attestation: add context to Issue and Validate methods (#1532)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
This commit is contained in:
parent
7c27d67953
commit
db5660e3d6
10 changed files with 43 additions and 34 deletions
|
@ -107,7 +107,7 @@ func NewIssuer(
|
|||
}
|
||||
|
||||
// Issue generates an attestation document using a TPM.
|
||||
func (i *Issuer) Issue(userData []byte, nonce []byte) (res []byte, err error) {
|
||||
func (i *Issuer) Issue(ctx context.Context, userData []byte, nonce []byte) (res []byte, err error) {
|
||||
i.log.Infof("Issuing attestation statement")
|
||||
defer func() {
|
||||
if err != nil {
|
||||
|
@ -136,7 +136,7 @@ func (i *Issuer) Issue(userData []byte, nonce []byte) (res []byte, err error) {
|
|||
}
|
||||
|
||||
// Fetch instance info of the VM
|
||||
instanceInfo, err := i.getInstanceInfo(context.TODO(), tpm, extraData) // TODO(daniel-weisse): update Issue/Validate to use context
|
||||
instanceInfo, err := i.getInstanceInfo(ctx, tpm, extraData)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("fetching instance info: %w", err)
|
||||
}
|
||||
|
@ -181,7 +181,7 @@ func NewValidator(expected measurements.M, getTrustedKey GetTPMTrustedAttestatio
|
|||
}
|
||||
|
||||
// Validate a TPM based attestation.
|
||||
func (v *Validator) Validate(attDocRaw []byte, nonce []byte) (userData []byte, err error) {
|
||||
func (v *Validator) Validate(ctx context.Context, attDocRaw []byte, nonce []byte) (userData []byte, err error) {
|
||||
v.log.Infof("Validating attestation document")
|
||||
defer func() {
|
||||
if err != nil {
|
||||
|
@ -197,7 +197,7 @@ func (v *Validator) Validate(attDocRaw []byte, nonce []byte) (userData []byte, e
|
|||
extraData := makeExtraData(attDoc.UserData, nonce)
|
||||
|
||||
// Verify and retrieve the trusted attestation public key using the provided instance info
|
||||
aKP, err := v.getTrustedKey(context.TODO(), attDoc, extraData)
|
||||
aKP, err := v.getTrustedKey(ctx, attDoc, extraData)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("validating attestation public key: %w", err)
|
||||
}
|
||||
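Review bot: The doc comments on the exported `Issue` (`// Issue generates an attestation document using a TPM.`) and `Validate` (`// Validate a TPM based attestation.`) do not describe the new `ctx` parameter, even though it now bounds the two calls that can reach outside the process: `i.getInstanceInfo(ctx, tpm, extraData)` in Issue and `v.getTrustedKey(ctx, attDoc, extraData)` in Validate. Since callers of a verifier need to know what a deadline actually cuts short, I'd extend them, e.g. `// Validate a TPM based attestation. ctx bounds the retrieval of the trusted attestation key; if it is cancelled or expires, Validate returns an error and no user data is released.` and the analogous sentence for Issue about the instance info fetch. Whether the TPM quote and PCR reads themselves observe ctx is not visible in this hunk — presumably they do not, which is worth stating so callers do not expect cancellation to interrupt TPM I/O. Both method bodies start and end outside the hunks shown.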
|
|
|
@ -84,7 +84,9 @@ func TestValidate(t *testing.T) {
|
|||
nonce := []byte{1, 2, 3, 4}
|
||||
challenge := []byte("Constellation")
|
||||
|
||||
attDocRaw, err := issuer.Issue(challenge, nonce)
|
||||
ctx := context.Background()
|
||||
|
||||
attDocRaw, err := issuer.Issue(ctx, challenge, nonce)
|
||||
require.NoError(err)
|
||||
|
||||
var attDoc AttestationDocument
|
||||
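Review bot: The new context parameter is only ever exercised with `context.Background()`, so nothing pins that an expired or cancelled context makes validation fail closed; if the test doubles behind `getTrustedKey` honor ctx, a case such as `cancelled, cancel := context.WithCancel(context.Background()); cancel()` followed by `_, err = validator.Validate(cancelled, attDocRaw, nonce)` with `require.Error(err)` would cover it, and an equivalent case for `issuer.Issue`. Whether the fakes used in TestValidate observe ctx is not visible here, so the case may first need the fake to return `ctx.Err()`. As a minor style point, TestFailIssuer further down passes `context.Background()` inline while this hunk hoists `ctx` — hoisting in both keeps the call sites uniform. TestValidate starts outside the hunk.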
|
@ -93,26 +95,26 @@ func TestValidate(t *testing.T) {
|
|||
require.Equal(challenge, attDoc.UserData)
|
||||
|
||||
// valid test
|
||||
out, err := validator.Validate(attDocRaw, nonce)
|
||||
out, err := validator.Validate(ctx, attDocRaw, nonce)
|
||||
require.NoError(err)
|
||||
require.Equal(challenge, out)
|
||||
|
||||
// validation must fail after bootstrapping (change of enforced PCR)
|
||||
require.NoError(MarkNodeAsBootstrapped(tpmOpen, []byte{2}))
|
||||
attDocBootstrappedRaw, err := issuer.Issue(challenge, nonce)
|
||||
attDocBootstrappedRaw, err := issuer.Issue(ctx, challenge, nonce)
|
||||
require.NoError(err)
|
||||
_, err = validator.Validate(attDocBootstrappedRaw, nonce)
|
||||
_, err = validator.Validate(ctx, attDocBootstrappedRaw, nonce)
|
||||
require.Error(err)
|
||||
|
||||
// userData must be bound to PCR state
|
||||
attDocBootstrappedRaw, err = issuer.Issue([]byte{2, 3}, nonce)
|
||||
attDocBootstrappedRaw, err = issuer.Issue(ctx, []byte{2, 3}, nonce)
|
||||
require.NoError(err)
|
||||
var attDocBootstrapped AttestationDocument
|
||||
require.NoError(json.Unmarshal(attDocBootstrappedRaw, &attDocBootstrapped))
|
||||
attDocBootstrapped.Attestation = attDoc.Attestation
|
||||
attDocBootstrappedRaw, err = json.Marshal(attDocBootstrapped)
|
||||
require.NoError(err)
|
||||
_, err = validator.Validate(attDocBootstrappedRaw, nonce)
|
||||
_, err = validator.Validate(ctx, attDocBootstrappedRaw, nonce)
|
||||
require.Error(err)
|
||||
|
||||
expectedPCRs := measurements.M{
|
||||
|
@ -141,7 +143,7 @@ func TestValidate(t *testing.T) {
|
|||
fakeValidateCVM,
|
||||
warnLog,
|
||||
)
|
||||
out, err = warningValidator.Validate(attDocRaw, nonce)
|
||||
out, err = warningValidator.Validate(ctx, attDocRaw, nonce)
|
||||
require.NoError(err)
|
||||
assert.Equal(t, challenge, out)
|
||||
assert.Len(t, warnLog.warnings, 4)
|
||||
|
@ -240,7 +242,7 @@ func TestValidate(t *testing.T) {
|
|||
t.Run(name, func(t *testing.T) {
|
||||
assert := assert.New(t)
|
||||
|
||||
_, err = tc.validator.Validate(tc.attDoc, tc.nonce)
|
||||
_, err = tc.validator.Validate(ctx, tc.attDoc, tc.nonce)
|
||||
if tc.wantErr {
|
||||
assert.Error(err)
|
||||
} else {
|
||||
|
@ -316,7 +318,7 @@ func TestFailIssuer(t *testing.T) {
|
|||
|
||||
tc.issuer.log = logger.NewTest(t)
|
||||
|
||||
_, err := tc.issuer.Issue(tc.userData, tc.nonce)
|
||||
_, err := tc.issuer.Issue(context.Background(), tc.userData, tc.nonce)
|
||||
assert.Error(err)
|
||||
})
|
||||
}
|
||||
|
|