GetCrlAndCheckRoot: always verify CRL
Before, when a CRL was set in the TrustedRoot, its CRL was not checked.
Since the CRL is only checked on retrieval, setting a CRL disabled the CRL
verification. So either the user needs to check the CRL manually before
setting it or let the library request the CRL again. The second option
breaks attestation when being strict about CRL verification and the KDS
is not available.

Change this to always verify the CRL when calling SnpAttestation.

Signed-off-by: Leonard Cohnen <lc@edgeless.systems>
3u13r committed Jan 28, 2025
1 parent f2a3d50 commit 5712b21
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions verify/verify.go
Expand Up @@ -301,6 +301,9 @@ func GetCrlAndCheckRoot(r *trust.AMDRootCerts, opts *Options) (*x509.RevocationL
getter = trust.DefaultHTTPSGetter()
}
if r.CRL != nil && opts.Now.Before(r.CRL.NextUpdate) {
if err := verifyCRL(r); err != nil {
return nil, err
}
return r.CRL, nil
}
var errs error
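Review bot: the error from `verifyCRL(r)` on the preset-CRL path is returned unwrapped, so a caller cannot tell a failure of the CRL supplied in the TrustedRoot apart from a failure of a CRL fetched from the KDS later in this function; consider `return nil, fmt.Errorf("verifying preset CRL: %w", err)` so the attestation error names which CRL was rejected. Note also that the new check only runs inside the `opts.Now.Before(r.CRL.NextUpdate)` branch, so a preset CRL that is already past its NextUpdate is skipped and the function falls through to the fetch path rather than being verified here; that matches the previous behaviour but is worth a sentence in the function's doc comment. A unit test that sets `r.CRL` to a CRL not signed by the AMD root and asserts that `GetCrlAndCheckRoot` now fails instead of silently returning it would lock in the fix described in the commit message.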
