skip cert chain verification for now on key route (#119)

* skip cert chain verification for now on key route * make root cert not optional
capeprivacy · Feb 17, 2023 · 301de1a · 301de1a
1 parent 2026513
commit 301de1a
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 5 deletions.
diff --git a/pycape/_attestation.py b/pycape/_attestation.py
@@ -46,7 +46,10 @@ def parse_attestation(attestation, root_cert):
     logger.debug("* Attestation document parsed.")
 
     verify_attestation_signature(attestation, doc_cert)
-    verify_cert_chain(root_cert, cabundle, doc_cert)
+
+    if root_cert is not None:
+        verify_cert_chain(root_cert, cabundle, doc_cert)
+
     return doc
 
 

diff --git a/pycape/cape.py b/pycape/cape.py
@@ -565,10 +565,7 @@ async def _request_key_with_username(
                 f"Bad response from '/v1/user/{username}/key' route, expected "
                 f"attestation_document key-value: {response}."
             )
-        root_cert = self._root_cert or attest.download_root_cert()
-        attestation_doc = attest.parse_attestation(
-            base64.b64decode(adoc_blob), root_cert
-        )
+        attestation_doc = attest.parse_attestation(base64.b64decode(adoc_blob), None)
         if pcrs is not None:
             attest.verify_pcrs(pcrs, attestation_doc)