|
4 | 4 | "encoding/hex" |
5 | 5 | "os" |
6 | 6 | "testing" |
| 7 | + "time" |
7 | 8 |
|
8 | 9 | "github.com/stretchr/testify/require" |
9 | 10 |
|
@@ -248,6 +249,56 @@ func TestHashAttestation(t *testing.T) { |
248 | 249 | require.EqualValues("9a288bd33ba7a4c2eefdee68e4c08c1a34c369302ef8176a3bfdb4fedcec333e", hex.EncodeToString(h)) |
249 | 250 | } |
250 | 251 |
|
| 252 | +// TestKeyManagerAccessPolicySanity checks that attestation verification uses |
| 253 | +// the stricter key manager access policy when requested and falls back to the |
| 254 | +// default policy otherwise. |
| 255 | +func TestKeyManagerAccessPolicySanity(t *testing.T) { |
| 256 | + require := require.New(t) |
| 257 | + |
| 258 | + pcs.SetSkipVerify() |
| 259 | + defer pcs.UnsetSkipVerify() |
| 260 | + |
| 261 | + // Build a raw SGX report (384 bytes) with a known RAK hash in ReportData. |
| 262 | + var rak signature.PublicKey |
| 263 | + rakHash := HashRAK(rak) |
| 264 | + |
| 265 | + var rawReport [384]byte |
| 266 | + copy(rawReport[320:], rakHash[:]) |
| 267 | + |
| 268 | + mockQuote, err := pcs.NewMockQuote(rawReport[:]) |
| 269 | + require.NoError(err, "NewMockQuote") |
| 270 | + |
| 271 | + sa := SGXAttestation{ |
| 272 | + Versioned: cbor.NewVersioned(LatestSGXAttestationVersion), |
| 273 | + Quote: quote.Quote{ |
| 274 | + PCS: &pcs.QuoteBundle{ |
| 275 | + Quote: mockQuote, |
| 276 | + }, |
| 277 | + }, |
| 278 | + } |
| 279 | + |
| 280 | + sc := SGXConstraints{ |
| 281 | + Versioned: cbor.NewVersioned(1), |
| 282 | + Enclaves: []sgx.EnclaveIdentity{{}}, |
| 283 | + Policy: "e.Policy{ |
| 284 | + PCS: &pcs.QuotePolicy{}, |
| 285 | + }, |
| 286 | + KeyManagerAccessPolicy: "e.Policy{ |
| 287 | + PCS: &pcs.QuotePolicy{Disabled: true}, |
| 288 | + }, |
| 289 | + } |
| 290 | + |
| 291 | + var nodeID signature.PublicKey |
| 292 | + cfg := &TEEFeatures{SGX: TEEFeaturesSGX{PCS: true}} |
| 293 | + |
| 294 | + err = sa.Verify(cfg, time.Now(), 0, &sc, rak, nil, nodeID, true) |
| 295 | + require.Error(err, "attestation should be rejected when key manager access policy is used") |
| 296 | + require.ErrorContains(err, "PCS quotes are disabled by policy") |
| 297 | + |
| 298 | + err = sa.Verify(cfg, time.Now(), 0, &sc, rak, nil, nodeID, false) |
| 299 | + require.NoError(err, "attestation should pass when falling back to default policy") |
| 300 | +} |
| 301 | + |
251 | 302 | func FuzzSGXConstraints(f *testing.F) { |
252 | 303 | // Add some V0 constraints. |
253 | 304 | raw, err := os.ReadFile("testdata/sgx_constraints_v0.bin") |
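Review bot: TestKeyManagerAccessPolicySanity covers the flag set with a stricter policy present and the flag unset, but not the flag set while `KeyManagerAccessPolicy` is nil, which is the path where a key manager access check could silently run under the weaker default policy. A third case would pin that behaviour: `scNoKM := sc; scNoKM.KeyManagerAccessPolicy = nil`, then `err = sa.Verify(cfg, time.Now(), 0, &scNoKM, rak, nil, nodeID, true)` and an assertion for whichever outcome is intended. The trailing bare `true`/`false` in the two `Verify` calls is also hard to read, so a short comment on each call naming what the flag selects would help. `pcs.SetSkipVerify()` appears to toggle package-wide state, so a comment that this test must not run in parallel with tests expecting real quote verification would be worth adding.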
|