chore: insecure mode feature flag

Signed-off-by: Richard Zak <[email protected]>

Author: rjzak

Cargo.toml

@@ -46,6 +46,10 @@ rstest = { version = "0.16", default-features = false }
 sgx = { version = "0.6.0", default-features = false }
 testaso = { version = "0.1", default-features = false }
 
+[features]
+default = []
+insecure = []
+
 [profile.release]
 incremental = false
 codegen-units = 1

crates/sgx_validation/src/lib.rs

@@ -12,9 +12,12 @@ use std::fmt::Debug;
 use crate::config::Config;
 use anyhow::{bail, ensure, Result};
 use cryptography::const_oid::ObjectIdentifier;
+#[cfg(not(feature = "insecure"))]
 use cryptography::sha2::{Digest, Sha256};
 use cryptography::x509::{ext::Extension, request::CertReqInfo, Certificate, TbsCertificate};
-use der::{Decode, Encode};
+use der::Decode;
+#[cfg(not(feature = "insecure"))]
+use der::Encode;
 
 #[derive(Clone, Debug)]
 pub struct Sgx([Certificate<'static>; 1]);
@@ -44,7 +47,6 @@ impl Sgx {
         cri: &CertReqInfo<'_>,
         ext: &Extension<'_>,
         config: Option<&Config>,
-        dbg: bool,
     ) -> Result<bool> {
         ensure!(!ext.critical, "sgx extension cannot be critical");
 
@@ -82,7 +84,8 @@ impl Sgx {
             "sgx pck algorithm mismatch"
         );
 
-        if !dbg {
+        #[cfg(not(feature = "insecure"))]
+        {
             // Validate that the certification request came from an SGX enclave.
             let hash = Sha256::digest(cri.public_key.to_vec()?);
             ensure!(

crates/snp_validation/src/lib.rs

@@ -12,7 +12,9 @@ use cryptography::const_oid::db::rfc5912::ECDSA_WITH_SHA_384;
 use cryptography::const_oid::ObjectIdentifier;
 use cryptography::ext::TbsCertificateExt;
 use cryptography::sec1::pkcs8::AlgorithmIdentifier;
-use cryptography::sha2::{Digest, Sha384};
+#[cfg(not(feature = "insecure"))]
+use cryptography::sha2::Digest;
+use cryptography::sha2::Sha384;
 use cryptography::x509::ext::Extension;
 use cryptography::x509::{request::CertReqInfo, Certificate};
 use cryptography::x509::{PkiPath, TbsCertificate};
@@ -258,7 +260,6 @@ impl Snp {
         cri: &CertReqInfo<'_>,
         ext: &Extension<'_>,
         config: Option<&Config>,
-        dbg: bool,
     ) -> Result<bool> {
         ensure!(!ext.critical, "snp extension cannot be critical");
 
@@ -382,7 +383,8 @@ impl Snp {
 
         ensure!(report.body.vmpl == 0, "snp report vmpl field invalid value");
 
-        if !dbg {
+        #[cfg(not(feature = "insecure"))]
+        {
             // Validate that the certification request came from an SNP VM.
             let hash = Sha384::digest(cri.public_key.to_vec()?);
             ensure!(

src/kvm.rs

@@ -17,12 +17,7 @@ impl Kvm {
     pub(crate) const OID: ObjectIdentifier = ObjectIdentifier::new_unwrap("1.3.6.1.4.1.58270.1.1");
     pub(crate) const ATT: bool = true;
 
-    pub(crate) fn verify(
-        &self,
-        _cri: &CertReqInfo<'_>,
-        ext: &Extension<'_>,
-        dbg: bool,
-    ) -> Result<bool> {
+    pub(crate) fn verify(&self, _cri: &CertReqInfo<'_>, ext: &Extension<'_>) -> Result<bool> {
         if ext.critical {
             return Err(anyhow!("kvm extension cannot be critical"));
         }
@@ -31,10 +26,10 @@ impl Kvm {
             return Err(anyhow!("invalid kvm extension"));
         }
 
-        if !dbg {
-            return Err(anyhow!("steward not in debug mode"));
-        }
+        #[cfg(not(feature = "insecure"))]
+        return Err(anyhow!("steward not in debug mode"));
 
+        #[cfg(feature = "insecure")]
         Ok(true)
     }
 }