flashbots · metachris · Nov 18, 2024 · Nov 15, 2024 · Nov 15, 2024
diff --git a/internal/attestation/attestation.go b/internal/attestation/attestation.go
@@ -45,13 +45,17 @@ const (
 
 // Logger is a logger used to print warnings and infos during attestation validation.
 type Logger interface {
+	Debug(msg string, args ...any)
 	Info(msg string, args ...any)
 	Warn(msg string, args ...any)
 }
 
 // NOPLogger is a no-op implementation of [Logger].
 type NOPLogger struct{}
 
+// Debug is a no-op.
+func (NOPLogger) Debug(string, ...interface{}) {}
+
 // Info is a no-op.
 func (NOPLogger) Info(string, ...interface{}) {}
 

diff --git a/internal/attestation/azure/snp/validator.go b/internal/attestation/azure/snp/validator.go
@@ -223,15 +223,6 @@ func (v *Validator) checkIDKeyDigest(ctx context.Context, report *spb.Attestatio
 	return nil
 }
 
-// nopAttestationLogger is a no-op implementation of AttestationLogger.
-type nopAttestationLogger struct{}
-
-// Infof is a no-op.
-func (nopAttestationLogger) Info(string, ...interface{}) {}
-
-// Warnf is a no-op.
-func (nopAttestationLogger) Warn(string, ...interface{}) {}
-
 type maaValidator interface {
 	validateToken(ctx context.Context, maaURL string, token string, extraData []byte) error
 }

diff --git a/internal/attestation/vtpm/attestation.go b/internal/attestation/vtpm/attestation.go
@@ -224,7 +224,7 @@ func (v *Validator) Validate(ctx context.Context, attDocRaw []byte, nonce []byte
 	if err := json.Unmarshal(attDocRaw, &attDoc); err != nil {
 		return nil, fmt.Errorf("unmarshaling TPM attestation document: %w", err)
 	}
-	v.log.Warn(fmt.Sprintf("Attestation document: %s", string(attDocRaw)))
+	v.log.Debug(fmt.Sprintf("Attestation document: %s", string(attDocRaw)))
 
 	extraData := attestation.MakeExtraData(attDoc.UserData, nonce)
 

diff --git a/internal/attestation/vtpm/attestation_test.go b/internal/attestation/vtpm/attestation_test.go
@@ -478,13 +478,18 @@ func TestGetSelectedMeasurements(t *testing.T) {
 
 type testAttestationLogger struct {
 	infos    []string
+	debugs   []string
 	warnings []string
 }
 
 func (w *testAttestationLogger) Info(format string, args ...any) {
 	w.infos = append(w.infos, fmt.Sprintf(format, args...))
 }
 
+func (w *testAttestationLogger) Debug(format string, args ...any) {
+	w.debugs = append(w.debugs, fmt.Sprintf(format, args...))
+}
+
 func (w *testAttestationLogger) Warn(format string, args ...any) {
 	w.warnings = append(w.warnings, fmt.Sprintf(format, args...))
 }
diff --git a/proxy/atls_config.go b/proxy/atls_config.go
@@ -12,11 +12,11 @@ import (
 
 	"github.com/flashbots/cvm-reverse-proxy/internal/atls"
 	azure_tdx "github.com/flashbots/cvm-reverse-proxy/internal/attestation/azure/tdx"
-	dcap_tdx "github.com/flashbots/cvm-reverse-proxy/tdx"
 	"github.com/flashbots/cvm-reverse-proxy/internal/attestation/measurements"
 	"github.com/flashbots/cvm-reverse-proxy/internal/attestation/variant"
 	"github.com/flashbots/cvm-reverse-proxy/internal/cloud/cloudprovider"
 	"github.com/flashbots/cvm-reverse-proxy/internal/config"
+	dcap_tdx "github.com/flashbots/cvm-reverse-proxy/tdx"
 )
 
 type AttestationType string
@@ -120,6 +120,10 @@ func (w AttestationLogger) Info(format string, args ...any) {
 	w.Log.Log(context.TODO(), slog.LevelInfo, fmt.Sprintf(format, args...))
 }
 
+func (w AttestationLogger) Debug(format string, args ...any) {
+	w.Log.Log(context.TODO(), slog.LevelDebug, fmt.Sprintf(format, args...))
+}
+
 func (w AttestationLogger) Warn(format string, args ...any) {
 	w.Log.Log(context.TODO(), slog.LevelWarn, fmt.Sprintf(format, args...))
 }
diff --git a/proxy/proxy.go b/proxy/proxy.go
@@ -2,6 +2,7 @@ package proxy
 
 import (
 	"crypto/tls"
+	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/asn1"
 	"encoding/hex"
@@ -108,12 +109,12 @@ func (p *Proxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	p.log.With("duration", duration).Info("[proxy-request] proxying complete")
 }
 
-func (p *Proxy) getMeasurementsFromTLS(conn *tls.ConnectionState) (atlsVariant variant.Variant, measurements map[uint32][]byte, err error) {
+func GetMeasurementsFromTLS(certs []*x509.Certificate, validatorOIDs []asn1.ObjectIdentifier) (atlsVariant variant.Variant, measurements map[uint32][]byte, err error) {
 	// In verifyEmbeddedReport which is used to validate the extensions, only the first matching extension is validated! Refuse to accept multiple
 	var ATLSExtension *pkix.Extension = nil
-	for _, cert := range conn.PeerCertificates {
+	for _, cert := range certs {
 		for _, ext := range cert.Extensions {
-			for _, validatorOID := range p.validatorOIDs {
+			for _, validatorOID := range validatorOIDs {
 				if ext.Id.Equal(validatorOID) {
 					if ATLSExtension != nil {
 						return nil, nil, errors.New("more than one ATLS extension provided, refusing to continue")
@@ -142,7 +143,8 @@ func (p *Proxy) getMeasurementsFromTLS(conn *tls.ConnectionState) (atlsVariant v
 }
 
 func (p *Proxy) copyMeasurementsToHeader(conn *tls.ConnectionState, header *http.Header) (int, error) {
-	atlsVariant, extractedMeasurements, err := p.getMeasurementsFromTLS(conn)
+	certs := conn.PeerCertificates
+	atlsVariant, extractedMeasurements, err := GetMeasurementsFromTLS(certs, p.validatorOIDs)
 	if err != nil {
 		return http.StatusTeapot, err
 	} else if extractedMeasurements == nil {