From e49b76ffffc131714e88fdf87aa83953b665eecf Mon Sep 17 00:00:00 2001
From: Markus Rudy
Date: Fri, 2 Feb 2024 15:47:11 +0100
Subject: [PATCH] atls: report cert extension OIDs on mismatch

If the certificate contains an attestation document for SEV-SNP, but the given validator is for Nitro, verifyEmbeddedReport should not claim that there is no attestation document, but that there is no _compatible_ one and what the incompatible ones were.
---
 internal/atls/atls.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/internal/atls/atls.go b/internal/atls/atls.go
index 06fc38cb0..14f5c1f76 100644
--- a/internal/atls/atls.go
+++ b/internal/atls/atls.go
@@ -200,6 +200,7 @@ func processCertificate(rawCerts [][]byte, _ [][]*x509.Certificate) (*x509.Certi
 // verifyEmbeddedReport verifies an aTLS certificate by validating the attestation document embedded in the TLS certificate.
 func verifyEmbeddedReport(validators []Validator, cert *x509.Certificate, hash, nonce []byte) error {
+ var exts []string
 for _, ex := range cert.Extensions {
 for _, validator := range validators {
 if ex.Id.Equal(validator.OID()) {
@@ -216,9 +217,10 @@ func verifyEmbeddedReport(validators []Validator, cert *x509.Certificate, hash,
 return nil
 }
 }
+ exts = append(exts, ex.Id.String())
 }
- return errors.New("certificate does not contain attestation document")
+ return fmt.Errorf("certificate does not contain compatible attestation documents: got extension OIDs %#v", exts)
 }
 func hashPublicKey(pub any) ([]byte, error) {
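Review bot: `exts` is appended for every extension that no validator matched, so the error built at the end of verifyEmbeddedReport (second hunk) will typically list ordinary X.509 extensions such as key usage or subject key identifier as if they were incompatible attestation documents; verifyEmbeddedReport's body continues past the first hunk, and the second hunk's line counts suggest its tail is cut off on this page. The OIDs come straight from the peer-supplied certificate and `%#v` renders them as Go syntax (`[]string{"…"}`), which is awkward in logs; `strings.Join(exts, ", ")` with `%q` keeps the output readable, e.g. `return fmt.Errorf("certificate does not contain compatible attestation documents: got extension OIDs %q, expected one of %q", exts, wantOIDs)` where wantOIDs is collected from `validator.OID().String()` over `validators` before the loop, so the operator sees both sides of the mismatch. The replacement also drops the only visible use of `errors.New` in favour of `fmt.Errorf`; the import block is not visible here, so confirm `fmt` is imported and `errors` is still used elsewhere in the file.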