google · deeglaze · Jul 13, 2023 · Jul 13, 2023
diff --git a/verify/trust/trust.go b/verify/trust/trust.go
@@ -19,6 +19,7 @@ import (
 	"context"
 	"crypto/x509"
 	_ "embed"
+	"encoding/pem"
 	"fmt"
 	"io"
 	"net/http"
@@ -171,15 +172,29 @@ func (r *AMDRootCerts) Unmarshal(data []byte) error {
 	return nil
 }
 
-// FromDER populates the ProductCerts from DER-formatted certificates for both the ASK and the ARK.
-func (r *ProductCerts) FromDER(ask []byte, ark []byte) error {
-	askCert, err := x509.ParseCertificate(ask)
+// ParseCert returns an X.509 Certificate type for a PEM[CERTIFICATE]- or DER-encoded cert.
+func ParseCert(cert []byte) (*x509.Certificate, error) {
+	raw := cert
+	b, rest := pem.Decode(cert)
+	if b != nil {
+		if len(rest) > 0 || b.Type != "CERTIFICATE" {
+			return nil, fmt.Errorf("bad type %q or trailing bytes (%d). Expected a single certificate when in PEM format",
+				b.Type, len(rest))
+		}
+		raw = b.Bytes
+	}
+	return x509.ParseCertificate(raw)
+}
+
+// Decode populates the ProductCerts from DER-formatted certificates for both the ASK and the ARK.
+func (r *ProductCerts) Decode(ask []byte, ark []byte) error {
+	askCert, err := ParseCert(ask)
 	if err != nil {
 		return fmt.Errorf("could not parse ASK certificate: %v", err)
 	}
 	r.Ask = askCert
 
-	arkCert, err := x509.ParseCertificate(ark)
+	arkCert, err := ParseCert(ark)
 	if err != nil {
 		logger.Errorf("could not parse ARK certificate: %v", err)
 	}
@@ -195,7 +210,7 @@ func (r *ProductCerts) FromKDSCertBytes(data []byte) error {
 	if err != nil {
 		return err
 	}
-	return r.FromDER(ask, ark)
+	return r.Decode(ask, ark)
 }
 
 // FromKDSCert populates r's AskX509 and ArkX509 certificates from the certificate format AMD's Key
@@ -218,7 +233,6 @@ func (r *ProductCerts) X509Options(now time.Time) *x509.VerifyOptions {
 	roots.AddCert(r.Ark)
 	intermediates := x509.NewCertPool()
 	intermediates.AddCert(r.Ask)
-	fmt.Printf("but now is %s\n", now.Format(time.RFC3339))
 	return &x509.VerifyOptions{Roots: roots, Intermediates: intermediates, CurrentTime: now}
 }
 
@@ -271,10 +285,10 @@ func GetProductChain(product string, getter HTTPSGetter) (*ProductCerts, error)
 // Forward all the ProductCerts operations from the AMDRootCerts struct to follow the
 // Law of Demeter.
 
-// FromDER populates the AMDRootCerts from DER-formatted certificates for both the ASK and the ARK.
-func (r *AMDRootCerts) FromDER(ask []byte, ark []byte) error {
+// Decode populates the AMDRootCerts from DER-formatted certificates for both the ASK and the ARK.
+func (r *AMDRootCerts) Decode(ask []byte, ark []byte) error {
 	r.ProductCerts = &ProductCerts{}
-	return r.ProductCerts.FromDER(ask, ark)
+	return r.ProductCerts.Decode(ask, ark)
 }
 
 // FromKDSCertBytes populates r's AskX509 and ArkX509 certificates from the two PEM-encoded

diff --git a/verify/verify.go b/verify/verify.go
@@ -382,19 +382,18 @@ func validateVcekCertificateProductSpecifics(r *trust.AMDRootCerts, cert *x509.C
 	if err := ValidateVcekCertIssuer(r, cert.Issuer); err != nil {
 		return err
 	}
-	fmt.Printf("now is %s\n", opts.Now.Format(time.RFC3339))
 	if _, err := cert.Verify(*r.X509Options(opts.Now)); err != nil {
 		return fmt.Errorf("error verifying VCEK certificate: %v (%v)", err, r.ProductCerts.Ask.IsCA)
 	}
 	// VCEK is not expected to have a CRL link.
 	return nil
 }
 
-// VcekDER checks that the VCEK certificate matches expected fields
+// decodeCerts checks that the VCEK certificate matches expected fields
 // from the KDS specification and also that its certificate chain matches
 // hardcoded trusted root certificates from AMD.
-func VcekDER(vcek []byte, ask []byte, ark []byte, options *Options) (*x509.Certificate, *trust.AMDRootCerts, error) {
-	vcekCert, err := x509.ParseCertificate(vcek)
+func decodeCerts(vcek []byte, ask []byte, ark []byte, options *Options) (*x509.Certificate, *trust.AMDRootCerts, error) {
+	vcekCert, err := trust.ParseCert(vcek)
 	if err != nil {
 		return nil, nil, fmt.Errorf("could not interpret VCEK DER bytes: %v", err)
 	}
@@ -412,7 +411,7 @@ func VcekDER(vcek []byte, ask []byte, ark []byte, options *Options) (*x509.Certi
 			AskSev: trust.DefaultRootCerts[product].AskSev,
 			ArkSev: trust.DefaultRootCerts[product].ArkSev,
 		}
-		if err := root.FromDER(ask, ark); err != nil {
+		if err := root.Decode(ask, ark); err != nil {
 			return nil, nil, err
 		}
 		if err := ValidateX509(root); err != nil {
@@ -539,7 +538,7 @@ func SnpAttestation(attestation *spb.Attestation, options *Options) error {
 		}
 	}
 	chain := attestation.GetCertificateChain()
-	vcek, root, err := VcekDER(chain.GetVcekCert(), chain.GetAskCert(), chain.GetArkCert(), options)
+	vcek, root, err := decodeCerts(chain.GetVcekCert(), chain.GetAskCert(), chain.GetArkCert(), options)
 	if err != nil {
 		return err
 	}

diff --git a/verify/verify_test.go b/verify/verify_test.go
@@ -20,6 +20,7 @@ import (
 	"crypto/x509/pkix"
 	_ "embed"
 	"encoding/asn1"
+	"encoding/pem"
 	"math/big"
 	"math/rand"
 	"os"
@@ -309,9 +310,10 @@ func TestKdsMetadataLogic(t *testing.T) {
 		if tc.wantErr != "" {
 			options = &Options{}
 		}
-		vcek, _, err := VcekDER(newSigner.Vcek.Raw, newSigner.Ask.Raw, newSigner.Ark.Raw, options)
+		vcekPem := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: newSigner.Vcek.Raw})
+		vcek, _, err := decodeCerts(vcekPem, newSigner.Ask.Raw, newSigner.Ark.Raw, options)
 		if !test.Match(err, tc.wantErr) {
-			t.Errorf("%s: VcekDER(...) = %+v, %v did not error as expected. Want %q", tc.name, vcek, err, tc.wantErr)
+			t.Errorf("%s: decodeCerts(...) = %+v, %v did not error as expected. Want %q", tc.name, vcek, err, tc.wantErr)
 		}
 	}
 }