fixup! Update internal/attestation/snp/validator.go

Co-authored-by: Tom Dohrmann <[email protected]>

cli/cmd/common.go

@@ -97,7 +97,7 @@ func validatorsFromManifest(m *manifest.Manifest, log *slog.Logger, hostData []b
 
 	var validators []atls.Validator
 	for _, opt := range opts {
-		validators = append(validators, snp.NewValidator(opt, [][]byte{hostData}, kdsGetter,
+		validators = append(validators, snp.NewValidator(opt, []manifest.HexString{manifest.NewHexString(hostData)}, kdsGetter,
 			logger.NewWithAttrs(logger.NewNamed(log, "validator"), map[string]string{"tee-type": "snp"}),
 		))
 	}

coordinator/internal/authority/credentials.go

@@ -15,6 +15,7 @@ import (
 	"github.com/edgelesssys/contrast/internal/atls"
 	"github.com/edgelesssys/contrast/internal/attestation/snp"
 	"github.com/edgelesssys/contrast/internal/logger"
+	"github.com/edgelesssys/contrast/internal/manifest"
 	"github.com/edgelesssys/contrast/internal/memstore"
 	"github.com/google/go-sev-guest/proto/sevsnp"
 	"github.com/prometheus/client_golang/prometheus"
@@ -77,9 +78,9 @@ func (c *Credentials) ServerHandshake(rawConn net.Conn) (net.Conn, credentials.A
 		return nil, nil, fmt.Errorf("generating SNP validation options: %w", err)
 	}
 
-	var allowedHostDataEntries [][]byte
+	var allowedHostDataEntries []manifest.HexString
 	for entry := range state.Manifest.Policies {
-		allowedHostDataEntries = append(allowedHostDataEntries, []byte(entry))
+		allowedHostDataEntries = append(allowedHostDataEntries, entry)
 	}
 
 	var validators []atls.Validator

internal/attestation/snp/validator.go

@@ -13,6 +13,7 @@ import (
 	"slices"
 
 	"github.com/edgelesssys/contrast/internal/attestation/reportdata"
+	"github.com/edgelesssys/contrast/internal/manifest"
 	"github.com/edgelesssys/contrast/internal/oid"
 	"github.com/google/go-sev-guest/abi"
 	"github.com/google/go-sev-guest/proto/sevsnp"
@@ -26,7 +27,7 @@ import (
 // Validator validates attestation statements.
 type Validator struct {
 	opts                   *validate.Options
-	allowedHostDataEntries [][]byte // Allowed host data entries in the report. If any of these is present, the report is considered valid.
+	allowedHostDataEntries []manifest.HexString // Allowed host data entries in the report. If any of these is present, the report is considered valid.
 	callbackers            []validateCallbacker
 	kdsGetter              trust.HTTPSGetter
 	logger                 *slog.Logger
@@ -43,7 +44,7 @@ type validateCallbacker interface {
 }
 
 // NewValidator returns a new Validator.
-func NewValidator(opts *validate.Options, allowedHostDataEntries [][]byte,
+func NewValidator(opts *validate.Options, allowedHostDataEntries []manifest.HexString,
 	kdsGetter trust.HTTPSGetter, log *slog.Logger,
 ) *Validator {
 	return &Validator{
@@ -55,7 +56,7 @@ func NewValidator(opts *validate.Options, allowedHostDataEntries [][]byte,
 }
 
 // NewValidatorWithCallbacks returns a new Validator with callbacks.
-func NewValidatorWithCallbacks(opts *validate.Options, allowedHostDataEntries [][]byte, kdsGetter trust.HTTPSGetter,
+func NewValidatorWithCallbacks(opts *validate.Options, allowedHostDataEntries []manifest.HexString, kdsGetter trust.HTTPSGetter,
 	log *slog.Logger, attestationFailures prometheus.Counter, callbacks ...validateCallbacker,
 ) *Validator {
 	return &Validator{
@@ -126,14 +127,9 @@ func (v *Validator) Validate(ctx context.Context, attDocRaw []byte, nonce []byte
 
 	// Validate the host data.
 
-	var foundMatch bool
-	for _, entry := range v.allowedHostDataEntries {
-		if slices.Equal(entry, attestation.Report.HostData) {
-			foundMatch = true
-			break
-		}
-	}
-	if !foundMatch {
+	if !slices.ContainsFunc(v.allowedHostDataEntries, func(entry manifest.HexString) bool {
+		return manifest.NewHexString(attestation.Report.HostData) == entry
+	}) {
 		return fmt.Errorf("host data not allowed (found: %v allowed: %v)", attestation.Report.HostData, v.allowedHostDataEntries)
 	}