Add failing TPM simulator test

1 year ago · ae30f6e96b
parent 1cc3ad27a5
commit ae30f6e96b
4 changed files with 74 additions and 17 deletions
--- a/acme/challenge.go
+++ b/acme/challenge.go
@ -29,7 +29,6 @@ import (
 	"github.com/fxamacker/cbor/v2"
 	"github.com/google/go-attestation/attest"
 	"github.com/google/go-tpm/tpm2"
-	"github.com/ryboe/q"
 	"golang.org/x/exp/slices"

 	"go.step.sm/crypto/jose"
@ -420,7 +419,6 @@ func deviceAttest01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose
 	case "step":
 		data, err := doStepAttestationFormat(ctx, prov, ch, jwk, &att)
 		if err != nil {
-			q.Q(err)
 			var acmeError *Error
 			if errors.As(err, &acmeError) {
 				if acmeError.Status == 500 {
@ -452,7 +450,6 @@ func deviceAttest01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose
 		if err != nil {
 			// TODO(hs): we should provide more details in the error reported to the client;
 			// "Attestation statement cannot be verified" is VERY generic. Also holds true for the other formats.
-			q.Q(err)
 			var acmeError *Error
 			if errors.As(err, &acmeError) {
 				if acmeError.Status == 500 {
--- a/acme/challenge_tpmsimulator_test.go
+++ b/acme/challenge_tpmsimulator_test.go
@ -72,14 +72,14 @@ func mustAttestTPM(t *testing.T, keyAuthorization string) ([]byte, crypto.Signer
 	require.NoError(t, err)

 	// prepare simulated TPM and create an AK
-	ctpm := newSimulatedTPM(t)
-	eks, err := ctpm.GetEKs(context.Background())
+	stpm := newSimulatedTPM(t)
+	eks, err := stpm.GetEKs(context.Background())
 	require.NoError(t, err)
-	ak, err := ctpm.CreateAK(context.Background(), "first-ak")
+	ak, err := stpm.CreateAK(context.Background(), "first-ak")
 	require.NoError(t, err)
 	require.NotNil(t, ak)

-	// extract the AK public key
+	// extract the AK public key // TODO(hs): replace this when there's a simpler method to get the AK public key (e.g. ak.Public())
 	ap, err := ak.AttestationParameters(context.Background())
 	require.NoError(t, err)
 	akp, err := attest.ParseAKPublic(attest.TPMVersion20, ap.Public)
@ -108,7 +108,7 @@ func mustAttestTPM(t *testing.T, keyAuthorization string) ([]byte, crypto.Signer
 		Size:           2048,
 		QualifyingData: keyAuthSum[:],
 	}
-	key, err := ctpm.AttestKey(context.Background(), "first-ak", "first-key", config)
+	key, err := stpm.AttestKey(context.Background(), "first-ak", "first-key", config)
 	require.NoError(t, err)
 	require.NotNil(t, key)
 	require.Equal(t, "first-key", key.Name())
@ -165,6 +165,75 @@ func Test_deviceAttest01ValidateWithTPMSimulator(t *testing.T) {
 		wantErr *Error
 	}
 	tests := map[string]func(t *testing.T) test{
+		"ok/doTPMAttestationFormat-storeError": func(t *testing.T) test {
+			_, keyAuth := mustAccountAndKeyAuthorization(t, "token")
+			payload, _, root := mustAttestTPM(t, keyAuth) // TODO: value(s) for AK cert?
+			caRoot := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: root.Raw})
+			ctx := NewProvisionerContext(context.Background(), mustAttestationProvisioner(t, caRoot))
+
+			// parse payload, set invalid "ver", remarshal
+			var p payloadType
+			err := json.Unmarshal(payload, &p)
+			require.NoError(t, err)
+			attObj, err := base64.RawURLEncoding.DecodeString(p.AttObj)
+			require.NoError(t, err)
+			att := attestationObject{}
+			err = cbor.Unmarshal(attObj, &att)
+			require.NoError(t, err)
+			att.AttStatement["ver"] = "bogus"
+			attObj, err = cbor.Marshal(struct {
+				Format       string                 `json:"fmt"`
+				AttStatement map[string]interface{} `json:"attStmt,omitempty"`
+			}{
+				Format:       "tpm",
+				AttStatement: att.AttStatement,
+			})
+			require.NoError(t, err)
+			payload, err = json.Marshal(struct {
+				AttObj string `json:"attObj"`
+			}{
+				AttObj: base64.RawURLEncoding.EncodeToString(attObj),
+			})
+			require.NoError(t, err)
+			return test{
+				args: args{
+					ctx: ctx,
+					ch: &Challenge{
+						ID:              "chID",
+						AuthorizationID: "azID",
+						Token:           "token",
+						Type:            "device-attest-01",
+						Status:          StatusPending,
+						Value:           "device.id.12345678",
+					},
+					payload: payload,
+					db: &MockDB{
+						MockGetAuthorization: func(ctx context.Context, id string) (*Authorization, error) {
+							assert.Equal(t, "azID", id)
+							return &Authorization{ID: "azID"}, nil
+						},
+						MockUpdateChallenge: func(ctx context.Context, updch *Challenge) error {
+							assert.Equal(t, "chID", updch.ID)
+							assert.Equal(t, "token", updch.Token)
+							assert.Equal(t, StatusInvalid, updch.Status)
+							assert.Equal(t, ChallengeType("device-attest-01"), updch.Type)
+							assert.Equal(t, "device.id.12345678", updch.Value)
+
+							err := NewError(ErrorBadAttestationStatementType, `version "bogus" is not supported`)
+
+							assert.EqualError(t, updch.Error.Err, err.Err.Error())
+							assert.Equal(t, err.Type, updch.Error.Type)
+							assert.Equal(t, err.Detail, updch.Error.Detail)
+							assert.Equal(t, err.Status, updch.Error.Status)
+							assert.Equal(t, err.Subproblems, updch.Error.Subproblems)
+
+							return nil
+						},
+					},
+				},
+				wantErr: nil,
+			}
+		},
 		"ok": func(t *testing.T) test {
 			jwk, keyAuth := mustAccountAndKeyAuthorization(t, "token")
 			payload, signer, root := mustAttestTPM(t, keyAuth) // TODO: value(s) for AK cert?
--- a/go.mod
+++ b/go.mod
@ -23,7 +23,6 @@ require (
 	github.com/hashicorp/vault/api v1.9.0
 	github.com/hashicorp/vault/api/auth/approle v0.4.0
 	github.com/hashicorp/vault/api/auth/kubernetes v0.4.0
-	github.com/kr/pretty v0.3.1 // indirect
 	github.com/mattn/go-colorable v0.1.8 // indirect
 	github.com/mattn/go-isatty v0.0.13 // indirect
 	github.com/micromdm/scep/v2 v2.1.0
@ -53,7 +52,6 @@ require (

 require (
 	github.com/google/go-attestation v0.4.4-0.20220404204839-8820d49b18d9
-	github.com/ryboe/q v1.0.19
 	golang.org/x/exp v0.0.0-20230310171629-522b1b587ee0
 )

@ -114,7 +112,6 @@ require (
 	github.com/jackc/pgx/v4 v4.18.0 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/klauspost/compress v1.15.11 // indirect
-	github.com/kr/text v0.2.0 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
 	github.com/manifoldco/promptui v0.9.0 // indirect
 	github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d // indirect
--- a/go.sum
+++ b/go.sum
@ -648,7 +648,6 @@ github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORN
 github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
-github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/pty v1.1.8/go.mod h1:O1sed60cT9XZ5uDucP5qwvh+TE3NnUj51EiZO/lmSfw=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
@ -785,7 +784,6 @@ github.com/pierrec/lz4 v1.0.2-0.20190131084431-473cd7ce01a1/go.mod h1:3/3N9NVKO0
 github.com/pierrec/lz4 v2.0.5+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY=
 github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 h1:KoWmjvw+nsYOo29YJK9vDA65RGE3NrOnUtO7a+RF9HU=
 github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8/go.mod h1:HKlIX3XHQyzLZPlr7++PzdhaXEj94dEiJgZDTsxEqUI=
-github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
@ -853,8 +851,6 @@ github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb
 github.com/ryanuber/columnize v2.1.0+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
 github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk=
 github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc=
-github.com/ryboe/q v1.0.19 h1:1dO1anK4gorZRpXBD/edBZkMxIC1tFIwN03nfyOV13A=
-github.com/ryboe/q v1.0.19/go.mod h1:IoEB3Q2/p6n1qbhIQVuNyakxtnV4rNJ/XJPK+jsEa0M=
 github.com/samuel/go-zookeeper v0.0.0-20190923202752-2cc03de413da/go.mod h1:gi+0XIa01GRL2eRQVjQkKGqKF3SF9vZR/HnPullcV2E=
 github.com/sassoftware/go-rpmutils v0.0.0-20190420191620-a8f1baeba37b/go.mod h1:am+Fp8Bt506lA3Rk3QCmSqmYmLMnPDhdDUcosQCAx+I=
 github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
@ -1028,8 +1024,6 @@ go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqe
 go.step.sm/cli-utils v0.7.5 h1:jyp6X8k8mN1B0uWJydTid0C++8tQhm2kaaAdXKQQzdk=
 go.step.sm/cli-utils v0.7.5/go.mod h1:taSsY8haLmXoXM3ZkywIyRmVij/4Aj0fQbNTlJvv71I=
 go.step.sm/crypto v0.9.0/go.mod h1:+CYG05Mek1YDqi5WK0ERc6cOpKly2i/a5aZmU1sfGj0=
-go.step.sm/crypto v0.28.1-0.20230329130243-a1ebfc5bcff7 h1:2vVWEooAKQArOoGClfst8+/Mu8bu/EHthn3kCu26OGk=
-go.step.sm/crypto v0.28.1-0.20230329130243-a1ebfc5bcff7/go.mod h1:PFmyUJUvF5YDVokruSlTDcENBD/QBDpBiV2zInfsgV0=
 go.step.sm/crypto v0.28.1-0.20230329145110-4ccd51b601c7 h1:8h176gNghpnGnVY99fHHoFZaPOeDR9Q472KuxSCeeRA=
 go.step.sm/crypto v0.28.1-0.20230329145110-4ccd51b601c7/go.mod h1:PFmyUJUvF5YDVokruSlTDcENBD/QBDpBiV2zInfsgV0=
 go.step.sm/linkedca v0.19.0 h1:xuagkR35wrJI2gnu6FAM+q3VmjwsHScvGcJsfZ0GdsI=