Merge pull request #93 from deeglaze/skipnofetch

Add DisableCertFetching verify_test mode
google · Oct 20, 2023 · 1a9dbbc · 1a9dbbc
2 parents 1298952 + a43493f
commit 1a9dbbc
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 4 deletions.
diff --git a/verify/verify.go b/verify/verify.go
@@ -474,9 +474,12 @@ func decodeCerts(chain *spb.CertificateChain, key abi.ReportSigner, options *Opt
 	case abi.VlekReportSigner:
 		ek = chain.GetVlekCert()
 	}
+	if len(ek) == 0 {
+		return nil, nil, fmt.Errorf("missing %v certificate", key)
+	}
 	endorsementKeyCert, err := trust.ParseCert(ek)
 	if err != nil {
-		return nil, nil, fmt.Errorf("could not interpret %v DER bytes: %v", key, err)
+		return nil, nil, fmt.Errorf("could not interpret %v DER bytes %v: %v", key, ek, err)
 	}
 	exts, err := validateKDSCertificateProductNonspecific(endorsementKeyCert, key)
 	if err != nil {

diff --git a/verify/verify_test.go b/verify/verify_test.go
@@ -21,6 +21,7 @@ import (
 	_ "embed"
 	"encoding/asn1"
 	"encoding/pem"
+	"flag"
 	"fmt"
 	"math/big"
 	"math/rand"
@@ -43,8 +44,10 @@ import (
 )
 
 var (
-	signMu sync.Once
-	signer *test.AmdSigner
+	signMu       sync.Once
+	signer       *test.AmdSigner
+	requireCache = flag.Bool("require_cert_cache", true,
+		"If true, hardware tests depend on host cache of endorsement key certificates")
 )
 
 func product() string {
@@ -442,6 +445,7 @@ func TestOpenGetExtendedReportVerifyClose(t *testing.T) {
 		name           string
 		getter         reportGetter
 		skipVlek       bool
+		skipNoCache    bool
 		badRootErr     string
 		vlekOnly       bool
 		vlekErr        string
@@ -459,6 +463,7 @@ func TestOpenGetExtendedReportVerifyClose(t *testing.T) {
 			badRootErr:     "error verifying VCEK certificate",
 			vlekErr:        "VLEK certificate is missing",
 			vlekBadRootErr: "VLEK certificate is missing",
+			skipNoCache:    true,
 		},
 		{
 			name: "GetReportVlek",
@@ -484,10 +489,16 @@ func TestOpenGetExtendedReportVerifyClose(t *testing.T) {
 			vlekOnly:       true,
 			badRootErr:     "error verifying VLEK certificate",
 			vlekBadRootErr: "error verifying VLEK certificate",
+			skipNoCache:    true,
 		},
 	}
 	// Trust the test device's root certs.
-	options := &Options{TrustedRoots: goodRoots, Getter: kds, Product: testProduct(t)}
+	options := &Options{
+		TrustedRoots:        goodRoots,
+		Getter:              kds,
+		Product:             testProduct(t),
+		DisableCertFetching: *requireCache && !sg.UseDefaultSevGuest(),
+	}
 	badOptions := &Options{TrustedRoots: badRoots, Getter: kds, Product: testProduct(t)}
 	for _, tc := range tests {
 		if testclient.SkipUnmockableTestCase(&tc) {
@@ -504,6 +515,10 @@ func TestOpenGetExtendedReportVerifyClose(t *testing.T) {
 					t.Skip()
 					return
 				}
+				if getReport.skipNoCache && *requireCache {
+					t.Skip()
+					return
+				}
 				ereport, err := getReport.getter(d, tc.Input)
 				if !test.Match(err, tc.WantErr) {
 					t.Fatalf("(d, %v) = %v, %v. Want err: %v", tc.Input, ereport, err, tc.WantErr)