Move aTLS fakes into atls package

2024-10-01 01:36:09 -04:00 · 2022-06-15 15:58:23 +02:00 · 2022-06-15 15:58:23 +02:00 · b926cf9006
commit b926cf9006
parent 85ba2657e1
16 changed files with 161 additions and 177 deletions
--- a/coordinator/cmd/coordinator/main.go
+++ b/coordinator/cmd/coordinator/main.go
@ -22,6 +22,7 @@ import (
 	"github.com/edgelesssys/constellation/coordinator/logging"
 	"github.com/edgelesssys/constellation/coordinator/util"
 	"github.com/edgelesssys/constellation/coordinator/wireguard"
+	"github.com/edgelesssys/constellation/internal/atls"
 	"github.com/edgelesssys/constellation/internal/attestation/azure"
 	"github.com/edgelesssys/constellation/internal/attestation/gcp"
 	"github.com/edgelesssys/constellation/internal/attestation/qemu"
@ -29,6 +30,7 @@ import (
 	"github.com/edgelesssys/constellation/internal/attestation/vtpm"
 	"github.com/edgelesssys/constellation/internal/file"
 	"github.com/edgelesssys/constellation/internal/grpc/dialer"
+	"github.com/edgelesssys/constellation/internal/oid"
 	grpc_zap "github.com/grpc-ecosystem/go-grpc-middleware/logging/zap"
 	"github.com/spf13/afero"
 	"go.uber.org/zap"
@ -181,8 +183,8 @@ func main() {
 		openTPM = vtpm.OpenVTPM
 		fs = afero.NewOsFs()
 	default:
-		issuer = core.NewMockIssuer()
-		validator = core.NewMockValidator()
+		issuer = atls.NewFakeIssuer(oid.Dummy{})
+		validator = atls.NewFakeValidator(oid.Dummy{})
 		kube = &core.ClusterFake{}
 		coreMetadata = &core.ProviderMetadataFake{}
 		cloudLogger = &logging.NopLogger{}
--- a/coordinator/coordinator_test.go
+++ b/coordinator/coordinator_test.go
@ -24,6 +24,7 @@ import (
 	"github.com/edgelesssys/constellation/internal/grpc/atlscredentials"
 	"github.com/edgelesssys/constellation/internal/grpc/dialer"
 	"github.com/edgelesssys/constellation/internal/grpc/testdialer"
+	"github.com/edgelesssys/constellation/internal/oid"
 	kms "github.com/edgelesssys/constellation/kms/server/setup"
 	"github.com/spf13/afero"
 	"github.com/stretchr/testify/assert"
@ -221,12 +222,12 @@ func spawnPeer(require *require.Assertions, logger *zap.Logger, netDialer *testd
 	getPublicAddr := func() (string, error) {
 		return "192.0.2.1", nil
 	}
-	dialer := dialer.New(nil, &core.MockValidator{}, netDialer)
+	dialer := dialer.New(nil, atls.NewFakeValidator(oid.Dummy{}), netDialer)
 	vapiServer := &fakeVPNAPIServer{logger: logger.Named("vpnapi"), core: cor, dialer: netDialer}

 	papi := pubapi.New(logger, &logging.NopLogger{}, cor, dialer, vapiServer, getPublicAddr, nil)

-	creds := atlscredentials.New(&core.MockIssuer{}, nil)
+	creds := atlscredentials.New(atls.NewFakeIssuer(oid.Dummy{}), nil)
 	server := grpc.NewServer(grpc.Creds(creds))
 	pubproto.RegisterAPIServer(server, papi)

@ -263,7 +264,7 @@ func activateCoordinator(require *require.Assertions, dialer netDialer, coordina
 }

 func dialGRPC(ctx context.Context, dialer netDialer, target string) (*grpc.ClientConn, error) {
-	creds := atlscredentials.New(nil, []atls.Validator{&core.MockValidator{}})
+	creds := atlscredentials.New(nil, atls.NewFakeValidators(oid.Dummy{}))

 	return grpc.DialContext(ctx, target,
 		grpc.WithContextDialer(func(ctx context.Context, addr string) (net.Conn, error) {
--- a/coordinator/core/attest.go
+++ b/coordinator/core/attest.go
@ -1,10 +1,6 @@
 package core

 import (
-	"bytes"
-	"encoding/json"
-	"fmt"
-
 	"github.com/edgelesssys/constellation/internal/oid"
 )

@ -23,50 +19,3 @@ type QuoteIssuer interface {
 	// Issue issues a quote for remote attestation for a given message
 	Issue(userData []byte, nonce []byte) (quote []byte, err error)
 }
-
-type mockAttDoc struct {
-	UserData []byte
-	Nonce    []byte
-}
-
-func newMockAttDoc(userData []byte, nonce []byte) *mockAttDoc {
-	return &mockAttDoc{UserData: userData, Nonce: nonce}
-}
-
-type MockValidator struct {
-	oid.Dummy
-}
-
-// NewMockValidator returns a new MockValidator object.
-func NewMockValidator() *MockValidator {
-	return &MockValidator{}
-}
-
-// Validate implements the Validator interface.
-func (m *MockValidator) Validate(attDoc []byte, nonce []byte) ([]byte, error) {
-	var doc mockAttDoc
-
-	if err := json.Unmarshal(attDoc, &doc); err != nil {
-		return nil, err
-	}
-
-	if !bytes.Equal(doc.Nonce, nonce) {
-		return nil, fmt.Errorf("attDoc not valid: nonce not found")
-	}
-	return doc.UserData, nil
-}
-
-// MockIssuer is a mockup quote issuer.
-type MockIssuer struct {
-	oid.Dummy
-}
-
-// NewMockIssuer returns a new MockIssuer object.
-func NewMockIssuer() *MockIssuer {
-	return &MockIssuer{}
-}
-
-// Issue implements the Issuer interface.
-func (m *MockIssuer) Issue(userData []byte, nonce []byte) ([]byte, error) {
-	return json.Marshal(newMockAttDoc(userData, nonce))
-}
--- a/coordinator/core/core.go
+++ b/coordinator/core/core.go
@ -129,7 +129,7 @@ func (c *Core) SwitchToPersistentStore() error {
 		return err
 	}
 	c.store = newStore
-	c.zaplogger.Info("transition to persistent store successful")
+	c.zaplogger.Info("Transition to persistent store successful")
 	return nil
 }

--- a/coordinator/core/core_test.go
+++ b/coordinator/core/core_test.go
@ -11,12 +11,14 @@ import (
 	"github.com/edgelesssys/constellation/coordinator/role"
 	"github.com/edgelesssys/constellation/coordinator/state"
 	"github.com/edgelesssys/constellation/coordinator/store"
+	"github.com/edgelesssys/constellation/internal/atls"
 	"github.com/edgelesssys/constellation/internal/attestation/simulator"
 	"github.com/edgelesssys/constellation/internal/attestation/vtpm"
 	"github.com/edgelesssys/constellation/internal/deploy/user"
 	"github.com/edgelesssys/constellation/internal/file"
 	"github.com/edgelesssys/constellation/internal/grpc/dialer"
 	"github.com/edgelesssys/constellation/internal/grpc/testdialer"
+	"github.com/edgelesssys/constellation/internal/oid"
 	kms "github.com/edgelesssys/constellation/kms/server/setup"
 	"github.com/spf13/afero"
 	"github.com/stretchr/testify/assert"
@ -220,7 +222,7 @@ func TestInitialize(t *testing.T) {
 			// prepare store to emulate initialized KMS
 			require.NoError(core.data().PutKMSData(kms.KMSInformation{StorageUri: kms.NoStoreURI, KmsUri: kms.ClusterKMSURI}))
 			require.NoError(core.data().PutMasterSecret([]byte("master-secret")))
-			dialer := dialer.New(nil, &MockValidator{}, testdialer.NewBufconnDialer())
+			dialer := dialer.New(nil, atls.NewFakeValidator(oid.Dummy{}), testdialer.NewBufconnDialer())

 			nodeActivated, err := core.Initialize(context.Background(), dialer, &stubPubAPI{})
 			if tc.wantErr {
--- a/coordinator/core/legacy_test.go
+++ b/coordinator/core/legacy_test.go
@ -15,11 +15,13 @@ import (
 	"github.com/edgelesssys/constellation/coordinator/state"
 	"github.com/edgelesssys/constellation/coordinator/vpnapi"
 	"github.com/edgelesssys/constellation/coordinator/vpnapi/vpnproto"
+	"github.com/edgelesssys/constellation/internal/atls"
 	"github.com/edgelesssys/constellation/internal/attestation/simulator"
 	"github.com/edgelesssys/constellation/internal/deploy/user"
 	"github.com/edgelesssys/constellation/internal/file"
 	"github.com/edgelesssys/constellation/internal/grpc/atlscredentials"
 	"github.com/edgelesssys/constellation/internal/grpc/dialer"
+	"github.com/edgelesssys/constellation/internal/oid"
 	kms "github.com/edgelesssys/constellation/kms/server/setup"
 	"github.com/spf13/afero"
 	"github.com/stretchr/testify/assert"
@ -120,7 +122,7 @@ func newMockCoreWithDialer(bufDialer *bufconnDialer) (*Core, *pubapi.API, error)
 		return nil, nil, err
 	}

-	dialer := dialer.New(nil, NewMockValidator(), bufDialer)
+	dialer := dialer.New(nil, atls.NewFakeValidator(oid.Dummy{}), bufDialer)
 	vpn := &stubVPN{}
 	kubeFake := &ClusterFake{}
 	metadataFake := &ProviderMetadataFake{}
@ -170,7 +172,7 @@ func (b *bufconnDialer) addListener(endpoint string, listener *bufconn.Listener)
 }

 func spawnNode(endpoint string, testNodeCore *pubapi.API, bufDialer *bufconnDialer) (*grpc.Server, error) {
-	creds := atlscredentials.New(&MockIssuer{}, nil)
+	creds := atlscredentials.New(atls.NewFakeIssuer(oid.Dummy{}), nil)

 	grpcServer := grpc.NewServer(grpc.Creds(creds))
 	pubproto.RegisterAPIServer(grpcServer, testNodeCore)
--- a/coordinator/core/reinitialize_test.go
+++ b/coordinator/core/reinitialize_test.go
@ -9,11 +9,13 @@ import (
 	"github.com/edgelesssys/constellation/coordinator/peer"
 	"github.com/edgelesssys/constellation/coordinator/pubapi/pubproto"
 	"github.com/edgelesssys/constellation/coordinator/role"
+	"github.com/edgelesssys/constellation/internal/atls"
 	"github.com/edgelesssys/constellation/internal/deploy/user"
 	"github.com/edgelesssys/constellation/internal/file"
 	"github.com/edgelesssys/constellation/internal/grpc/atlscredentials"
 	"github.com/edgelesssys/constellation/internal/grpc/dialer"
 	"github.com/edgelesssys/constellation/internal/grpc/testdialer"
+	"github.com/edgelesssys/constellation/internal/oid"
 	kms "github.com/edgelesssys/constellation/kms/server/setup"
 	"github.com/spf13/afero"
 	"github.com/stretchr/testify/assert"
@ -73,7 +75,7 @@ func TestReinitializeAsNode(t *testing.T) {

 			coordinators := []cloudtypes.Instance{{PrivateIPs: []string{"192.0.2.1"}, Role: role.Coordinator}}
 			netDialer := testdialer.NewBufconnDialer()
-			dialer := dialer.New(nil, &MockValidator{}, netDialer)
+			dialer := dialer.New(nil, atls.NewFakeValidator(oid.Dummy{}), netDialer)
 			server := newPubAPIServer()
 			api := &pubAPIServerStub{responses: tc.getInitialVPNPeersResponses}
 			pubproto.RegisterAPIServer(server, api)
@ -146,7 +148,7 @@ func TestReinitializeAsCoordinator(t *testing.T) {

 			coordinators := []cloudtypes.Instance{{PrivateIPs: []string{"192.0.2.1"}, Role: role.Coordinator}}
 			netDialer := testdialer.NewBufconnDialer()
-			dialer := dialer.New(nil, &MockValidator{}, netDialer)
+			dialer := dialer.New(nil, atls.NewFakeValidator(oid.Dummy{}), netDialer)
 			server := newPubAPIServer()
 			api := &pubAPIServerStub{responses: tc.getInitialVPNPeersResponses}
 			pubproto.RegisterAPIServer(server, api)
@ -234,7 +236,7 @@ func TestGetInitialVPNPeers(t *testing.T) {
 			zapLogger, err := zap.NewDevelopment()
 			require.NoError(err)
 			netDialer := testdialer.NewBufconnDialer()
-			dialer := dialer.New(nil, &MockValidator{}, netDialer)
+			dialer := dialer.New(nil, atls.NewFakeValidator(oid.Dummy{}), netDialer)
 			server := newPubAPIServer()
 			api := &pubAPIServerStub{
 				responses: []struct {
@ -258,7 +260,7 @@ func TestGetInitialVPNPeers(t *testing.T) {
 }

 func newPubAPIServer() *grpc.Server {
-	creds := atlscredentials.New(&MockIssuer{}, nil)
+	creds := atlscredentials.New(atls.NewFakeIssuer(oid.Dummy{}), nil)

 	return grpc.NewServer(grpc.Creds(creds))
 }
--- a/coordinator/pubapi/coord_test.go
+++ b/coordinator/pubapi/coord_test.go
@ -10,12 +10,12 @@ import (
 	"sync"
 	"testing"

-	"github.com/edgelesssys/constellation/coordinator/core"
 	"github.com/edgelesssys/constellation/coordinator/logging"
 	"github.com/edgelesssys/constellation/coordinator/peer"
 	"github.com/edgelesssys/constellation/coordinator/pubapi/pubproto"
 	"github.com/edgelesssys/constellation/coordinator/role"
 	"github.com/edgelesssys/constellation/coordinator/state"
+	"github.com/edgelesssys/constellation/internal/atls"
 	"github.com/edgelesssys/constellation/internal/attestation/vtpm"
 	"github.com/edgelesssys/constellation/internal/deploy/ssh"
 	"github.com/edgelesssys/constellation/internal/deploy/user"
@ -524,7 +524,7 @@ func TestRequestStateDiskKey(t *testing.T) {
 			assert := assert.New(t)
 			require := require.New(t)

-			issuer := core.NewMockIssuer()
+			issuer := atls.NewFakeIssuer(oid.Dummy{})

 			stateDiskServer := &stubStateDiskServer{pushKeyErr: tc.pushKeyErr}

--- a/coordinator/pubapi/node_test.go
+++ b/coordinator/pubapi/node_test.go
@ -8,7 +8,6 @@ import (
 	"net"
 	"testing"

-	"github.com/edgelesssys/constellation/coordinator/core"
 	"github.com/edgelesssys/constellation/coordinator/logging"
 	"github.com/edgelesssys/constellation/coordinator/peer"
 	"github.com/edgelesssys/constellation/coordinator/pubapi/pubproto"
@ -21,6 +20,7 @@ import (
 	"github.com/edgelesssys/constellation/internal/grpc/atlscredentials"
 	"github.com/edgelesssys/constellation/internal/grpc/dialer"
 	"github.com/edgelesssys/constellation/internal/grpc/testdialer"
+	"github.com/edgelesssys/constellation/internal/oid"
 	"github.com/spf13/afero"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@ -163,7 +163,7 @@ func TestActivateAsNode(t *testing.T) {
 			go vserver.Serve(netDialer.GetListener(net.JoinHostPort("10.118.0.1", vpnAPIPort)))
 			defer vserver.GracefulStop()

-			creds := atlscredentials.New(&core.MockIssuer{}, nil)
+			creds := atlscredentials.New(atls.NewFakeIssuer(oid.Dummy{}), nil)
 			pubserver := grpc.NewServer(grpc.Creds(creds))
 			pubproto.RegisterAPIServer(pubserver, api)
 			go pubserver.Serve(netDialer.GetListener(net.JoinHostPort(nodeIP, endpointAVPNPort)))
@ -432,7 +432,7 @@ func activateNode(require *require.Assertions, dialer netDialer, messageSequence
 }

 func dialGRPC(ctx context.Context, dialer netDialer, target string) (*grpc.ClientConn, error) {
-	creds := atlscredentials.New(nil, []atls.Validator{&core.MockValidator{}})
+	creds := atlscredentials.New(nil, atls.NewFakeValidators(oid.Dummy{}))

 	return grpc.DialContext(ctx, target,
 		grpc.WithContextDialer(func(ctx context.Context, addr string) (net.Conn, error) {
--- a/internal/atls/atls.go
+++ b/internal/atls/atls.go
@ -11,6 +11,7 @@ import (
 	"crypto/x509/pkix"
 	"encoding/asn1"
 	"encoding/base64"
+	"encoding/json"
 	"errors"
 	"fmt"
 	"math/big"
@ -333,3 +334,62 @@ func (c *serverConnection) getCertificate(chi *tls.ClientHelloInfo) (*tls.Certif
 	// create aTLS certificate using the nonce as extracted from the client-hello message
 	return getCertificate(c.issuer, c.privKey, &c.privKey.PublicKey, clientNonce)
 }
+
+// FakeIssuer fakes an issuer and can be used for tests.
+type FakeIssuer struct {
+	oid.Getter
+}
+
+// NewFakeIssuer creates a new FakeIssuer with the given OID.
+func NewFakeIssuer(oid oid.Getter) *FakeIssuer {
+	return &FakeIssuer{oid}
+}
+
+// Issue marshals the user data and returns it.
+func (FakeIssuer) Issue(userData []byte, nonce []byte) ([]byte, error) {
+	return json.Marshal(FakeAttestationDoc{UserData: userData, Nonce: nonce})
+}
+
+// FakeValidator fakes a validator and can be used for tests.
+type FakeValidator struct {
+	oid.Getter
+	err error // used for package internal testing only
+}
+
+// NewFakeValidator creates a new FakeValidator with the given OID.
+func NewFakeValidator(oid oid.Getter) *FakeValidator {
+	return &FakeValidator{oid, nil}
+}
+
+// NewFakeValidators returns a slice with a single FakeValidator.
+func NewFakeValidators(oid oid.Getter) []Validator {
+	return []Validator{NewFakeValidator(oid)}
+}
+
+// Validate unmarshals the attestation document and verifies the nonce.
+func (v FakeValidator) Validate(attDoc []byte, nonce []byte) ([]byte, error) {
+	var doc FakeAttestationDoc
+	if err := json.Unmarshal(attDoc, &doc); err != nil {
+		return nil, err
+	}
+
+	if !bytes.Equal(doc.Nonce, nonce) {
+		return nil, fmt.Errorf("invalid nonce: expected %x, got %x", doc.Nonce, nonce)
+	}
+
+	return doc.UserData, v.err
+}
+
+// FakeAttestationDoc is a fake attestation document used for testing.
+type FakeAttestationDoc struct {
+	UserData []byte
+	Nonce    []byte
+}
+
+type fakeOID struct {
+	asn1.ObjectIdentifier
+}
+
+func (o fakeOID) OID() asn1.ObjectIdentifier {
+	return o.ObjectIdentifier
+}
--- a/internal/atls/atls_test.go
+++ b/internal/atls/atls_test.go
@ -1,16 +1,15 @@
 package atls

 import (
-	"bytes"
 	"context"
 	"encoding/asn1"
-	"encoding/json"
 	"errors"
 	"io"
 	"net/http"
 	"net/http/httptest"
 	"testing"

+	"github.com/edgelesssys/constellation/internal/oid"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"go.uber.org/goleak"
@ -21,8 +20,8 @@ func TestMain(m *testing.M) {
 }

 func TestTLSConfig(t *testing.T) {
-	oid1 := fakeOID{1, 3, 9900, 1}
-	oid2 := fakeOID{1, 3, 9900, 2}
+	oid1 := fakeOID{asn1.ObjectIdentifier{1, 3, 9900, 1}}
+	oid2 := fakeOID{asn1.ObjectIdentifier{1, 3, 9900, 2}}

 	testCases := map[string]struct {
 		clientIssuer     Issuer
@ -32,95 +31,95 @@ func TestTLSConfig(t *testing.T) {
 		wantErr          bool
 	}{
 		"client->server basic": {
-			serverIssuer:     fakeIssuer{fakeOID: oid1},
-			clientValidators: []Validator{fakeValidator{fakeOID: oid1}},
+			serverIssuer:     NewFakeIssuer(oid1),
+			clientValidators: []Validator{NewFakeValidator(oid1)},
 		},
 		"client->server multiple validators": {
-			serverIssuer:     fakeIssuer{fakeOID: oid2},
-			clientValidators: []Validator{fakeValidator{fakeOID: oid1}, fakeValidator{fakeOID: oid2}},
+			serverIssuer:     NewFakeIssuer(oid2),
+			clientValidators: []Validator{NewFakeValidator(oid1), NewFakeValidator(oid2)},
 		},
 		"client->server validate error": {
-			serverIssuer:     fakeIssuer{fakeOID: oid1},
-			clientValidators: []Validator{fakeValidator{fakeOID: oid1, err: errors.New("failed")}},
+			serverIssuer:     NewFakeIssuer(oid1),
+			clientValidators: []Validator{FakeValidator{oid1, errors.New("failed")}},
 			wantErr:          true,
 		},
 		"client->server unknown oid": {
-			serverIssuer:     fakeIssuer{fakeOID: oid1},
-			clientValidators: []Validator{fakeValidator{fakeOID: oid2}},
+			serverIssuer:     NewFakeIssuer(oid1),
+			clientValidators: []Validator{NewFakeValidator(oid2)},
 			wantErr:          true,
 		},
 		"client->server client cert is not verified": {
-			serverIssuer:     fakeIssuer{fakeOID: oid1},
-			clientValidators: []Validator{fakeValidator{fakeOID: oid1}},
+			serverIssuer:     NewFakeIssuer(oid1),
+			clientValidators: []Validator{NewFakeValidator(oid1)},
 		},
 		"server->client basic": {
-			serverValidators: []Validator{fakeValidator{fakeOID: oid1}},
-			clientIssuer:     fakeIssuer{fakeOID: oid1},
+			serverValidators: []Validator{NewFakeValidator(oid1)},
+			clientIssuer:     NewFakeIssuer(oid1),
 		},
 		"server->client multiple validators": {
-			serverValidators: []Validator{fakeValidator{fakeOID: oid1}, fakeValidator{fakeOID: oid2}},
-			clientIssuer:     fakeIssuer{fakeOID: oid2},
+			serverValidators: []Validator{NewFakeValidator(oid1), NewFakeValidator(oid2)},
+			clientIssuer:     NewFakeIssuer(oid2),
 		},
 		"server->client validate error": {
-			serverValidators: []Validator{fakeValidator{fakeOID: oid1, err: errors.New("failed")}},
-			clientIssuer:     fakeIssuer{fakeOID: oid1},
+			serverValidators: []Validator{FakeValidator{oid1, errors.New("failed")}},
+			clientIssuer:     NewFakeIssuer(oid1),
 			wantErr:          true,
 		},
 		"server->client unknown oid": {
-			serverValidators: []Validator{fakeValidator{fakeOID: oid2}},
-			clientIssuer:     fakeIssuer{fakeOID: oid1},
+			serverValidators: []Validator{NewFakeValidator(oid2)},
+			clientIssuer:     NewFakeIssuer(oid1),
 			wantErr:          true,
 		},
 		"mutual basic": {
-			serverIssuer:     fakeIssuer{fakeOID: oid1},
-			serverValidators: []Validator{fakeValidator{fakeOID: oid1}},
-			clientIssuer:     fakeIssuer{fakeOID: oid1},
-			clientValidators: []Validator{fakeValidator{fakeOID: oid1}},
+			serverIssuer:     NewFakeIssuer(oid1),
+			serverValidators: []Validator{NewFakeValidator(oid1)},
+			clientIssuer:     NewFakeIssuer(oid1),
+			clientValidators: []Validator{NewFakeValidator(oid1)},
 		},
 		"mutual multiple validators": {
-			serverIssuer:     fakeIssuer{fakeOID: oid2},
-			serverValidators: []Validator{fakeValidator{fakeOID: oid1}, fakeValidator{fakeOID: oid2}},
-			clientIssuer:     fakeIssuer{fakeOID: oid2},
-			clientValidators: []Validator{fakeValidator{fakeOID: oid1}, fakeValidator{fakeOID: oid2}},
+			serverIssuer:     NewFakeIssuer(oid2),
+			serverValidators: []Validator{NewFakeValidator(oid1), NewFakeValidator(oid2)},
+			clientIssuer:     NewFakeIssuer(oid2),
+			clientValidators: []Validator{NewFakeValidator(oid1), NewFakeValidator(oid2)},
 		},
 		"mutual fails if client sends no attestation": {
-			serverIssuer:     fakeIssuer{fakeOID: oid1},
-			serverValidators: []Validator{fakeValidator{fakeOID: oid1}},
-			clientValidators: []Validator{fakeValidator{fakeOID: oid1}},
+			serverIssuer:     NewFakeIssuer(oid1),
+			serverValidators: []Validator{NewFakeValidator(oid1)},
+			clientValidators: []Validator{NewFakeValidator(oid1)},
 			wantErr:          true,
 		},
 		"mutual fails if server sends no attestation": {
-			serverValidators: []Validator{fakeValidator{fakeOID: oid1}},
-			clientIssuer:     fakeIssuer{fakeOID: oid1},
-			clientValidators: []Validator{fakeValidator{fakeOID: oid1}},
+			serverValidators: []Validator{NewFakeValidator(oid1)},
+			clientIssuer:     NewFakeIssuer(oid1),
+			clientValidators: []Validator{NewFakeValidator(oid1)},
 			wantErr:          true,
 		},
 		"mutual validate error client side": {
-			serverIssuer:     fakeIssuer{fakeOID: oid1},
-			serverValidators: []Validator{fakeValidator{fakeOID: oid1}},
-			clientIssuer:     fakeIssuer{fakeOID: oid1},
-			clientValidators: []Validator{fakeValidator{fakeOID: oid1, err: errors.New("failed")}},
+			serverIssuer:     NewFakeIssuer(oid1),
+			serverValidators: []Validator{NewFakeValidator(oid1)},
+			clientIssuer:     NewFakeIssuer(oid1),
+			clientValidators: []Validator{FakeValidator{oid1, errors.New("failed")}},
 			wantErr:          true,
 		},
 		"mutual validate error server side": {
-			serverIssuer:     fakeIssuer{fakeOID: oid1},
-			serverValidators: []Validator{fakeValidator{fakeOID: oid1, err: errors.New("failed")}},
-			clientIssuer:     fakeIssuer{fakeOID: oid1},
-			clientValidators: []Validator{fakeValidator{fakeOID: oid1}},
+			serverIssuer:     NewFakeIssuer(oid1),
+			serverValidators: []Validator{FakeValidator{oid1, errors.New("failed")}},
+			clientIssuer:     NewFakeIssuer(oid1),
+			clientValidators: []Validator{NewFakeValidator(oid1)},
 			wantErr:          true,
 		},
 		"mutual unknown oid from client": {
-			serverIssuer:     fakeIssuer{fakeOID: oid1},
-			serverValidators: []Validator{fakeValidator{fakeOID: oid1}},
-			clientIssuer:     fakeIssuer{fakeOID: oid2},
-			clientValidators: []Validator{fakeValidator{fakeOID: oid1}},
+			serverIssuer:     NewFakeIssuer(oid1),
+			serverValidators: []Validator{NewFakeValidator(oid1)},
+			clientIssuer:     NewFakeIssuer(oid2),
+			clientValidators: []Validator{NewFakeValidator(oid1)},
 			wantErr:          true,
 		},
 		"mutual unknown oid from server": {
-			serverIssuer:     fakeIssuer{fakeOID: oid2},
-			serverValidators: []Validator{fakeValidator{fakeOID: oid1}},
-			clientIssuer:     fakeIssuer{fakeOID: oid1},
-			clientValidators: []Validator{fakeValidator{fakeOID: oid1}},
+			serverIssuer:     NewFakeIssuer(oid2),
+			serverValidators: []Validator{NewFakeValidator(oid1)},
+			clientIssuer:     NewFakeIssuer(oid1),
+			clientValidators: []Validator{NewFakeValidator(oid1)},
 			wantErr:          true,
 		},
 	}
@ -186,10 +185,9 @@ func TestClientConnectionConcurrency(t *testing.T) {
 	const serverCount = 15

 	var urls []string
-	oid1 := fakeOID{1, 3, 9900, 1}

 	for i := 0; i < serverCount; i++ {
-		serverCfg, err := CreateAttestationServerTLSConfig(fakeIssuer{fakeOID: oid1}, []Validator{fakeValidator{fakeOID: oid1}})
+		serverCfg, err := CreateAttestationServerTLSConfig(NewFakeIssuer(oid.Dummy{}), NewFakeValidators(oid.Dummy{}))
 		require.NoError(err)

 		server := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@ -207,7 +205,7 @@ func TestClientConnectionConcurrency(t *testing.T) {
 	// Create client.
 	//

-	clientConfig, err := CreateAttestationClientTLSConfig(fakeIssuer{fakeOID: oid1}, []Validator{fakeValidator{fakeOID: oid1}})
+	clientConfig, err := CreateAttestationClientTLSConfig(NewFakeIssuer(oid.Dummy{}), NewFakeValidators(oid.Dummy{}))
 	require.NoError(err)
 	client := http.Client{Transport: &http.Transport{TLSClientConfig: clientConfig}}

@ -261,9 +259,8 @@ func TestServerConnectionConcurrency(t *testing.T) {
 	const serverCount = 10

 	var urls []string
-	oid1 := fakeOID{1, 3, 9900, 1}

-	serverCfg, err := CreateAttestationServerTLSConfig(fakeIssuer{fakeOID: oid1}, []Validator{fakeValidator{fakeOID: oid1}})
+	serverCfg, err := CreateAttestationServerTLSConfig(NewFakeIssuer(oid.Dummy{}), NewFakeValidators(oid.Dummy{}))
 	require.NoError(err)

 	for i := 0; i < serverCount; i++ {
@ -282,7 +279,7 @@ func TestServerConnectionConcurrency(t *testing.T) {
 	// Create client.
 	//

-	clientConfig, err := CreateAttestationClientTLSConfig(fakeIssuer{fakeOID: oid1}, []Validator{fakeValidator{fakeOID: oid1}})
+	clientConfig, err := CreateAttestationClientTLSConfig(NewFakeIssuer(oid.Dummy{}), NewFakeValidators(oid.Dummy{}))
 	require.NoError(err)
 	client := http.Client{Transport: &http.Transport{TLSClientConfig: clientConfig}}

@ -321,38 +318,3 @@ func TestServerConnectionConcurrency(t *testing.T) {
 		assert.NoError(<-errChan)
 	}
 }
-
-type fakeIssuer struct {
-	fakeOID
-}
-
-func (fakeIssuer) Issue(userData []byte, nonce []byte) ([]byte, error) {
-	return json.Marshal(fakeDoc{UserData: userData, Nonce: nonce})
-}
-
-type fakeValidator struct {
-	fakeOID
-	err error
-}
-
-func (v fakeValidator) Validate(attDoc []byte, nonce []byte) ([]byte, error) {
-	var doc fakeDoc
-	if err := json.Unmarshal(attDoc, &doc); err != nil {
-		return nil, err
-	}
-	if !bytes.Equal(doc.Nonce, nonce) {
-		return nil, errors.New("invalid nonce")
-	}
-	return doc.UserData, v.err
-}
-
-type fakeOID asn1.ObjectIdentifier
-
-func (o fakeOID) OID() asn1.ObjectIdentifier {
-	return asn1.ObjectIdentifier(o)
-}
-
-type fakeDoc struct {
-	UserData []byte
-	Nonce    []byte
-}
--- a/internal/grpc/dialer/dialer_test.go
+++ b/internal/grpc/dialer/dialer_test.go
@ -4,9 +4,10 @@ import (
 	"context"
 	"testing"

-	"github.com/edgelesssys/constellation/coordinator/core"
+	"github.com/edgelesssys/constellation/internal/atls"
 	"github.com/edgelesssys/constellation/internal/grpc/atlscredentials"
 	"github.com/edgelesssys/constellation/internal/grpc/testdialer"
+	"github.com/edgelesssys/constellation/internal/oid"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"google.golang.org/grpc"
@ -63,8 +64,8 @@ func TestDial(t *testing.T) {
 			require := require.New(t)

 			netDialer := testdialer.NewBufconnDialer()
-			dialer := New(nil, &core.MockValidator{}, netDialer)
-			server := newServer(tc.tls)
+			dialer := New(nil, atls.NewFakeValidator(oid.Dummy{}), netDialer)
+			server := newServer(oid.Dummy{}, tc.tls)
 			api := &testAPI{}
 			grpc_testing.RegisterTestServiceServer(server, api)
 			go server.Serve(netDialer.GetListener("192.0.2.1:1234"))
@ -85,9 +86,9 @@ func TestDial(t *testing.T) {
 	}
 }

-func newServer(tls bool) *grpc.Server {
+func newServer(oid oid.Getter, tls bool) *grpc.Server {
 	if tls {
-		creds := atlscredentials.New(&core.MockIssuer{}, nil)
+		creds := atlscredentials.New(atls.NewFakeIssuer(oid), nil)
 		return grpc.NewServer(grpc.Creds(creds))
 	}
 	return grpc.NewServer()
--- a/internal/statuswaiter/statuswaiter_test.go
+++ b/internal/statuswaiter/statuswaiter_test.go
@ -6,10 +6,10 @@ import (
 	"testing"
 	"time"

-	"github.com/edgelesssys/constellation/coordinator/core"
 	"github.com/edgelesssys/constellation/coordinator/pubapi/pubproto"
 	"github.com/edgelesssys/constellation/coordinator/state"
 	"github.com/edgelesssys/constellation/internal/atls"
+	"github.com/edgelesssys/constellation/internal/oid"
 	"github.com/stretchr/testify/assert"
 	"google.golang.org/grpc"
 )
@ -29,7 +29,7 @@ func TestInitializeValidators(t *testing.T) {
 	assert.Error(waiter.InitializeValidators(nil))

 	// Initialized waiter succeeds
-	assert.NoError(waiter.InitializeValidators([]atls.Validator{core.NewMockValidator()}))
+	assert.NoError(waiter.InitializeValidators(atls.NewFakeValidators(oid.Dummy{})))
 	assert.NoError(waiter.WaitFor(context.Background(), "someIP", state.IsNode))
 }

--- a/state/keyservice/keyservice_test.go
+++ b/state/keyservice/keyservice_test.go
@ -8,10 +8,11 @@ import (
 	"time"

 	"github.com/edgelesssys/constellation/coordinator/cloudprovider/cloudtypes"
-	"github.com/edgelesssys/constellation/coordinator/core"
 	"github.com/edgelesssys/constellation/coordinator/pubapi/pubproto"
 	"github.com/edgelesssys/constellation/coordinator/role"
+	"github.com/edgelesssys/constellation/internal/atls"
 	"github.com/edgelesssys/constellation/internal/grpc/atlscredentials"
+	"github.com/edgelesssys/constellation/internal/oid"
 	"github.com/edgelesssys/constellation/state/keyservice/keyproto"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@ -75,7 +76,7 @@ func TestRequestKeyLoop(t *testing.T) {
 			listener := bufconn.Listen(1)
 			defer listener.Close()

-			creds := atlscredentials.New(core.NewMockIssuer(), nil)
+			creds := atlscredentials.New(atls.NewFakeIssuer(oid.Dummy{}), nil)
 			s := grpc.NewServer(grpc.Creds(creds))
 			pubproto.RegisterAPIServer(s, tc.server)

--- a/state/test/integration_test.go
+++ b/state/test/integration_test.go
@ -12,7 +12,9 @@ import (
 	"time"

 	"github.com/edgelesssys/constellation/coordinator/core"
+	"github.com/edgelesssys/constellation/internal/atls"
 	"github.com/edgelesssys/constellation/internal/grpc/atlscredentials"
+	"github.com/edgelesssys/constellation/internal/oid"
 	"github.com/edgelesssys/constellation/state/keyservice"
 	"github.com/edgelesssys/constellation/state/keyservice/keyproto"
 	"github.com/edgelesssys/constellation/state/mapper"
@ -83,7 +85,7 @@ func TestKeyAPI(t *testing.T) {
 	apiAddr := listener.Addr().String()
 	listener.Close()

-	api := keyservice.New(core.NewMockIssuer(), &core.ProviderMetadataFake{}, 20*time.Second)
+	api := keyservice.New(atls.NewFakeIssuer(oid.Dummy{}), &core.ProviderMetadataFake{}, 20*time.Second)

 	// send a key to the server
 	go func() {
--- a/test/coordinator_integration_test.go
+++ b/test/coordinator_integration_test.go
@ -20,13 +20,13 @@ import (
 	"github.com/docker/docker/client"
 	"github.com/docker/docker/pkg/archive"
 	"github.com/docker/go-connections/nat"
-	"github.com/edgelesssys/constellation/coordinator/core"
 	"github.com/edgelesssys/constellation/coordinator/pubapi/pubproto"
 	"github.com/edgelesssys/constellation/coordinator/role"
 	"github.com/edgelesssys/constellation/coordinator/store"
 	"github.com/edgelesssys/constellation/coordinator/storewrapper"
 	"github.com/edgelesssys/constellation/internal/atls"
 	"github.com/edgelesssys/constellation/internal/grpc/atlscredentials"
+	"github.com/edgelesssys/constellation/internal/oid"
 	kms "github.com/edgelesssys/constellation/kms/server/setup"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@ -249,7 +249,7 @@ func TestMain(t *testing.T) {

 // helper methods
 func startCoordinator(ctx context.Context, coordinatorAddr string, ips []string) error {
-	creds := atlscredentials.New(nil, []atls.Validator{&core.MockValidator{}})
+	creds := atlscredentials.New(nil, atls.NewFakeValidators(oid.Dummy{}))

 	conn, err := grpc.DialContext(ctx, net.JoinHostPort(coordinatorAddr, publicgRPCPort), grpc.WithTransportCredentials(creds))
 	if err != nil {
@ -296,7 +296,7 @@ func createTempDir() error {
 }

 func addNewCoordinatorToCoordinator(ctx context.Context, newCoordinatorAddr, oldCoordinatorAddr string) error {
-	creds := atlscredentials.New(nil, []atls.Validator{&core.MockValidator{}})
+	creds := atlscredentials.New(nil, atls.NewFakeValidators(oid.Dummy{}))

 	conn, err := grpc.DialContext(ctx, net.JoinHostPort(oldCoordinatorAddr, publicgRPCPort), grpc.WithTransportCredentials(creds))
 	if err != nil {
@ -316,7 +316,7 @@ func addNewCoordinatorToCoordinator(ctx context.Context, newCoordinatorAddr, old
 }

 func addNewNodesToCoordinator(ctx context.Context, coordinatorAddr string, ips []string) error {
-	creds := atlscredentials.New(nil, []atls.Validator{&core.MockValidator{}})
+	creds := atlscredentials.New(nil, atls.NewFakeValidators(oid.Dummy{}))

 	conn, err := grpc.DialContext(ctx, net.JoinHostPort(coordinatorAddr, publicgRPCPort), grpc.WithTransportCredentials(creds))
 	if err != nil {
@ -536,7 +536,7 @@ func awaitPeerResponse(ctx context.Context, ip string, credentials credentials.T
 }

 func blockUntilUp(ctx context.Context, peerIPs []string) error {
-	creds := atlscredentials.New(nil, []atls.Validator{&core.MockValidator{}})
+	creds := atlscredentials.New(nil, atls.NewFakeValidators(oid.Dummy{}))
 	for _, ip := range peerIPs {
 		// Block, so the connection gets established/fails immediately
 		if err := awaitPeerResponse(ctx, ip, creds); err != nil {