diff --git a/internal/attestation/gcp/snp/BUILD.bazel b/internal/attestation/gcp/snp/BUILD.bazel index cd7bf70fc13..1193a7e0366 100644 --- a/internal/attestation/gcp/snp/BUILD.bazel +++ b/internal/attestation/gcp/snp/BUILD.bazel @@ -32,10 +32,7 @@ go_library( go_test( name = "snp_test", - srcs = [ - "issuer_test.go", - "validator_test.go", - ], + srcs = ["validator_test.go"], embed = [":snp"], # keep gotags = select({ @@ -44,16 +41,10 @@ go_test( }), deps = [ "//internal/attestation", - "//internal/attestation/aws/snp/testdata", - "//internal/attestation/simulator", - "//internal/attestation/snp", "//internal/attestation/vtpm", "//internal/config", - "//internal/logger", - "@com_github_google_go_sev_guest//abi", "@com_github_google_go_sev_guest//proto/sevsnp", "@com_github_google_go_sev_guest//verify", - "@com_github_google_go_tpm_tools//client", "@com_github_google_go_tpm_tools//proto/attest", "@com_github_stretchr_testify//assert", "@com_github_stretchr_testify//require", diff --git a/internal/attestation/gcp/snp/issuer_test.go b/internal/attestation/gcp/snp/issuer_test.go deleted file mode 100644 index 3f2f2469902..00000000000 --- a/internal/attestation/gcp/snp/issuer_test.go +++ /dev/null @@ -1,44 +0,0 @@ -/* -Copyright (c) Edgeless Systems GmbH - -SPDX-License-Identifier: AGPL-3.0-only -*/ - -package snp - -import ( - "os" - "testing" - - "github.com/edgelesssys/constellation/v2/internal/attestation/simulator" - tpmclient "github.com/google/go-tpm-tools/client" - "github.com/stretchr/testify/assert" - "github.com/stretchr/testify/require" -) - -func TestGetAttestationKey(t *testing.T) { - cgo := os.Getenv("CGO_ENABLED") - if cgo == "0" { - t.Skip("skipping test because CGO is disabled and tpm simulator requires it") - } - - require := require.New(t) - assert := assert.New(t) - - tpm, err := simulator.OpenSimulatedTPM() - require.NoError(err) - defer tpm.Close() - - // create the attestation key in RSA format - tpmAk, err := tpmclient.AttestationKeyRSA(tpm) - assert.NoError(err) - assert.NotNil(tpmAk) - - // get the cached, already created key - getAk, err := getAttestationKey(tpm) - assert.NoError(err) - assert.NotNil(getAk) - - // if everything worked fine, tpmAk and getAk are the same key - assert.Equal(tpmAk, getAk) -} diff --git a/internal/attestation/gcp/snp/validator_test.go b/internal/attestation/gcp/snp/validator_test.go index 5772c357ed3..6c624e55a72 100644 --- a/internal/attestation/gcp/snp/validator_test.go +++ b/internal/attestation/gcp/snp/validator_test.go @@ -11,24 +11,16 @@ import ( "context" "crypto" "crypto/x509" - "encoding/base64" "encoding/hex" - "encoding/json" "encoding/pem" "errors" "fmt" - "regexp" "testing" "github.com/edgelesssys/constellation/v2/internal/attestation" - "github.com/edgelesssys/constellation/v2/internal/attestation/aws/snp/testdata" - "github.com/edgelesssys/constellation/v2/internal/attestation/snp" "github.com/edgelesssys/constellation/v2/internal/attestation/vtpm" "github.com/edgelesssys/constellation/v2/internal/config" - "github.com/edgelesssys/constellation/v2/internal/logger" - "github.com/google/go-sev-guest/abi" "github.com/google/go-sev-guest/proto/sevsnp" - spb "github.com/google/go-sev-guest/proto/sevsnp" "github.com/google/go-sev-guest/verify" "github.com/google/go-tpm-tools/proto/attest" "github.com/stretchr/testify/assert" @@ -36,28 +28,30 @@ import ( ) func TestGetTrustedKey(t *testing.T) { - validator := func() *Validator { return &Validator{reportValidator: stubGCPValidator{}} } + validator := func(ek []byte) *Validator { + return &Validator{ + reportValidator: stubGCPValidator{}, + gceKeyGetter: func(ctx context.Context, attDoc vtpm.AttestationDocument, _ []byte) (crypto.PublicKey, error) { + return ek, nil + }, + } + } testCases := map[string]struct { - akPub []byte - info []byte - wantErr bool + akPub []byte + ek []byte + info []byte }{ - "null byte docs": { - akPub: []byte{0x00, 0x00, 0x00, 0x00}, - info: []byte{0x00, 0x00, 0x00, 0x00}, - wantErr: true, - }, - "nil": { - akPub: nil, - info: nil, - wantErr: true, + "success": { + akPub: []byte("akPub"), + ek: []byte("ek"), + info: []byte("info"), }, } for name, tc := range testCases { t.Run(name, func(t *testing.T) { assert := assert.New(t) - out, err := validator().getTrustedKey( + out, err := validator(tc.ek).getTrustedKey( context.Background(), vtpm.AttestationDocument{ Attestation: &attest.Attestation{ @@ -68,142 +62,12 @@ func TestGetTrustedKey(t *testing.T) { nil, ) - if tc.wantErr { - assert.Error(err) - } else { - assert.NoError(err) - } - - assert.Nil(out) - }) - } -} - -// TestValidateSNPReport has to setup the following to run ValidateSNPReport: -// - parse ARK certificate from constants.go. -// - parse cached ASK certificate. -// - parse cached SNP report. -// - parse cached AK hash. Hash and SNP report have to match. -// - parse cache VLEK cert. -func TestValidateSNPReport(t *testing.T) { - require := require.New(t) - certs, err := loadCerts(testdata.CertChain) - require.NoError(err) - ark := certs[1] - ask := certs[0] - - // reportTransformer unpacks the base64 encoded report, applies the given transformations and re-encodes it. - reportTransformer := func(reportHex string, transformations func(*spb.Report)) string { - rawReport, err := base64.StdEncoding.DecodeString(reportHex) - require.NoError(err) - report, err := abi.ReportToProto(rawReport) - require.NoError(err) - transformations(report) - reportBytes, err := abi.ReportToAbiBytes(report) - require.NoError(err) - return base64.StdEncoding.EncodeToString(reportBytes) - } - - testCases := map[string]struct { - ak string - report string - reportTransformer func(string, func(*spb.Report)) string - verifier reportVerifier - validator reportValidator - wantErr bool - }{ - "success": { - ak: testdata.AKDigest, - report: testdata.SNPReport, - verifier: &reportVerifierImpl{}, - validator: &reportValidatorImpl{}, - }, - "invalid report data": { - ak: testdata.AKDigest, - report: reportTransformer(testdata.SNPReport, func(r *spb.Report) { - r.ReportData = make([]byte, 64) - }), - verifier: &stubReportVerifier{}, - validator: &reportValidatorImpl{}, - wantErr: true, - }, - "invalid report signature": { - ak: testdata.AKDigest, - report: reportTransformer(testdata.SNPReport, func(r *spb.Report) { r.Signature[0]++ }), - verifier: &reportVerifierImpl{}, - validator: &reportValidatorImpl{}, - wantErr: true, - }, - } - - for name, tc := range testCases { - t.Run(name, func(t *testing.T) { - assert := assert.New(t) - - hash, err := hex.DecodeString(tc.ak) - require.NoError(err) - - report, err := base64.StdEncoding.DecodeString(tc.report) - require.NoError(err) - - info := snp.InstanceInfo{AttestationReport: report, ReportSigner: testdata.VLEK} - infoMarshalled, err := json.Marshal(info) - require.NoError(err) - - v := gcpValidator{httpsGetter: newStubHTTPSGetter(&urlResponseMatcher{}, nil), verifier: tc.verifier, validator: tc.validator} - err = v.validate(vtpm.AttestationDocument{InstanceInfo: infoMarshalled}, ask, ark, [64]byte(hash), config.DefaultForGCPSEVSNP(), logger.NewTest(t)) - if tc.wantErr { - assert.Error(err) - } else { - assert.NoError(err) - } + assert.NoError(err) + assert.Equal(tc.ek, out) }) } } -type stubHTTPSGetter struct { - urlResponseMatcher *urlResponseMatcher // maps responses to requested URLs - err error -} - -func newStubHTTPSGetter(urlResponseMatcher *urlResponseMatcher, err error) *stubHTTPSGetter { - return &stubHTTPSGetter{ - urlResponseMatcher: urlResponseMatcher, - err: err, - } -} - -func (s *stubHTTPSGetter) Get(url string) ([]byte, error) { - if s.err != nil { - return nil, s.err - } - return s.urlResponseMatcher.match(url) -} - -type urlResponseMatcher struct { - certChainResponse []byte - wantCertChainRequest bool - vcekResponse []byte - wantVcekRequest bool -} - -func (m *urlResponseMatcher) match(url string) ([]byte, error) { - switch { - case url == "https://kdsintf.amd.com/vcek/v1/Milan/cert_chain": - if !m.wantCertChainRequest { - return nil, fmt.Errorf("unexpected cert_chain request") - } - return m.certChainResponse, nil - case regexp.MustCompile(`https:\/\/kdsintf.amd.com\/vcek\/v1\/Milan\/.*`).MatchString(url): - if !m.wantVcekRequest { - return nil, fmt.Errorf("unexpected VCEK request") - } - return m.vcekResponse, nil - default: - return nil, fmt.Errorf("unexpected URL: %s", url) - } -} - func TestSha512sum(t *testing.T) { testCases := map[string]struct { key string