Merge pull request #172 from google/att_intermediate

Automatically use attestation intermediates for AK cert verification

server/verify.go

@@ -65,6 +65,22 @@ func VerifyAttestation(attestation *pb.Attestation, opts VerifyOpts) (*pb.Machin
 	if err != nil {
 		return nil, fmt.Errorf("failed to get AK public key: %w", err)
 	}
+
+	// Add intermediate certs in the attestation if they exist.
+	if len(attestation.IntermediateCerts) != 0 {
+		if opts.IntermediateCerts == nil {
+			opts.IntermediateCerts = x509.NewCertPool()
+		}
+
+		for _, certBytes := range attestation.IntermediateCerts {
+			cert, err := x509.ParseCertificate(certBytes)
+			if err != nil {
+				return nil, fmt.Errorf("failed to parse intermediate certificate in attestation: %w", err)
+			}
+
+			opts.IntermediateCerts.AddCert(cert)
+		}
+	}
 	if err := checkAKTrusted(akPubKey, attestation.GetAkCert(), opts); err != nil {
 		return nil, fmt.Errorf("failed to validate AK: %w", err)
 	}

server/verify_test.go

@@ -461,6 +461,39 @@ func TestVerifyAttestationWithCerts(t *testing.T) {
 	}
 }
 
+func TestVerifyAutomaticallyUsesIntermediatesInAttestation(t *testing.T) {
+	attestBytes := test.COS85Nonce9009
+	att := &attestpb.Attestation{}
+	if err := proto.Unmarshal(attestBytes, att); err != nil {
+		t.Fatalf("failed to unmarshal attestation: %v", err)
+	}
+	att.IntermediateCerts = [][]byte{gceEKIntermediateCA2}
+
+	if _, err := VerifyAttestation(att, VerifyOpts{
+		Nonce:            []byte{0x90, 0x09},
+		TrustedRootCerts: GceEKRoots,
+	}); err != nil {
+		t.Errorf("failed to VerifyAttestation with intermediates provided in attestation: %v", err)
+	}
+}
+
+func TestVerifySucceedsWithOverlappingIntermediatesInOptionsAndAttestation(t *testing.T) {
+	attestBytes := test.COS85Nonce9009
+	att := &attestpb.Attestation{}
+	if err := proto.Unmarshal(attestBytes, att); err != nil {
+		t.Fatalf("failed to unmarshal attestation: %v", err)
+	}
+	att.IntermediateCerts = [][]byte{gceEKIntermediateCA2}
+
+	if _, err := VerifyAttestation(att, VerifyOpts{
+		Nonce:             []byte{0x90, 0x09},
+		TrustedRootCerts:  GceEKRoots,
+		IntermediateCerts: GceEKIntermediates,
+	}); err != nil {
+		t.Errorf("failed to VerifyAttestation with overlapping intermediates provided in attestation and options: %v", err)
+	}
+}
+
 func TestVerifyFailWithCertsAndPubkey(t *testing.T) {
 	att := &attestpb.Attestation{}
 	if err := proto.Unmarshal(test.COS85NoNonce, att); err != nil {
@@ -511,7 +544,7 @@ func TestVerifyAttestationMissingRoots(t *testing.T) {
 	if _, err := VerifyAttestation(att, VerifyOpts{
 		IntermediateCerts: GceEKIntermediates,
 	}); err == nil {
-		t.Error("expected error when calling VerifyAttestation with empty roots and intermediates")
+		t.Error("expected error when calling VerifyAttestation with missing roots")
 	}
 }
 
@@ -525,7 +558,7 @@ func TestVerifyAttestationMissingIntermediates(t *testing.T) {
 	if _, err := VerifyAttestation(att, VerifyOpts{
 		TrustedRootCerts: GceEKRoots,
 	}); err == nil {
-		t.Error("expected error when calling VerifyAttestation with empty roots and intermediates")
+		t.Error("expected error when calling VerifyAttestation with missing intermediates")
 	}
 }
 
@@ -561,3 +594,19 @@ func TestVerifyMismatchedAKPubAndAKCert(t *testing.T) {
 		t.Error("expected error when calling VerifyAttestation with mismatched public key and cert")
 	}
 }
+
+func TestVerifyFailsWithMalformedIntermediatesInAttestation(t *testing.T) {
+	attestBytes := test.COS85Nonce9009
+	att := &attestpb.Attestation{}
+	if err := proto.Unmarshal(attestBytes, att); err != nil {
+		t.Fatalf("failed to unmarshal attestation: %v", err)
+	}
+	att.IntermediateCerts = [][]byte{[]byte("Not an intermediate cert.")}
+
+	if _, err := VerifyAttestation(att, VerifyOpts{
+		Nonce:            []byte{0x90, 0x09},
+		TrustedRootCerts: GceEKRoots,
+	}); err == nil {
+		t.Error("expected error when calling VerifyAttestation with malformed intermediate")
+	}
+}