Fix ekcert checking

[arianvp]

Fixes #19

[arianvp]

@kfox1111 care to have a look? Without this golang fails to validate spec-compliant EKCerts

[kfox1111]

Thanks for working on this. Sorry for the delay. Some questions inline

[kfox1111]

Dead code?

[arianvp]

oh no I think we should throw an error here if it's not this key usage. Let me add that.

[arianvp]

To solve this correctly in a way that is forwards and backwards compatible we need golang/go#75325

Otherwise, if golang ever starts accepting this OID in the standard library, this code will break.

Luckily this just landed in Go 1.26

How aggressive is SPIRE with adopting new go versions? If we are fine with requiring Go 1.26,I can make the check. Otherwise I suggest we remove this code completely and file an issue to improve this later

[arianvp]

go 1.26 lands in February btw

[arianvp]

after further reading the spec; the field is not critical and also not mandatory. it's marked as Extended Key Usage ExtKeyUsageSyntax tcg-kp-EKCertificate MAY non-critical

So I think I'm going to leave it out for now. As there might be EK Certs in the wild that do not have the field.

https://trustedcomputinggroup.org/wp-content/uploads/TCG-EK-Credential-Profile-for-TPM-Family-2.0-Level-0-Version-2.6_pub.pdf

[arianvp]

Oh look at this: Merged a few days ago: google/go-attestation#471 🥳

[arianvp]

Hmm any idea why CI is not triggering on my PR?

[kfox1111]

Hmm any idea why CI is not triggering on my PR?

hmm... offhand, no. It looks to me like it should work... will try and dig in soon.

[torfjor]

Friendly bump 👋. Would be nice to have this upstream!

[kfox1111]

Thanks for the reminder. will have a look

[kfox1111]

Looks like the only thing outstanding is a fix for the deadcode/exception handling.

[arianvp]

I'll fix this tomorrow.

[arianvp]

This is the (unreleased) commit that implements exactly what we want. google/go-attestation@5514d09

[kfox1111]

LGTM. Thanks! :)

[kfox1111]

Some testing failures

[arianvp]

I've been trying to get the test suite working locally but it seems incompatible with openssl 3 and my distro doesn't ship anything else...

[arianvp]

Okay I'll try to get this fixed. :)

[arianvp]

Ah seems CI is running in ubuntu 20.04 which is not even supported anymore. Seems there is quite a bit of work to clean this up. I doubt the test suite even passes on master on newer versions at the moment

[kfox1111]

quite possible. The tests were inherited from ages ago.

[arianvp]

I commited fixes and ran the tests locally on NixOS and they pass. I naively bumped the CI dockerfile to 24.04 in the hope that that fixes it in CI too

[wagdav]

I looked into the build errors and I left some suggestions to fix it. Hope it helps to get this merged!

[arianvp]

The whole ci seems to be a mess frankly. Giving another shot to clean it up with your suggestions but I have very little tolerance having to deal with docker so if it doesn't work I'll offer switching to Nix for CI or someone else will have to push this PR over the finish line. I'm fine with just pointing my stuff to this branch. The code is working fine for me and all the tests pass 🤷

[arianvp]

I installed podman and podman-compose now but I just get permission denied errors etc. I give up. Someone else can try and fix this.

Though offer to dump all this docker-compose stuff for doing this with nix still stands :)

[wagdav]

@arianvp Using Docker Desktop on Mac, I could build the CI image with your latest changes. The GitHub Actions is now waiting for a maintainer's approval to run.

🤞 🍀

[kfox1111]

I was never involved in the tests, so I'm shooting a little blind there, but it looks ok to me.

[kfox1111]

LGTM. Thanks! :)

[arianvp]

Wooohooo!