atls: report cert extension OIDs on mismatch

If the certificate contains an attestation document for SEV-SNP, but the
given validator is for Nitro, verifyEmbeddedReport should not claim that
there is no attestation document, but that there is no _compatible_ one
and what the incompatible ones were.
Markus Rudy 2024-02-02 15:47:11 +01:00
parent 9f9f18c764
commit e49b76ffff


@ -200,6 +200,7 @@ func processCertificate(rawCerts [][]byte, _ [][]*x509.Certificate) (*x509.Certi
// verifyEmbeddedReport verifies an aTLS certificate by validating the attestation document embedded in the TLS certificate.
func verifyEmbeddedReport(validators []Validator, cert *x509.Certificate, hash, nonce []byte) error {
var exts []string
for _, ex := range cert.Extensions {
for _, validator := range validators {
if ex.Id.Equal(validator.OID()) {
@ -216,9 +217,10 @@ func verifyEmbeddedReport(validators []Validator, cert *x509.Certificate, hash,
return nil
}
}
exts = append(exts, ex.Id.String())
}
return errors.New("certificate does not contain attestation document")
return fmt.Errorf("certificate does not contain compatible attestation documents: got extension OIDs %#v", exts)
}
func hashPublicKey(pub any) ([]byte, error) {
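Review bot: The `%#v` verb on the new error line formats a nil `exts` as `[]string(nil)`, so a certificate with no extensions at all produces "got extension OIDs []string(nil)" rather than an empty list, because `exts` is declared with `var exts []string` in the first hunk and only grows inside the loop. `%v` prints `[]` for the nil case and `[1.2.3 1.2.4]` otherwise, which reads better in a diagnostic: `return fmt.Errorf("certificate does not contain compatible attestation documents: got extension OIDs %v", exts)`. Note also that the loop appends every extension OID in the certificate, not only attestation-related ones, so the list will include standard X.509 extensions (key usage, subject key identifier and the like); that is useful for debugging but worth a comment above the `append`, e.g. `// Collect all extension OIDs so a mismatch error can show what the certificate actually carried.` The middle of verifyEmbeddedReport (the validation branch between the two hunks) is outside the view, so whether a matching-but-failing validator still reaches this return could not be checked.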