diff --git a/acme/challenge.go b/acme/challenge.go index 54a7d7b9..b4ff1c20 100644 --- a/acme/challenge.go +++ b/acme/challenge.go @@ -29,7 +29,6 @@ import ( "github.com/fxamacker/cbor/v2" "github.com/google/go-attestation/attest" "github.com/google/go-tpm/tpm2" - "github.com/ryboe/q" "golang.org/x/exp/slices" "go.step.sm/crypto/jose" @@ -420,7 +419,6 @@ func deviceAttest01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose case "step": data, err := doStepAttestationFormat(ctx, prov, ch, jwk, &att) if err != nil { - q.Q(err) var acmeError *Error if errors.As(err, &acmeError) { if acmeError.Status == 500 { @@ -452,7 +450,6 @@ func deviceAttest01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose if err != nil { // TODO(hs): we should provide more details in the error reported to the client; // "Attestation statement cannot be verified" is VERY generic. Also holds true for the other formats. - q.Q(err) var acmeError *Error if errors.As(err, &acmeError) { if acmeError.Status == 500 { diff --git a/acme/challenge_tpmsimulator_test.go b/acme/challenge_tpmsimulator_test.go index 4ce8e1db..0cc406e6 100644 --- a/acme/challenge_tpmsimulator_test.go +++ b/acme/challenge_tpmsimulator_test.go @@ -72,14 +72,14 @@ func mustAttestTPM(t *testing.T, keyAuthorization string) ([]byte, crypto.Signer require.NoError(t, err) // prepare simulated TPM and create an AK - ctpm := newSimulatedTPM(t) - eks, err := ctpm.GetEKs(context.Background()) + stpm := newSimulatedTPM(t) + eks, err := stpm.GetEKs(context.Background()) require.NoError(t, err) - ak, err := ctpm.CreateAK(context.Background(), "first-ak") + ak, err := stpm.CreateAK(context.Background(), "first-ak") require.NoError(t, err) require.NotNil(t, ak) - // extract the AK public key + // extract the AK public key // TODO(hs): replace this when there's a simpler method to get the AK public key (e.g. ak.Public()) ap, err := ak.AttestationParameters(context.Background()) require.NoError(t, err) akp, err := attest.ParseAKPublic(attest.TPMVersion20, ap.Public) @@ -108,7 +108,7 @@ func mustAttestTPM(t *testing.T, keyAuthorization string) ([]byte, crypto.Signer Size: 2048, QualifyingData: keyAuthSum[:], } - key, err := ctpm.AttestKey(context.Background(), "first-ak", "first-key", config) + key, err := stpm.AttestKey(context.Background(), "first-ak", "first-key", config) require.NoError(t, err) require.NotNil(t, key) require.Equal(t, "first-key", key.Name()) @@ -165,6 +165,75 @@ func Test_deviceAttest01ValidateWithTPMSimulator(t *testing.T) { wantErr *Error } tests := map[string]func(t *testing.T) test{ + "ok/doTPMAttestationFormat-storeError": func(t *testing.T) test { + _, keyAuth := mustAccountAndKeyAuthorization(t, "token") + payload, _, root := mustAttestTPM(t, keyAuth) // TODO: value(s) for AK cert? + caRoot := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: root.Raw}) + ctx := NewProvisionerContext(context.Background(), mustAttestationProvisioner(t, caRoot)) + + // parse payload, set invalid "ver", remarshal + var p payloadType + err := json.Unmarshal(payload, &p) + require.NoError(t, err) + attObj, err := base64.RawURLEncoding.DecodeString(p.AttObj) + require.NoError(t, err) + att := attestationObject{} + err = cbor.Unmarshal(attObj, &att) + require.NoError(t, err) + att.AttStatement["ver"] = "bogus" + attObj, err = cbor.Marshal(struct { + Format string `json:"fmt"` + AttStatement map[string]interface{} `json:"attStmt,omitempty"` + }{ + Format: "tpm", + AttStatement: att.AttStatement, + }) + require.NoError(t, err) + payload, err = json.Marshal(struct { + AttObj string `json:"attObj"` + }{ + AttObj: base64.RawURLEncoding.EncodeToString(attObj), + }) + require.NoError(t, err) + return test{ + args: args{ + ctx: ctx, + ch: &Challenge{ + ID: "chID", + AuthorizationID: "azID", + Token: "token", + Type: "device-attest-01", + Status: StatusPending, + Value: "device.id.12345678", + }, + payload: payload, + db: &MockDB{ + MockGetAuthorization: func(ctx context.Context, id string) (*Authorization, error) { + assert.Equal(t, "azID", id) + return &Authorization{ID: "azID"}, nil + }, + MockUpdateChallenge: func(ctx context.Context, updch *Challenge) error { + assert.Equal(t, "chID", updch.ID) + assert.Equal(t, "token", updch.Token) + assert.Equal(t, StatusInvalid, updch.Status) + assert.Equal(t, ChallengeType("device-attest-01"), updch.Type) + assert.Equal(t, "device.id.12345678", updch.Value) + + err := NewError(ErrorBadAttestationStatementType, `version "bogus" is not supported`) + + assert.EqualError(t, updch.Error.Err, err.Err.Error()) + assert.Equal(t, err.Type, updch.Error.Type) + assert.Equal(t, err.Detail, updch.Error.Detail) + assert.Equal(t, err.Status, updch.Error.Status) + assert.Equal(t, err.Subproblems, updch.Error.Subproblems) + + return nil + }, + }, + }, + wantErr: nil, + } + }, "ok": func(t *testing.T) test { jwk, keyAuth := mustAccountAndKeyAuthorization(t, "token") payload, signer, root := mustAttestTPM(t, keyAuth) // TODO: value(s) for AK cert? diff --git a/go.mod b/go.mod index 170e4d08..f0e0f99d 100644 --- a/go.mod +++ b/go.mod @@ -23,7 +23,6 @@ require ( github.com/hashicorp/vault/api v1.9.0 github.com/hashicorp/vault/api/auth/approle v0.4.0 github.com/hashicorp/vault/api/auth/kubernetes v0.4.0 - github.com/kr/pretty v0.3.1 // indirect github.com/mattn/go-colorable v0.1.8 // indirect github.com/mattn/go-isatty v0.0.13 // indirect github.com/micromdm/scep/v2 v2.1.0 @@ -53,7 +52,6 @@ require ( require ( github.com/google/go-attestation v0.4.4-0.20220404204839-8820d49b18d9 - github.com/ryboe/q v1.0.19 golang.org/x/exp v0.0.0-20230310171629-522b1b587ee0 ) @@ -114,7 +112,6 @@ require ( github.com/jackc/pgx/v4 v4.18.0 // indirect github.com/jmespath/go-jmespath v0.4.0 // indirect github.com/klauspost/compress v1.15.11 // indirect - github.com/kr/text v0.2.0 // indirect github.com/kylelemons/godebug v1.1.0 // indirect github.com/manifoldco/promptui v0.9.0 // indirect github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d // indirect diff --git a/go.sum b/go.sum index b88894a6..b246e491 100644 --- a/go.sum +++ b/go.sum @@ -648,7 +648,6 @@ github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORN github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= -github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/pty v1.1.8/go.mod h1:O1sed60cT9XZ5uDucP5qwvh+TE3NnUj51EiZO/lmSfw= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= @@ -785,7 +784,6 @@ github.com/pierrec/lz4 v1.0.2-0.20190131084431-473cd7ce01a1/go.mod h1:3/3N9NVKO0 github.com/pierrec/lz4 v2.0.5+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY= github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 h1:KoWmjvw+nsYOo29YJK9vDA65RGE3NrOnUtO7a+RF9HU= github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8/go.mod h1:HKlIX3XHQyzLZPlr7++PzdhaXEj94dEiJgZDTsxEqUI= -github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA= github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= @@ -853,8 +851,6 @@ github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb github.com/ryanuber/columnize v2.1.0+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk= github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc= -github.com/ryboe/q v1.0.19 h1:1dO1anK4gorZRpXBD/edBZkMxIC1tFIwN03nfyOV13A= -github.com/ryboe/q v1.0.19/go.mod h1:IoEB3Q2/p6n1qbhIQVuNyakxtnV4rNJ/XJPK+jsEa0M= github.com/samuel/go-zookeeper v0.0.0-20190923202752-2cc03de413da/go.mod h1:gi+0XIa01GRL2eRQVjQkKGqKF3SF9vZR/HnPullcV2E= github.com/sassoftware/go-rpmutils v0.0.0-20190420191620-a8f1baeba37b/go.mod h1:am+Fp8Bt506lA3Rk3QCmSqmYmLMnPDhdDUcosQCAx+I= github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0= @@ -1028,8 +1024,6 @@ go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqe go.step.sm/cli-utils v0.7.5 h1:jyp6X8k8mN1B0uWJydTid0C++8tQhm2kaaAdXKQQzdk= go.step.sm/cli-utils v0.7.5/go.mod h1:taSsY8haLmXoXM3ZkywIyRmVij/4Aj0fQbNTlJvv71I= go.step.sm/crypto v0.9.0/go.mod h1:+CYG05Mek1YDqi5WK0ERc6cOpKly2i/a5aZmU1sfGj0= -go.step.sm/crypto v0.28.1-0.20230329130243-a1ebfc5bcff7 h1:2vVWEooAKQArOoGClfst8+/Mu8bu/EHthn3kCu26OGk= -go.step.sm/crypto v0.28.1-0.20230329130243-a1ebfc5bcff7/go.mod h1:PFmyUJUvF5YDVokruSlTDcENBD/QBDpBiV2zInfsgV0= go.step.sm/crypto v0.28.1-0.20230329145110-4ccd51b601c7 h1:8h176gNghpnGnVY99fHHoFZaPOeDR9Q472KuxSCeeRA= go.step.sm/crypto v0.28.1-0.20230329145110-4ccd51b601c7/go.mod h1:PFmyUJUvF5YDVokruSlTDcENBD/QBDpBiV2zInfsgV0= go.step.sm/linkedca v0.19.0 h1:xuagkR35wrJI2gnu6FAM+q3VmjwsHScvGcJsfZ0GdsI=