chore: insecure mode feature flag

Signed-off-by: Richard Zak <[email protected]>

Author: rjzak

Cargo.toml

@@ -50,6 +50,10 @@ memoffset = { version = "0.7.1", default-features = false }
 rstest = { version = "0.15", default-features = false }
 testaso = { version = "0.1", default-features = false }
 
+[features]
+default = []
+insecure = []
+
 [profile.release]
 incremental = false
 codegen-units = 1

src/ext/kvm.rs

@@ -19,7 +19,7 @@ impl ExtVerifier for Kvm {
     const OID: ObjectIdentifier = ObjectIdentifier::new_unwrap("1.3.6.1.4.1.58270.1.1");
     const ATT: bool = true;
 
-    fn verify(&self, _cri: &CertReqInfo<'_>, ext: &Extension<'_>, dbg: bool) -> Result<bool> {
+    fn verify(&self, _cri: &CertReqInfo<'_>, ext: &Extension<'_>) -> Result<bool> {
         if ext.critical {
             return Err(anyhow!("kvm extension cannot be critical"));
         }
@@ -28,10 +28,10 @@ impl ExtVerifier for Kvm {
             return Err(anyhow!("invalid kvm extension"));
         }
 
-        if !dbg {
-            return Err(anyhow!("steward not in debug mode"));
-        }
+        #[cfg(not(feature = "insecure"))]
+        return Err(anyhow!("steward not in debug mode"));
 
+        #[cfg(feature = "insecure")]
         Ok(true)
     }
 }

src/ext/mod.rs

@@ -28,5 +28,5 @@ pub trait ExtVerifier {
     /// certificate. Returning `Ok(false)` will allow the certification request
     /// to continue, but this particular extension will not be included
     /// in the resulting certificate.
-    fn verify(&self, cri: &CertReqInfo<'_>, ext: &Extension<'_>, dbg: bool) -> Result<bool>;
+    fn verify(&self, cri: &CertReqInfo<'_>, ext: &Extension<'_>) -> Result<bool>;
 }

src/ext/sgx/mod.rs

@@ -11,8 +11,12 @@ use std::fmt::Debug;
 
 use anyhow::{anyhow, Result};
 use const_oid::ObjectIdentifier;
-use der::{Decode, Encode};
+use der::Decode;
+#[cfg(not(feature = "insecure"))]
+use der::Encode;
+#[cfg(not(feature = "insecure"))]
 use sgx::parameters::{Attributes, MiscSelect};
+#[cfg(not(feature = "insecure"))]
 use sha2::{Digest, Sha256};
 use x509::{ext::Extension, request::CertReqInfo, Certificate, TbsCertificate};
 
@@ -42,7 +46,7 @@ impl ExtVerifier for Sgx {
     const OID: ObjectIdentifier = ObjectIdentifier::new_unwrap("1.3.6.1.4.1.58270.1.2");
     const ATT: bool = true;
 
-    fn verify(&self, cri: &CertReqInfo<'_>, ext: &Extension<'_>, dbg: bool) -> Result<bool> {
+    fn verify(&self, cri: &CertReqInfo<'_>, ext: &Extension<'_>) -> Result<bool> {
         if ext.critical {
             return Err(anyhow!("sgx extension cannot be critical"));
         }
@@ -62,7 +66,8 @@ impl ExtVerifier for Sgx {
 
         // Validate the report.
         let pck = self.trusted(&chain)?;
-        let rpt = quote.verify(pck)?;
+        #[cfg(feature = "insecure")]
+        quote.verify(pck)?;
 
         // Force certs to have the same key type as the PCK.
         //
@@ -82,7 +87,10 @@ impl ExtVerifier for Sgx {
             return Err(anyhow!("sgx pck algorithm mismatch"));
         }
 
-        if !dbg {
+        #[cfg(not(feature = "insecure"))]
+        {
+            let rpt = quote.verify(pck)?;
+
             // TODO: Validate that the certification request came from an SGX enclave.
             let hash = Sha256::digest(&cri.public_key.to_vec()?);
             if hash.as_slice() != &rpt.reportdata[..hash.as_slice().len()] {

src/ext/snp/mod.rs

@@ -13,6 +13,7 @@ use der::asn1::UIntRef;
 use der::{Decode, Encode, Sequence};
 use flagset::{flags, FlagSet};
 use sec1::pkcs8::AlgorithmIdentifier;
+#[cfg(not(feature = "insecure"))]
 use sha2::Digest;
 use x509::ext::Extension;
 use x509::{request::CertReqInfo, Certificate};
@@ -241,7 +242,7 @@ impl ExtVerifier for Snp {
     const OID: ObjectIdentifier = ObjectIdentifier::new_unwrap("1.3.6.1.4.1.58270.1.3");
     const ATT: bool = true;
 
-    fn verify(&self, cri: &CertReqInfo<'_>, ext: &Extension<'_>, dbg: bool) -> Result<bool> {
+    fn verify(&self, cri: &CertReqInfo<'_>, ext: &Extension<'_>) -> Result<bool> {
         if ext.critical {
             return Err(anyhow!("snp extension cannot be critical"));
         }
@@ -372,7 +373,8 @@ impl ExtVerifier for Snp {
             }
         }
 
-        if !dbg {
+        #[cfg(not(feature = "insecure"))]
+        {
             // Validate that the certification request came from an SNP VM.
             let hash = sha2::Sha384::digest(&cri.public_key.to_vec()?);
             if hash.as_slice() != &report.body.report_data[..hash.as_slice().len()] {