 2, 1}, nonce: []byte{4, 3, 2, 1},
wantErr: true, wantErr: true,
}, },
"invalid signature": { "invalid signature": {
validator: NewValidator(testExpectedPCRs, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15, warnLog), validator: NewValidator(testExpectedPCRs, fakeGetTrustedKey, fakeValidateCVM, warnLog),
attDoc: mustMarshalAttestation(AttestationDocument{ attDoc: mustMarshalAttestation(AttestationDocument{
Attestation: attDoc.Attestation, Attestation: attDoc.Attestation,
InstanceInfo: attDoc.InstanceInfo, InstanceInfo: attDoc.InstanceInfo,
@ -177,7 +176,7 @@ func TestValidate(t *testing.T) {
func(akPub, instanceInfo []byte) (crypto.PublicKey, error) { func(akPub, instanceInfo []byte) (crypto.PublicKey, error) {
return nil, errors.New("untrusted") return nil, errors.New("untrusted")
}, },
fakeValidateCVM, VerifyPKCS1v15, warnLog), fakeValidateCVM, warnLog),
attDoc: mustMarshalAttestation(attDoc, require), attDoc: mustMarshalAttestation(attDoc, require),
nonce: nonce, nonce: nonce,
wantErr: true, wantErr: true,
@ -189,7 +188,7 @@ func TestValidate(t *testing.T) {
func(attestation AttestationDocument) error { func(attestation AttestationDocument) error {
return errors.New("untrusted") return errors.New("untrusted")
}, },
VerifyPKCS1v15, warnLog), warnLog),
attDoc: mustMarshalAttestation(attDoc, require), attDoc: mustMarshalAttestation(attDoc, require),
nonce: nonce, nonce: nonce,
wantErr: true, wantErr: true,
@ -204,13 +203,13 @@ func TestValidate(t *testing.T) {
}, },
fakeGetTrustedKey, fakeGetTrustedKey,
fakeValidateCVM, fakeValidateCVM,
VerifyPKCS1v15, warnLog), warnLog),
attDoc: mustMarshalAttestation(attDoc, require), attDoc: mustMarshalAttestation(attDoc, require),
nonce: nonce, nonce: nonce,
wantErr: true, wantErr: true,
}, },
"no sha256 quote": { "no sha256 quote": {
validator: NewValidator(testExpectedPCRs, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15, warnLog), validator: NewValidator(testExpectedPCRs, fakeGetTrustedKey, fakeValidateCVM, warnLog),
attDoc: mustMarshalAttestation(AttestationDocument{ attDoc: mustMarshalAttestation(AttestationDocument{
Attestation: &attest.Attestation{ Attestation: &attest.Attestation{
AkPub: attDoc.Attestation.AkPub, AkPub: attDoc.Attestation.AkPub,
@ -227,7 +226,7 @@ func TestValidate(t *testing.T) {
wantErr: true, wantErr: true,
}, },
"invalid attestation document": { "invalid attestation document": {
validator: NewValidator(testExpectedPCRs, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15, warnLog), validator: NewValidator(testExpectedPCRs, fakeGetTrustedKey, fakeValidateCVM, warnLog),
attDoc: []byte("invalid attestation"), attDoc: []byte("invalid attestation"),
nonce: nonce, nonce: nonce,
wantErr: true, wantErr: true,