attestation: remove VerifyUserData

This commit is contained in:
Thomas Tendyck 2023-02-12 17:33:33 +01:00 committed by Thomas Tendyck
parent dd7d6334ba
commit 292f8eef21
7 changed files with 17 additions and 38 deletions

View File

@ -35,7 +35,6 @@ func NewValidator(pcrs measurements.M, log vtpm.AttestationLogger) *Validator {
pcrs,
getTrustedKey,
v.tpmEnabled,
vtpm.VerifyPKCS1v15,
log,
)
v.getDescribeClient = getEC2Client

View File

@ -49,7 +49,6 @@ func NewValidator(pcrs measurements.M, idKeyDigests idkeydigest.IDKeyDigests, en
pcrs,
getTrustedKey(&azureInstanceInfo{}, idKeyDigests, enforceIDKeyDigest, log),
validateCVM,
vtpm.VerifyPKCS1v15,
log,
),
}

View File

@ -41,7 +41,6 @@ func NewValidator(pcrs measurements.M, log vtpm.AttestationLogger) *Validator {
pcrs,
v.verifyAttestationKey,
validateVM,
vtpm.VerifyPKCS1v15,
log,
)
return v

View File

@ -41,7 +41,6 @@ func NewValidator(pcrs measurements.M, log vtpm.AttestationLogger) *Validator {
pcrs,
trustedKeyFromGCEAPI(newInstanceClient),
gceNonHostInfoEvent,
vtpm.VerifyPKCS1v15,
log,
),
}

View File

@ -28,7 +28,6 @@ func NewValidator(pcrs measurements.M, log vtpm.AttestationLogger) *Validator {
pcrs,
unconditionalTrust,
func(attestation vtpm.AttestationDocument) error { return nil },
vtpm.VerifyPKCS1v15,
log,
),
}

View File

@ -9,10 +9,8 @@ package vtpm
import (
"bytes"
"crypto"
"crypto/rsa"
"crypto/sha256"
"encoding/json"
"errors"
"fmt"
"io"
@ -64,8 +62,6 @@ type (
GetInstanceInfo func(tpm io.ReadWriteCloser) ([]byte, error)
// ValidateCVM validates confidential computing capabilities of the instance issuing the attestation.
ValidateCVM func(attestation AttestationDocument) error
// VerifyUserData verifies signed user data.
VerifyUserData func(pub crypto.PublicKey, hash crypto.Hash, hashed, sig []byte) error
)
// AttestationLogger is a logger used to print warnings and infos during attestation validation.
@ -141,14 +137,13 @@ type Validator struct {
expected measurements.M
getTrustedKey GetTPMTrustedAttestationPublicKey
validateCVM ValidateCVM
verifyUserData VerifyUserData
log AttestationLogger
}
// NewValidator returns a new Validator.
func NewValidator(expected measurements.M, getTrustedKey GetTPMTrustedAttestationPublicKey,
validateCVM ValidateCVM, verifyUserData VerifyUserData, log AttestationLogger,
validateCVM ValidateCVM, log AttestationLogger,
) *Validator {
if log == nil {
log = &nopAttestationLogger{}
@ -157,7 +152,6 @@ func NewValidator(expected measurements.M, getTrustedKey GetTPMTrustedAttestatio
expected: expected,
getTrustedKey: getTrustedKey,
validateCVM: validateCVM,
verifyUserData: verifyUserData,
log: log,
}
}
@ -236,15 +230,6 @@ func GetSHA256QuoteIndex(quotes []*tpmProto.Quote) (int, error) {
return 0, fmt.Errorf("attestation did not include SHA256 hashed PCRs")
}
// VerifyPKCS1v15 is a convenience function to call rsa.VerifyPKCS1v15.
func VerifyPKCS1v15(pub crypto.PublicKey, hash crypto.Hash, hashed, sig []byte) error {
key, ok := pub.(*rsa.PublicKey)
if !ok {
return errors.New("key is not an RSA public key")
}
return rsa.VerifyPKCS1v15(key, hash, hashed, sig)
}
// GetSelectedMeasurements returns a map of Measurments for the PCRs in selection.
func GetSelectedMeasurements(open TPMOpenFunc, selection tpm2.PCRSelection) (measurements.M, error) {
tpm, err := open()

View File

@ -76,7 +76,7 @@ func TestValidate(t *testing.T) {
defer tpmCloser.Close()
issuer := NewIssuer(tpmOpen, tpmclient.AttestationKeyRSA, fakeGetInstanceInfo)
validator := NewValidator(testExpectedPCRs, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15, nil)
validator := NewValidator(testExpectedPCRs, fakeGetTrustedKey, fakeValidateCVM, nil)
nonce := []byte{1, 2, 3, 4}
challenge := []byte("Constellation")
@ -136,7 +136,6 @@ func TestValidate(t *testing.T) {
expectedPCRs,
fakeGetTrustedKey,
fakeValidateCVM,
VerifyPKCS1v15,
warnLog,
)
out, err = warningValidator.Validate(attDocRaw, nonce)
@ -151,18 +150,18 @@ func TestValidate(t *testing.T) {
wantErr bool
}{
"valid": {
validator: NewValidator(testExpectedPCRs, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15, warnLog),
validator: NewValidator(testExpectedPCRs, fakeGetTrustedKey, fakeValidateCVM, warnLog),
attDoc: mustMarshalAttestation(attDoc, require),
nonce: nonce,
},
"invalid nonce": {
validator: NewValidator(testExpectedPCRs, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15, warnLog),
validator: NewValidator(testExpectedPCRs, fakeGetTrustedKey, fakeValidateCVM, warnLog),
attDoc: mustMarshalAttestation(attDoc, require),
nonce: []byte{4, 3, 2, 1},
wantErr: true,
},
"invalid signature": {
validator: NewValidator(testExpectedPCRs, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15, warnLog),
validator: NewValidator(testExpectedPCRs, fakeGetTrustedKey, fakeValidateCVM, warnLog),
attDoc: mustMarshalAttestation(AttestationDocument{
Attestation: attDoc.Attestation,
InstanceInfo: attDoc.InstanceInfo,
@ -177,7 +176,7 @@ func TestValidate(t *testing.T) {
func(akPub, instanceInfo []byte) (crypto.PublicKey, error) {
return nil, errors.New("untrusted")
},
fakeValidateCVM, VerifyPKCS1v15, warnLog),
fakeValidateCVM, warnLog),
attDoc: mustMarshalAttestation(attDoc, require),
nonce: nonce,
wantErr: true,
@ -189,7 +188,7 @@ func TestValidate(t *testing.T) {
func(attestation AttestationDocument) error {
return errors.New("untrusted")
},
VerifyPKCS1v15, warnLog),
warnLog),
attDoc: mustMarshalAttestation(attDoc, require),
nonce: nonce,
wantErr: true,
@ -204,13 +203,13 @@ func TestValidate(t *testing.T) {
},
fakeGetTrustedKey,
fakeValidateCVM,
VerifyPKCS1v15, warnLog),
warnLog),
attDoc: mustMarshalAttestation(attDoc, require),
nonce: nonce,
wantErr: true,
},
"no sha256 quote": {
validator: NewValidator(testExpectedPCRs, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15, warnLog),
validator: NewValidator(testExpectedPCRs, fakeGetTrustedKey, fakeValidateCVM, warnLog),
attDoc: mustMarshalAttestation(AttestationDocument{
Attestation: &attest.Attestation{
AkPub: attDoc.Attestation.AkPub,
@ -227,7 +226,7 @@ func TestValidate(t *testing.T) {
wantErr: true,
},
"invalid attestation document": {
validator: NewValidator(testExpectedPCRs, fakeGetTrustedKey, fakeValidateCVM, VerifyPKCS1v15, warnLog),
validator: NewValidator(testExpectedPCRs, fakeGetTrustedKey, fakeValidateCVM, warnLog),
attDoc: []byte("invalid attestation"),
nonce: nonce,
wantErr: true,