initdata: calculate digest based on raw string

Calculate initdata digest based on raw string rather than b64 Signed-off-by: Qi Feng Huo <huoqif@cn.ibm.com>
confidential-containers · Aug 7, 2024 · a59deed · a59deed
1 parent 54ab3b5
commit a59deed
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 5 deletions.
diff --git a/src/cloud-api-adaptor/docs/initdata.md b/src/cloud-api-adaptor/docs/initdata.md
@@ -164,7 +164,7 @@ It also calculates the digest `/run/peerpod/initdata.digest` based on the `algor
 
 `/run/peerpod/initdata.digest` could be used by the TEE drivers.
 
-The digest can be calculated manually and set to attestation service policy before hand if needed. To calculate the digest, use a tool (for example some online sha tools) to calculate the hash value based on the initdata annotation string. The calculated sha384 is: `9a9118fe416a0460023e146e580fb31d2155a22ac8b111f9a480d3eb7c6de8048b5f648a2961170f45b689526048a09a` for above sample.
+The digest can be calculated manually and set to attestation service policy before hand if needed. To calculate the digest, use a tool (for example some online sha tools) to calculate the hash value based on the initdata raw string. The calculated sha384 is: `52af3178dd7ad4bf551e629b84b45bfd1fbe1434b980120267181ae3575ea20ca9013b8eadf31d27eed7ff2552d500ef` for above sample.
 
 ## TODO
 A large policy bodies that cannot be provisioned via IMDS user-data, the limitation depends on providers IMDS limitation. We need add checking and limitations according to test result future. 
diff --git a/src/cloud-api-adaptor/pkg/userdata/provision.go b/src/cloud-api-adaptor/pkg/userdata/provision.go
@@ -240,13 +240,13 @@ func extractInitdataAndHash(cfg *Config) error {
 	checksumStr := ""
 	switch initdata.Algorithm {
 	case "sha256":
-		hash := sha256.Sum256(dataBytes)
+		hash := sha256.Sum256(decodedBytes)
 		checksumStr = hex.EncodeToString(hash[:])
 	case "sha384":
-		hash := sha512.Sum384(dataBytes)
+		hash := sha512.Sum384(decodedBytes)
 		checksumStr = hex.EncodeToString(hash[:])
 	case "sha512":
-		hash := sha512.Sum512(dataBytes)
+		hash := sha512.Sum512(decodedBytes)
 		checksumStr = hex.EncodeToString(hash[:])
 	default:
 		return fmt.Errorf("Error creating initdata hash, the Algorithm %s not supported", initdata.Algorithm)

diff --git a/src/cloud-api-adaptor/pkg/userdata/provision_test.go b/src/cloud-api-adaptor/pkg/userdata/provision_test.go
@@ -157,7 +157,7 @@ default WaitProcessRequest := true
 default WriteStreamRequest := false
 `
 
-var testCheckSum = "9a9118fe416a0460023e146e580fb31d2155a22ac8b111f9a480d3eb7c6de8048b5f648a2961170f45b689526048a09a"
+var testCheckSum = "52af3178dd7ad4bf551e629b84b45bfd1fbe1434b980120267181ae3575ea20ca9013b8eadf31d27eed7ff2552d500ef"
 var cc_init_data = "YWxnb3JpdGhtID0gInNoYTM4NCIKdmVyc2lvbiA9ICIwLjEuMCIKCltkYXRhXQoiYWEudG9tbCIgPSAnJycKW3Rva2VuX2NvbmZpZ3NdClt0b2tlbl9jb25maWdzLmNvY29fYXNdCnVybCA9ICdodHRwOi8vMTI3LjAuMC4xOjgwODAnCgpbdG9rZW5fY29uZmlncy5rYnNdCnVybCA9ICdodHRwOi8vMTI3LjAuMC4xOjgwODAnCmNlcnQgPSAiIiIKLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURsakNDQW42Z0F3SUJBZ0lVUi9VTmgxM0dGYW00ZW1nbHVkdHlwZS9TOUJJd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2RURUxNQWtHQTFVRUJoTUNRMDR4RVRBUEJnTlZCQWdNQ0Zwb1pXcHBZVzVuTVJFd0R3WURWUVFIREFoSQpZVzVuZW1odmRURVJNQThHQTFVRUNnd0lRVUZUTFZSRlUxUXhGREFTQmdOVkJBc01DMFJsZG1Wc2IzQnRaVzUwCk1SY3dGUVlEVlFRRERBNUJRVk10VkVWVFZDMUlWRlJRVXpBZUZ3MHlOREF6TVRnd056QXpOVE5hRncweU5UQXoKTVRnd056QXpOVE5hTUhVeEN6QUpCZ05WQkFZVEFrTk9NUkV3RHdZRFZRUUlEQWhhYUdWcWFXRnVaekVSTUE4RwpBMVVFQnd3SVNHRnVaM3BvYjNVeEVUQVBCZ05WQkFvTUNFRkJVeTFVUlZOVU1SUXdFZ1lEVlFRTERBdEVaWFpsCmJHOXdiV1Z1ZERFWE1CVUdBMVVFQXd3T1FVRlRMVlJGVTFRdFNGUlVVRk13Z2dFaU1BMEdDU3FHU0liM0RRRUIKQVFVQUE0SUJEd0F3Z2dFS0FvSUJBUURmcDFhQnI2TGlOUkJsSlVjREdjQWJjVUNQRzZVenl3dFZJYzgrY29tUwpheS8vZ3d6MkFrRG1GVnZxd0k0YmRwL05VQ3dTQzZTaEh6eHNyQ0VpYWdSS3RBM2FmL2NrTTdoT2tiNFM2dS81CmV3SEhGY0w2WU9VcCtOT0g1L2RTTHJGSExqZXQwZHQ0TGt5TkJQZTdtS0F5Q0pYZmlYM3diMjV3SUJCMFRmYTAKcDVWb0t6d1dlRFFCeDdhWDhUS2JHNi9GWklpT1hHWmRsMjRER0FSaXFFM1hpZlg3REg5aVZaMlYyUkw5KzNXWQowNUdFVE5GUEt0Y3JOd1R5OFN0OC9Ic1dWeGpBekdGemY3NUxieXM5RmYzSk1Ec2c5elF6Z2NKSnpZV2lzeGxZCmczQ21uYkVOUDBlb0hTNFdqUWxUVXlZMG10bk93b2RvNFZkZjhaT2tVNHdKQWdNQkFBR2pIakFjTUJvR0ExVWQKRVFRVE1CR0NDV3h2WTJGc2FHOXpkSWNFZndBQUFUQU5CZ2txaGtpRzl3MEJBUXNGQUFPQ0FRRUFLVzMyc3BpaQp0MkpCN0MxSXZZcEp3NW1RNWJoSWxsZEUwaUI1cndXdk5idURnUHJnZlRJNHhpWDVzdW1kSHcrUDIrR1U5S1hGCm5Xa0ZSWjlXLzI2eEZyVmdHSVMvYTA3YUk3eHJscDBPaisxdU85MVVoQ0wzSGhNRS8wdFBDNnoxaWFGZVpwOFkKVDF0TG5hZnFpR2lUaEZVZ3ZnNlBLdDg2ZW5YNjB2R2FUWTdzc2xSbGdiRHI5c0FpL05EU1M3VTFQdml1QzZ5bwp5Smk3QkRpUlN4N0tyTUdMc2NRK0FLS28yUkYxTUx6bEpNYTFrSVpmdktEQlhGelJkNjFLNUlqRFJRNEhRaHdYCkRZRWJRdm9aSWtVVGMxZ0JVV0RjQVVTNXp0YkpnOUxDYjlXVnR2VVRxVFAybEd1TnltT3Zkc3VYcStzQVpoOWIKTTlRYUMxbXpRL09TdGc9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCiIiIgonJycKCiJjZGgudG9tbCIgID0gJycnCnNvY2tldCA9ICd1bml4Oi8vL3J1bi9jb25maWRlbnRpYWwtY29udGFpbmVycy9jZGguc29jaycKY3JlZGVudGlhbHMgPSBbXQoKW2tiY10KbmFtZSA9ICdjY19rYmMnCnVybCA9ICdodHRwOi8vMS4yLjMuNDo4MDgwJwprYnNfY2VydCA9ICIiIgotLS0tLUJFR0lOIENFUlRJRklDQVRFLS0tLS0KTUlJRlREQ0NBdnVnQXdJQkFnSUJBREJHQmdrcWhraUc5dzBCQVFvd09hQVBNQTBHQ1dDR1NBRmxBd1FDQWdVQQpvUnd3R2dZSktvWklodmNOQVFFSU1BMEdDV0NHU0FGbEF3UUNBZ1VBb2dNQ0FUQ2pBd0lCQVRCN01SUXdFZ1lEClZRUUxEQXRGYm1kcGJtVmxjbWx1WnpFTE1Ba0dBMVVFQmhNQ1ZWTXhGREFTQmdOVkJBY01DMU5oYm5SaElFTnMKWVhKaE1Rc3dDUVlEVlFRSURBSkRRVEVmTUIwR0ExVUVDZ3dXUVdSMllXNWpaV1FnVFdsamNtOGdSR1YyYVdObApjekVTTUJBR0ExVUVBd3dKVTBWV0xVMXBiR0Z1TUI0WERUSXpNREV5TkRFM05UZ3lObG9YRFRNd01ERXlOREUzCk5UZ3lObG93ZWpFVU1CSUdBMVVFQ3d3TFJXNW5hVzVsWlhKcGJtY3hDekFKQmdOVkJBWVRBbFZUTVJRd0VnWUQKVlFRSERBdFRZVzUwWVNCRGJHRnlZVEVMTUFrR0ExVUVDQXdDUTBFeEh6QWRCZ05WQkFvTUZrRmtkbUZ1WTJWawpJRTFwWTNKdklFUmxkbWxqWlhNeEVUQVBCZ05WQkFNTUNGTkZWaTFXUTBWTE1IWXdFQVlIS29aSXpqMENBUVlGCks0RUVBQ0lEWWdBRXhtRzFaYnVvQVFLOTNVU1J5WlFjc3lvYmZiYUFFb0tFRUxmL2pLMzljT1ZKdDF0NHM4M1cKWE0zcnFJYlM3cUhVSFF3L0ZHeU92ZGFFVXM1K3d3eHBDV2ZEbm1KTUFRK2N0Z1pxZ0RFS2gxTnFsT3V1S2NLcQoyWUFXRTVjVEg3c0hvNElCRmpDQ0FSSXdFQVlKS3dZQkJBR2NlQUVCQkFNQ0FRQXdGd1lKS3dZQkJBR2NlQUVDCkJBb1dDRTFwYkdGdUxVSXdNQkVHQ2lzR0FRUUJuSGdCQXdFRUF3SUJBekFSQmdvckJnRUVBWng0QVFNQ0JBTUMKQVFBd0VRWUtLd1lCQkFHY2VBRURCQVFEQWdFQU1CRUdDaXNHQVFRQm5IZ0JBd1VFQXdJQkFEQVJCZ29yQmdFRQpBWng0QVFNR0JBTUNBUUF3RVFZS0t3WUJCQUdjZUFFREJ3UURBZ0VBTUJFR0Npc0dBUVFCbkhnQkF3TUVBd0lCCkNEQVJCZ29yQmdFRUFaeDRBUU1JQkFNQ0FYTXdUUVlKS3dZQkJBR2NlQUVFQkVERGhDZWpEVXg2K2RsdmVoVzUKY21tQ1dtVExkcUkxTC8xZEdCRmRpYTFIUDQ2TUM4MmFYWktHWVN1dFNxMzdSQ1lnV2p1ZVQrcUNNQkUxb1hEawpkMUpPTUVZR0NTcUdTSWIzRFFFQkNqQTVvQTh3RFFZSllJWklBV1VEQkFJQ0JRQ2hIREFhQmdrcWhraUc5dzBCCkFRZ3dEUVlKWUlaSUFXVURCQUlDQlFDaUF3SUJNS01EQWdFQkE0SUNBUUFDZ0NhaTl4OERBV3pYLzJJZWxOV20KaXR1RUJTaXE5QzllRG5CRWNrUVlpa0FoUGFzZmFnbm9XRkF0S3UvWldUS0hpK0JNYmhLd3N3QlM4VzBHMXl3aQpjVVdHbHppZ0k0dGR4eGYxWUJKeUNvVFNOc3NTYkttSWg1amVtQmZydklCbzF5RWQrZTU2WkpNZGhOOGUreFdVCmJ2b3ZVQzIvN0RsNzZmekFhQUNMU29yWlV2NVhQSndLWHdFT0hvN0ZJY1JFam9abitmS2pKVG5tZFhjZTBMRDYKOVJIcityK2NleUU3OWdtSzMxYkk5RFlpSm9MNExlR2RYWjNnTU9WRFIxT25Eb3M1bE9CY1YrcXVKNkp1anBnSApkOWczU2E3RHU3cHVzRDlGZGFwOThvY1pzbFJmRmpGaS8vMllkVk00TUticTZJd3BZTkIrMlBDRUtOQzdTZmJPCk5nWllKdVBabk0vd1ZpRVMvY1A3TVpOSjFLVUtCSTl5aDZUbWxTc1paT2NsR0p2ck9zQlppbVRYcEFUamROTXQKY2x1S3dxQVVVellRbVU3YmYyVE1kT1h5QTlpSDV3SXBqMWtXR0UxVnVGQURUS0lMa1RjNkx6THpPV0NvZkx4ZgpvbmhUdFNEdHpJdi91ZWw1NDdHWnFxK3JWUnZtSWllRXVFdkRFVHd1b29rZlY2cXUzRC85S3VTcjl4aXpubUVnCnh5bnVkL2Y1MjVqcHBKTWNEL29mYlF4VVp1R0t2YjNmM3p5K2FMeHFpZG9YN2djYTJYZDlqeVV5NVkvODMrWk4KYno0UFp4ODFVSnpYVkk5QUJFaDgveGlsQVRoMVp4T2VQVEJKak43bGdyMGxYdEtZalYvNDN5eXhnVVlyWE5aUwpvTFNHMmRMQ0s5bWpqcmFQamF1MzRRPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQoiIiIKJycnCgoicG9saWN5LnJlZ28iID0gJycnCnBhY2thZ2UgYWdlbnRfcG9saWN5CgppbXBvcnQgZnV0dXJlLmtleXdvcmRzLmluCmltcG9ydCBmdXR1cmUua2V5d29yZHMuZXZlcnkKCmltcG9ydCBpbnB1dAoKIyBEZWZhdWx0IHZhbHVlcywgcmV0dXJuZWQgYnkgT1BBIHdoZW4gcnVsZXMgY2Fubm90IGJlIGV2YWx1YXRlZCB0byB0cnVlLgpkZWZhdWx0IENvcHlGaWxlUmVxdWVzdCA6PSBmYWxzZQpkZWZhdWx0IENyZWF0ZUNvbnRhaW5lclJlcXVlc3QgOj0gZmFsc2UKZGVmYXVsdCBDcmVhdGVTYW5kYm94UmVxdWVzdCA6PSB0cnVlCmRlZmF1bHQgRGVzdHJveVNhbmRib3hSZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBFeGVjUHJvY2Vzc1JlcXVlc3QgOj0gZmFsc2UKZGVmYXVsdCBHZXRPT01FdmVudFJlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IEd1ZXN0RGV0YWlsc1JlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IE9ubGluZUNQVU1lbVJlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IFB1bGxJbWFnZVJlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IFJlYWRTdHJlYW1SZXF1ZXN0IDo9IGZhbHNlCmRlZmF1bHQgUmVtb3ZlQ29udGFpbmVyUmVxdWVzdCA6PSB0cnVlCmRlZmF1bHQgUmVtb3ZlU3RhbGVWaXJ0aW9mc1NoYXJlTW91bnRzUmVxdWVzdCA6PSB0cnVlCmRlZmF1bHQgU2lnbmFsUHJvY2Vzc1JlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IFN0YXJ0Q29udGFpbmVyUmVxdWVzdCA6PSB0cnVlCmRlZmF1bHQgU3RhdHNDb250YWluZXJSZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBUdHlXaW5SZXNpemVSZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBVcGRhdGVFcGhlbWVyYWxNb3VudHNSZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBVcGRhdGVJbnRlcmZhY2VSZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBVcGRhdGVSb3V0ZXNSZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBXYWl0UHJvY2Vzc1JlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IFdyaXRlU3RyZWFtUmVxdWVzdCA6PSBmYWxzZQonJyc="
 
 // Test server to simulate the metadata service