From 6990a9013ce5fa9be54458682dc0250947138eba Mon Sep 17 00:00:00 2001
From: Leonard Cohnen
Date: Wed, 7 Feb 2024 16:18:09 +0100
Subject: [PATCH] oid: move snp issuer and validator oid to own package
---
 internal/attestation/snp/extensions.go | 5 ++++-
 internal/attestation/snp/issuer.go | 3 ++-
 internal/attestation/snp/validator.go | 3 ++-
 internal/oid/oid.go | 7 +++++++
 4 files changed, 15 insertions(+), 3 deletions(-)
 create mode 100644 internal/oid/oid.go
diff --git a/internal/attestation/snp/extensions.go b/internal/attestation/snp/extensions.go
index dc7d45fc9..629ebe9fb 100644
--- a/internal/attestation/snp/extensions.go
+++ b/internal/attestation/snp/extensions.go
@@ -6,6 +6,7 @@ import (
 "fmt"
 "math/big"
+ "github.com/edgelesssys/nunki/internal/oid"
 "github.com/google/go-sev-guest/abi"
 "github.com/google/go-sev-guest/kds"
 "github.com/google/go-sev-guest/proto/sevsnp"
@@ -13,7 +14,9 @@ import (
 )
 var (
- rootOID = asn1.ObjectIdentifier{1, 3, 9901, 2, 1}
+ // We use the raw SNP OID as root range for our parsed SNP report extensions.
+ // This OID NOT be used for any parsed extension directly.
+ rootOID = oid.RawSNPReport
 versionOID = append(rootOID, 1)
 guestSVNOID = append(rootOID, 2)
diff --git a/internal/attestation/snp/issuer.go b/internal/attestation/snp/issuer.go
index 29ba4c7da..76b056fb7 100644
--- a/internal/attestation/snp/issuer.go
+++ b/internal/attestation/snp/issuer.go
@@ -14,6 +14,7 @@ import (
 "fmt"
 "log/slog"
+ "github.com/edgelesssys/nunki/internal/oid"
 "github.com/google/go-sev-guest/client"
 )
@@ -29,7 +30,7 @@ func NewIssuer(log *slog.Logger) *Issuer {
 // OID returns the OID of the issuer.
 func (i *Issuer) OID() asn1.ObjectIdentifier {
- return asn1.ObjectIdentifier{1, 3, 9901, 2, 1}
+ return oid.RawSNPReport
 }
 // Issue the attestation document.
diff --git a/internal/attestation/snp/validator.go b/internal/attestation/snp/validator.go
index 29f31ce09..ac409f6de 100644
--- a/internal/attestation/snp/validator.go
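Review bot: The new comment above `rootOID` in extensions.go is missing a word — `// This OID NOT be used for any parsed extension directly.` should read `// This OID must NOT be used for any parsed extension directly.`. Separately, `rootOID` is now an alias of the exported `oid.RawSNPReport` slice and `versionOID`/`guestSVNOID` are built with `append(rootOID, …)`; today each append allocates because the literal has no spare capacity, but if `RawSNPReport` is ever constructed with capacity beyond its length, the two appends would write into the same backing array and the child OIDs would silently overwrite each other. Capping the capacity at the derivation point makes every append allocate regardless of how the package variable is built: `rootOID = oid.RawSNPReport[:len(oid.RawSNPReport):len(oid.RawSNPReport)]`. The `var (` block appears to continue past the end of the hunk.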
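Review bot: `Issuer.OID` in issuer.go now returns the package-level `oid.RawSNPReport` slice itself, where the removed line returned a fresh literal on every call, so a caller that writes through an index of the returned value mutates the shared variable — and with it what every other `OID()` call and the `rootOID`-derived extension OIDs in extensions.go report. `Validator.OID` in validator.go has the same change. Either hand out a copy, `return append(asn1.ObjectIdentifier(nil), oid.RawSNPReport...)`, or state the contract on the method: `// OID returns the OID of the issuer. The returned slice is shared; callers must not modify it.`. The same one-line fix applies to the validator hunk.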
+++ b/internal/attestation/snp/validator.go
@@ -15,6 +15,7 @@ import (
 "log/slog"
 "github.com/edgelesssys/nunki/internal/logger"
+ "github.com/edgelesssys/nunki/internal/oid"
 "github.com/google/go-sev-guest/abi"
 "github.com/google/go-sev-guest/proto/sevsnp"
 "github.com/google/go-sev-guest/validate"
@@ -71,7 +72,7 @@ func NewValidatorWithCallbacks(optsGen validateOptsGenerator, kdsGetter trust.HT
 // OID returns the OID of the validator.
 func (v *Validator) OID() asn1.ObjectIdentifier {
- return asn1.ObjectIdentifier{1, 3, 9901, 2, 1}
+ return oid.RawSNPReport
 }
 // Validate a TPM based attestation.
diff --git a/internal/oid/oid.go b/internal/oid/oid.go
new file mode 100644
index 000000000..1ece3c391
--- /dev/null
+++ b/internal/oid/oid.go
@@ -0,0 +1,7 @@
+package oid
+
+import "encoding/asn1"
+
+// RawSNPReport is the root OID for the raw SNP report extensions
+// used by the aTLS issuer and validator.
+var RawSNPReport = asn1.ObjectIdentifier{1, 3, 9901, 2, 1}
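Review bot: `RawSNPReport` in the new oid.go is an exported, mutable package-level `var`, so every importer shares one backing array and a write through an index anywhere — or an `append` on a derived slice once the value has spare capacity — is seen by the issuer, the validator and the extension parsing at the same time; for a value that decides which validator handles which attestation document, that is worth pinning down. Go has no constant slices, so either extend the doc comment with `// RawSNPReport must be treated as read-only; copy it before appending to or modifying it.` or expose it as a function returning a fresh literal on each call, `func RawSNPReport() asn1.ObjectIdentifier { return asn1.ObjectIdentifier{1, 3, 9901, 2, 1} }`, which the three call sites in this patch would use as `oid.RawSNPReport()`. The new package also has no package doc comment; `// Package oid holds the object identifiers shared by the attestation issuers and validators.` above `package oid` would cover it.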