Merge pull request #93 from deeglaze/skipnofetch

deeglaze · web-flow · commit 1a9dbbc97d59 · 2023-10-20T15:00:10.000-07:00
Add DisableCertFetching verify_test mode
diff --git a/verify/verify.go b/verify/verify.go
@@ -474,9 +474,12 @@ func decodeCerts(chain *spb.CertificateChain, key abi.ReportSigner, options *Opt
 	case abi.VlekReportSigner:
 		ek = chain.GetVlekCert()
 	}
+	if len(ek) == 0 {
+		return nil, nil, fmt.Errorf("missing %v certificate", key)
+	}
 	endorsementKeyCert, err := trust.ParseCert(ek)
 	if err != nil {
-		return nil, nil, fmt.Errorf("could not interpret %v DER bytes: %v", key, err)
+		return nil, nil, fmt.Errorf("could not interpret %v DER bytes %v: %v", key, ek, err)
 	}
 	exts, err := validateKDSCertificateProductNonspecific(endorsementKeyCert, key)
 	if err != nil {
diff --git a/verify/verify_test.go b/verify/verify_test.go
@@ -21,6 +21,7 @@ import (
 	_ "embed"
 	"encoding/asn1"
 	"encoding/pem"
+	"flag"
 	"fmt"
 	"math/big"
 	"math/rand"
@@ -43,8 +44,10 @@ import (
 )
 
 var (
-	signMu sync.Once
-	signer *test.AmdSigner
+	signMu       sync.Once
+	signer       *test.AmdSigner
+	requireCache = flag.Bool("require_cert_cache", true,
+		"If true, hardware tests depend on host cache of endorsement key certificates")
 )
 
 func product() string {
@@ -442,6 +445,7 @@ func TestOpenGetExtendedReportVerifyClose(t *testing.T) {
 		name           string
 		getter         reportGetter
 		skipVlek       bool
+		skipNoCache    bool
 		badRootErr     string
 		vlekOnly       bool
 		vlekErr        string
@@ -459,6 +463,7 @@ func TestOpenGetExtendedReportVerifyClose(t *testing.T) {
 			badRootErr:     "error verifying VCEK certificate",
 			vlekErr:        "VLEK certificate is missing",
 			vlekBadRootErr: "VLEK certificate is missing",
+			skipNoCache:    true,
 		},
 		{
 			name: "GetReportVlek",
@@ -484,10 +489,16 @@ func TestOpenGetExtendedReportVerifyClose(t *testing.T) {
 			vlekOnly:       true,
 			badRootErr:     "error verifying VLEK certificate",
 			vlekBadRootErr: "error verifying VLEK certificate",
+			skipNoCache:    true,
 		},
 	}
 	// Trust the test device's root certs.
-	options := &Options{TrustedRoots: goodRoots, Getter: kds, Product: testProduct(t)}
+	options := &Options{
+		TrustedRoots:        goodRoots,
+		Getter:              kds,
+		Product:             testProduct(t),
+		DisableCertFetching: *requireCache && !sg.UseDefaultSevGuest(),
+	}
 	badOptions := &Options{TrustedRoots: badRoots, Getter: kds, Product: testProduct(t)}
 	for _, tc := range tests {
 		if testclient.SkipUnmockableTestCase(&tc) {
@@ -504,6 +515,10 @@ func TestOpenGetExtendedReportVerifyClose(t *testing.T) {
 					t.Skip()
 					return
 				}
+				if getReport.skipNoCache && *requireCache {
+					t.Skip()
+					return
+				}
 				ereport, err := getReport.getter(d, tc.Input)
 				if !test.Match(err, tc.WantErr) {
 					t.Fatalf("(d, %v) = %v, %v. Want err: %v", tc.Input, ereport, err, tc.WantErr)

Original file line number	Diff line number	Diff line change
`@@ -474,9 +474,12 @@ func decodeCerts(chain spb.CertificateChain, key abi.ReportSigner, options Opt`
`474`	`474`	`case abi.VlekReportSigner:`
`475`	`475`	`ek = chain.GetVlekCert()`
`476`	`476`	`}`
	`477`	`+ if len(ek) == 0 {`
	`478`	`+ return nil, nil, fmt.Errorf("missing %v certificate", key)`
	`479`	`+ }`
`477`	`480`	`endorsementKeyCert, err := trust.ParseCert(ek)`
`478`	`481`	`if err != nil {`
`479`		`- return nil, nil, fmt.Errorf("could not interpret %v DER bytes: %v", key, err)`
	`482`	`+ return nil, nil, fmt.Errorf("could not interpret %v DER bytes %v: %v", key, ek, err)`
`480`	`483`	`}`
`481`	`484`	`exts, err := validateKDSCertificateProductNonspecific(endorsementKeyCert, key)`
`482`	`485`	`if err != nil {`