snp: use correct cert

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
2025-04-22 08:09:13 -04:00 · 2024-04-15 12:03:38 +02:00 · 2024-04-15 12:03:38 +02:00 · 694c8b124f
commit 694c8b124f
parent 282216d0c1
3 changed files with 10 additions and 10 deletions
--- a/internal/attestation/gcp/snp/issuer.go
+++ b/internal/attestation/gcp/snp/issuer.go
@ -62,8 +62,8 @@ func getInstanceInfo(_ context.Context, _ io.ReadWriteCloser, extraData []byte)
 	if len(extraData) > 64 {
 		return nil, fmt.Errorf("extra data too long: %d, should be 64 bytes at most", len(extraData))
 	}
-	extraData64 := make([]byte, 64)
-	copy(extraData64, extraData)
+	var extraData64 [64]byte
+	copy(extraData64[:], extraData)

 	device, err := sevclient.OpenDevice()
 	if err != nil {
--- a/internal/attestation/gcp/snp/validator.go
+++ b/internal/attestation/gcp/snp/validator.go
@ -68,21 +68,21 @@ func NewValidator(cfg *config.GCPSEVSNP, log attestation.Logger) (*Validator, er

 // getTrustedKey returns TPM endorsement key provided through the GCE metadata API.
 func (v *Validator) getTrustedKey(ctx context.Context, attDoc vtpm.AttestationDocument, extraData []byte) (crypto.PublicKey, error) {
-	ekPub, err := v.gceKeyGetter(ctx, attDoc, nil)
-	if err != nil {
-		return nil, fmt.Errorf("getting TPM endorsement key: %w", err)
-	}
-
 	if len(extraData) > 64 {
 		return nil, fmt.Errorf("extra data too long: %d, should be 64 bytes at most", len(extraData))
 	}
-	extraData64 := make([]byte, 64)
-	copy(extraData64, extraData)
+	var extraData64 [64]byte
+	copy(extraData64[:], extraData)

 	if err := v.reportValidator.validate(attDoc, (*x509.Certificate)(&v.cfg.AMDSigningKey), (*x509.Certificate)(&v.cfg.AMDRootKey), [64]byte(extraData64), v.cfg, v.log); err != nil {
 		return nil, fmt.Errorf("validating SNP report: %w", err)
 	}

+	ekPub, err := v.gceKeyGetter(ctx, attDoc, nil)
+	if err != nil {
+		return nil, fmt.Errorf("getting TPM endorsement key: %w", err)
+	}
+
 	return ekPub, nil
 }

--- a/internal/attestation/snp/snp.go
+++ b/internal/attestation/snp/snp.go
@ -137,7 +137,7 @@ func (a *InstanceInfo) AttestationWithCerts(getter trust.HTTPSGetter,
 		logger.Info("Using cached ASK certificate")
 		att.CertificateChain.AskCert = fallbackCerts.ask.Raw
 	}
-	if att.CertificateChain.ArkCert == nil && fallbackCerts.ark != nil {
+	if fallbackCerts.ark != nil {
 		logger.Info("Using cached ARK certificate")
 		att.CertificateChain.ArkCert = fallbackCerts.ark.Raw
 	}