From 4b8582fb4f7786f76277f7ade57ac79801d88700 Mon Sep 17 00:00:00 2001 From: Jilks Smith Date: Tue, 9 Jul 2024 08:13:31 +0300 Subject: [PATCH 1/7] Enable mTLS when using aTLS --- go.mod | 13 ++++ internal/server/grpc/grpc.go | 114 ++++++++++++++++++++++------------- pkg/clients/grpc/connect.go | 93 ++++++++++++++++++++-------- 3 files changed, 153 insertions(+), 67 deletions(-)
diff --git a/go.mod b/go.mod
index d3644d10..4a6c89f0 100644
--- a/go.mod
+++ b/go.mod
@@ -21,6 +21,15 @@ require (
 golang.org/x/sync v0.7.0
 google.golang.org/grpc v1.65.0
 google.golang.org/protobuf v1.34.2
+ github.com/stretchr/testify v1.8.4
+ go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.46.1
+ go.opentelemetry.io/otel v1.21.0
+ go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.21.0
+ go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.21.0
+ go.opentelemetry.io/otel/sdk v1.21.0
+ go.opentelemetry.io/otel/trace v1.21.0
+ golang.org/x/sync v0.6.0
+ google.golang.org/grpc v1.60.1
 )
 
 require (
@@ -49,6 +58,7 @@ require (
 github.com/beorn7/perks v1.0.1 // indirect
 github.com/cespare/xxhash/v2 v2.3.0 // indirect
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+ github.com/cespare/xxhash/v2 v2.2.0 // indirect
 github.com/docker/docker v27.1.0+incompatible
 github.com/go-kit/log v0.2.1 // indirect
 github.com/go-logfmt/logfmt v0.6.0 // indirect
@@ -71,6 +81,8 @@ require (
 github.com/stretchr/objx v0.5.2 // indirect
 go.opentelemetry.io/otel/metric v1.28.0 // indirect
 go.opentelemetry.io/proto/otlp v1.3.1 // indirect
+ github.com/stretchr/objx v0.5.1 // indirect
+ go.opentelemetry.io/otel/metric v1.21.0 // indirect
 go.uber.org/multierr v1.11.0 // indirect
 golang.org/x/net v0.27.0 // indirect
 golang.org/x/sys v0.22.0 // indirect
@@ -79,6 +91,7 @@ require (
 google.golang.org/genproto/googleapis/api v0.0.0-20240701130421-f6361c86f094 // indirect
 google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 // indirect
 gopkg.in/yaml.v3 v3.0.1 // indirect
+ golang.org/x/net v0.20.0 // indirect
 )
 
 replace github.com/virtee/sev-snp-measure-go => github.com/sammyoina/sev-snp-measure-go v0.0.0-20240918192515-70b6b9542aa5
diff --git a/internal/server/grpc/grpc.go b/internal/server/grpc/grpc.go
index 4f9df0f3..533299eb 100644
--- a/internal/server/grpc/grpc.go
+++ b/internal/server/grpc/grpc.go
@@ -92,8 +92,8 @@ func (s *Server) Start() error {
 creds := grpc.Creds(insecure.NewCredentials())
 switch {
- case s.Config.AttestedTLS:
- certificateBytes, privateKeyBytes, err := generateCertificatesForATLS(s.quoteProvider)
+ case s.Config.AttestedTLS && s.Config.CertFile != "" && s.Config.KeyFile != "":
+ certificateBytes, privateKeyBytes, err := generateCertificatesForATLS(s.agent)
 if err != nil {
 return fmt.Errorf("failed to create certificate: %w", err)
 }
@@ -103,60 +103,40 @@ func (s *Server) Start() error {
 return fmt.Errorf("falied due to invalid key pair: %w", err)
 }
 
- tlsConfig := &tls.Config{
- ClientAuth: tls.NoClientCert,
- Certificates: []tls.Certificate{certificate},
+ tlsConfig, err := s.setupTLSConfig()
+ if err != nil {
+ return err
 }
+ tlsConfig.Certificates = append(tlsConfig.Certificates, certificate)
 creds = grpc.Creds(credentials.NewTLS(tlsConfig))
 s.Logger.Info(fmt.Sprintf("%s service gRPC server listening at %s with Attested TLS", s.Name, s.Address))
- case s.Config.CertFile != "" || s.Config.KeyFile != "":
- certificate, err := loadX509KeyPair(s.Config.CertFile, s.Config.KeyFile)
+
+ case s.Config.AttestedTLS:
+ certificateBytes, privateKeyBytes, err := generateCertificatesForATLS(s.quoteProvider)
 if err != nil {
- return fmt.Errorf("failed to load auth certificates: %w", err)
- }
- tlsConfig := &tls.Config{
- ClientAuth: tls.RequireAndVerifyClientCert,
- Certificates: []tls.Certificate{certificate},
+ return fmt.Errorf("failed to create certificate: %w", err)
 }
- var mtlsCA string
- // Loading Server CA file
- rootCA, err := loadCertFile(s.Config.ServerCAFile)
+ certificate, err := tls.X509KeyPair(certificateBytes, privateKeyBytes)
 if err != nil {
- return fmt.Errorf("failed to load root ca file: %w", err)
+ return fmt.Errorf("falied due to invalid key pair: %w", err)
 }
- if len(rootCA) > 0 {
- if tlsConfig.RootCAs == nil {
- tlsConfig.RootCAs = x509.NewCertPool()
- }
- if !tlsConfig.RootCAs.AppendCertsFromPEM(rootCA) {
- return fmt.Errorf("failed to append root ca to tls.Config")
- }
- mtlsCA = fmt.Sprintf("root ca %s", s.Config.ServerCAFile)
+
+ tlsConfig := &tls.Config{
+ ClientAuth: tls.NoClientCert,
+ Certificates: []tls.Certificate{certificate},
 }
- // Loading Client CA File
- clientCA, err := loadCertFile(s.Config.ClientCAFile)
+ creds = grpc.Creds(credentials.NewTLS(tlsConfig))
+ s.Logger.Info(fmt.Sprintf("%s service gRPC server listening at %s with Attested TLS", s.Name, s.Address))
+ case s.Config.CertFile != "" && s.Config.KeyFile != "":
+ tlsConfig, err := s.setupTLSConfig()
 if err != nil {
- return fmt.Errorf("failed to load client ca file: %w", err)
- }
- if len(clientCA) > 0 {
- if tlsConfig.ClientCAs == nil {
- tlsConfig.ClientCAs = x509.NewCertPool()
- }
- if !tlsConfig.ClientCAs.AppendCertsFromPEM(clientCA) {
- return fmt.Errorf("failed to append client ca to tls.Config")
- }
- mtlsCA = fmt.Sprintf("%s client ca %s", mtlsCA, s.Config.ClientCAFile)
+ return err
 }
 creds = grpc.Creds(credentials.NewTLS(tlsConfig))
- switch {
- case mtlsCA != "":
- s.Logger.Info(fmt.Sprintf("%s service gRPC server listening at %s with TLS/mTLS cert %s , key %s and %s", s.Name, s.Address, s.Config.CertFile, s.Config.KeyFile, mtlsCA))
- default:
- s.Logger.Info(fmt.Sprintf("%s service gRPC server listening at %s with TLS cert %s and key %s", s.Name, s.Address, s.Config.CertFile, s.Config.KeyFile))
- }
+
 default:
 s.Logger.Info(fmt.Sprintf("%s service gRPC server listening at %s without TLS", s.Name, s.Address))
 }
@@ -292,3 +272,53 @@ func generateCertificatesForATLS(qp client.QuoteProvider) ([]byte, []byte, error
 return certBytes, keyBytes, nil
 }
+
+func (s *Server) setupTLSConfig() (*tls.Config, error) {
+ certificate, err := loadX509KeyPair(s.Config.CertFile, s.Config.KeyFile)
+ if err != nil {
+ return &tls.Config{}, fmt.Errorf("failed to load auth certificates: %w", err)
+ }
+ tlsConfig := &tls.Config{
+ ClientAuth: tls.RequireAndVerifyClientCert,
+ Certificates: []tls.Certificate{certificate},
+ }
+
+ var mtlsCA string
+ // Loading Server CA file
+ rootCA, err := loadCertFile(s.Config.ServerCAFile)
+ if err != nil {
+ return &tls.Config{}, fmt.Errorf("failed to load root ca file: %w", err)
+ }
+ if len(rootCA) > 0 {
+ if tlsConfig.RootCAs == nil {
+ tlsConfig.RootCAs = x509.NewCertPool()
+ }
+ if !tlsConfig.RootCAs.AppendCertsFromPEM(rootCA) {
+ return &tls.Config{}, fmt.Errorf("failed to append root ca to tls.Config")
+ }
+ mtlsCA = fmt.Sprintf("root ca %s", s.Config.ServerCAFile)
+ }
+
+ // Loading Client CA File
+ clientCA, err := loadCertFile(s.Config.ClientCAFile)
+ if err != nil {
+ return &tls.Config{}, fmt.Errorf("failed to load client ca file: %w", err)
+ }
+ if len(clientCA) > 0 {
+ if tlsConfig.ClientCAs == nil {
+ tlsConfig.ClientCAs = x509.NewCertPool()
+ }
+ if !tlsConfig.ClientCAs.AppendCertsFromPEM(clientCA) {
+ return &tls.Config{}, fmt.Errorf("failed to append client ca to tls.Config")
+ }
+ mtlsCA = fmt.Sprintf("%s client ca %s", mtlsCA, s.Config.ClientCAFile)
+ }
+ switch {
+ case mtlsCA != "":
+ s.Logger.Info(fmt.Sprintf("%s service gRPC server listening at %s with TLS/mTLS cert %s , key %s and %s", s.Name, s.Address, s.Config.CertFile, s.Config.KeyFile, mtlsCA))
+ default:
+ s.Logger.Info(fmt.Sprintf("%s service gRPC server listening at %s with TLS cert %s and key %s", s.Name, s.Address, s.Config.CertFile, s.Config.KeyFile))
+ }
+
+ return tlsConfig, nil
+}
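Review bot: `ClientAuth: tls.RequireAndVerifyClientCert` is set unconditionally at the top of setupTLSConfig, but `tlsConfig.ClientCAs` is only populated when `ClientCAFile` yields data; with a nil ClientCAs pool Go verifies client certificates against the system root store, so a deployment that supplies only a server cert/key (or only `ServerCAFile`) admits any client holding a publicly trusted certificate while still rejecting clients that present none. This is carried over from the inline code the hunk removes, but the helper is the place to fix it: start from `ClientAuth: tls.NoClientCert` and set `tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert` inside the `len(clientCA) > 0` block. Note also that `RootCAs` on a server-side config is not consulted during the server handshake (it only matters if the same config is used to dial), so the `ServerCAFile` block here does not change which clients are accepted, and the error paths should return `nil` rather than a throwaway `&tls.Config{}`.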
diff --git a/pkg/clients/grpc/connect.go b/pkg/clients/grpc/connect.go
index c3407cdc..40f4ac16 100644
--- a/pkg/clients/grpc/connect.go
+++ b/pkg/clients/grpc/connect.go
@@ -32,6 +32,8 @@ const (
 withoutTLS security = iota
 withTLS
 withmTLS
+ withaTLS
+ withmaTLS
 )
 
 const (
@@ -122,6 +124,10 @@ func (c *client) Secure() string {
 return "with TLS"
 case withmTLS:
 return "with mTLS"
+ case withmaTLS:
+ return "with maTLS"
+ case withaTLS:
+ return "with mTLS"
 case withoutTLS:
 fallthrough
 default:
@@ -141,7 +147,8 @@ func connect(cfg Config) (*grpc.ClientConn, security, error) {
 secure := withoutTLS
 tc := insecure.NewCredentials()
- if cfg.AttestedTLS {
+ switch {
+ case cfg.AttestedTLS && cfg.ServerCAFile != "":
 err := ReadManifest(cfg.Manifest, &attestationConfiguration)
 if err != nil {
 return nil, secure, fmt.Errorf("failed to read Manifest %w", err)
 }
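Review bot: The new `case withaTLS:` in Secure() returns `"with mTLS"`, so an attested-only connection (no CA file, no client certificate) is reported with the same label as mutual TLS; it should be `return "with aTLS"`. This string is what an operator reads to confirm whether client authentication was actually negotiated, so the mislabel hides a weaker mode behind a stronger name.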
@@ -151,37 +158,73 @@ func connect(cfg Config) (*grpc.ClientConn, security, error) {
 InsecureSkipVerify: true,
 VerifyPeerCertificate: verifyAttestationReportTLS,
 }
- tc = credentials.NewTLS(tlsConfig)
- } else {
- if cfg.ServerCAFile != "" {
- tlsConfig := &tls.Config{}
- // Loading root ca certificates file
- rootCA, err := os.ReadFile(cfg.ServerCAFile)
- if err != nil {
- return nil, secure, fmt.Errorf("failed to load root ca file: %w", err)
+ // Loading root ca certificates file
+ rootCA, err := os.ReadFile(cfg.ServerCAFile)
+ if err != nil {
+ return nil, secure, fmt.Errorf("failed to load root ca file: %w", err)
+ }
+ if len(rootCA) > 0 {
+ capool := x509.NewCertPool()
+ if !capool.AppendCertsFromPEM(rootCA) {
+ return nil, secure, fmt.Errorf("failed to append root ca to tls.Config")
 }
- if len(rootCA) > 0 {
- capool := x509.NewCertPool()
- if !capool.AppendCertsFromPEM(rootCA) {
- return nil, secure, fmt.Errorf("failed to append root ca to tls.Config")
- }
- tlsConfig.RootCAs = capool
- secure = withTLS
+ tlsConfig.RootCAs = capool
+ secure = withaTLS
+ }
+
+ // Loading mTLS certificates file
+ if cfg.ClientCert != "" || cfg.ClientKey != "" {
+ certificate, err := tls.LoadX509KeyPair(cfg.ClientCert, cfg.ClientKey)
+ if err != nil {
+ return nil, secure, fmt.Errorf("failed to client certificate and key %w", err)
 }
+ tlsConfig.Certificates = []tls.Certificate{certificate}
+ secure = withmaTLS
+ }
+
+ tc = credentials.NewTLS(tlsConfig)
+
+ case cfg.AttestedTLS:
+ err := ReadManifest(cfg.Manifest, &attestationConfiguration)
+ if err != nil {
+ return nil, secure, fmt.Errorf("failed to read Manifest %w", err)
+ }
+
+ tlsConfig := &tls.Config{
+ InsecureSkipVerify: true,
+ VerifyPeerCertificate: verifyAttestationReportTLS,
+ }
+ tc = credentials.NewTLS(tlsConfig)
+
+ case cfg.ServerCAFile != "":
+ tlsConfig := &tls.Config{}
- // Loading mTLS certificates file
- if cfg.ClientCert != "" || cfg.ClientKey != "" {
- certificate, err := tls.LoadX509KeyPair(cfg.ClientCert, cfg.ClientKey)
- if err != nil {
- return nil, secure, fmt.Errorf("failed to client certificate and key %w", err)
- }
- tlsConfig.Certificates = []tls.Certificate{certificate}
- secure = withmTLS
+ // Loading root ca certificates file
+ rootCA, err := os.ReadFile(cfg.ServerCAFile)
+ if err != nil {
+ return nil, secure, fmt.Errorf("failed to load root ca file: %w", err)
+ }
+ if len(rootCA) > 0 {
+ capool := x509.NewCertPool()
+ if !capool.AppendCertsFromPEM(rootCA) {
+ return nil, secure, fmt.Errorf("failed to append root ca to tls.Config")
 }
+ tlsConfig.RootCAs = capool
+ secure = withTLS
+ }
- tc = credentials.NewTLS(tlsConfig)
+ // Loading mTLS certificates file
+ if cfg.ClientCert != "" && cfg.ClientKey != "" {
+ certificate, err := tls.LoadX509KeyPair(cfg.ClientCert, cfg.ClientKey)
+ if err != nil {
+ return nil, secure, fmt.Errorf("failed to load client certificate and key %w", err)
+ }
+ tlsConfig.Certificates = []tls.Certificate{certificate}
+ secure = withmTLS
 }
+ tc = credentials.NewTLS(tlsConfig)
+ default:
 }
 opts = append(opts, grpc.WithTransportCredentials(tc))
From 805fc1bbb36724c0c791a48b176f645ae9db1486 Mon Sep 17 00:00:00 2001 From: Jilks Smith Date: Fri, 12 Jul 2024 00:53:40 +0300 Subject: [PATCH 2/7] Update go mod --- go.mod | 12 ------------ 1 file changed, 12 deletions(-)
diff --git a/go.mod b/go.mod
index 4a6c89f0..8edd74e8 100644
--- a/go.mod
+++ b/go.mod
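Review bot: The new `case cfg.AttestedTLS:` branch builds TLS credentials around `verifyAttestationReportTLS` but never assigns `secure`, so `connect` still returns `withoutTLS` for an attested connection and Secure() reports it as running without TLS, even though the `withaTLS` constant was introduced in this same patch for that mode; add `secure = withaTLS` before `tc = credentials.NewTLS(tlsConfig)` in that branch. In the first branch `InsecureSkipVerify: true` is combined with a populated `RootCAs`; the standard verifier never consults the pool when InsecureSkipVerify is set, so unless `verifyAttestationReportTLS` reads `tlsConfig.RootCAs` itself (not visible here) `ServerCAFile` contributes nothing to verification in that mode. The body of `connect` continues outside the hunk.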
@@ -21,15 +21,6 @@ require (
 golang.org/x/sync v0.7.0
 google.golang.org/grpc v1.65.0
 google.golang.org/protobuf v1.34.2
- github.com/stretchr/testify v1.8.4
- go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.46.1
- go.opentelemetry.io/otel v1.21.0
- go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.21.0
- go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.21.0
- go.opentelemetry.io/otel/sdk v1.21.0
- go.opentelemetry.io/otel/trace v1.21.0
- golang.org/x/sync v0.6.0
- google.golang.org/grpc v1.60.1
 )
 
 require (
@@ -81,8 +72,6 @@ require (
 github.com/stretchr/objx v0.5.2 // indirect
 go.opentelemetry.io/otel/metric v1.28.0 // indirect
 go.opentelemetry.io/proto/otlp v1.3.1 // indirect
- github.com/stretchr/objx v0.5.1 // indirect
- go.opentelemetry.io/otel/metric v1.21.0 // indirect
 go.uber.org/multierr v1.11.0 // indirect
 golang.org/x/net v0.27.0 // indirect
 golang.org/x/sys v0.22.0 // indirect
@@ -91,7 +80,6 @@ require (
 google.golang.org/genproto/googleapis/api v0.0.0-20240701130421-f6361c86f094 // indirect
 google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 // indirect
 gopkg.in/yaml.v3 v3.0.1 // indirect
- golang.org/x/net v0.20.0 // indirect
 )
 
 replace github.com/virtee/sev-snp-measure-go => github.com/sammyoina/sev-snp-measure-go v0.0.0-20240918192515-70b6b9542aa5
From dfb33f29f9e94b25b6e7ab5c07fead3e4ac44c91 Mon Sep 17 00:00:00 2001 From: Jilks Smith Date: Thu, 1 Aug 2024 11:21:14 +0300 Subject: [PATCH 3/7] Remove logging of tls/mtls cert info. --- internal/server/grpc/grpc.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/internal/server/grpc/grpc.go b/internal/server/grpc/grpc.go
index 533299eb..b370d922 100644
--- a/internal/server/grpc/grpc.go
+++ b/internal/server/grpc/grpc.go
@@ -315,9 +315,9 @@ func (s *Server) setupTLSConfig() (*tls.Config, error) {
 }
 switch {
 case mtlsCA != "":
- s.Logger.Info(fmt.Sprintf("%s service gRPC server listening at %s with TLS/mTLS cert %s , key %s and %s", s.Name, s.Address, s.Config.CertFile, s.Config.KeyFile, mtlsCA))
+ s.Logger.Info(fmt.Sprintf("%s service gRPC server listening at %s with TLS/mTLS", s.Name, s.Address))
 default:
- s.Logger.Info(fmt.Sprintf("%s service gRPC server listening at %s with TLS cert %s and key %s", s.Name, s.Address, s.Config.CertFile, s.Config.KeyFile))
+ s.Logger.Info(fmt.Sprintf("%s service gRPC server listening at %s with TLS", s.Name, s.Address))
 }
 
 return tlsConfig, nil
From e707409242056679a3bcf4e73b422a6814779b4e Mon Sep 17 00:00:00 2001 From: Jilks Smith Date: Mon, 26 Aug 2024 22:24:32 +0300 Subject: [PATCH 4/7] Update connect.go and grpc.go --- internal/server/grpc/grpc.go | 35 +++++++++++++++++++++++++++++++++-- pkg/clients/grpc/connect.go | 12 +----------- 2 files changed, 34 insertions(+), 13 deletions(-)
diff --git a/internal/server/grpc/grpc.go b/internal/server/grpc/grpc.go
index b370d922..bf6a4674 100644
--- a/internal/server/grpc/grpc.go
+++ b/internal/server/grpc/grpc.go
@@ -92,7 +92,7 @@ func (s *Server) Start() error {
 creds := grpc.Creds(insecure.NewCredentials())
 switch {
- case s.Config.AttestedTLS && s.Config.CertFile != "" && s.Config.KeyFile != "":
+ case s.Config.AttestedTLS && (s.Config.ClientCAFile != "" || s.Config.ServerCAFile != ""):
 certificateBytes, privateKeyBytes, err := generateCertificatesForATLS(s.agent)
 if err != nil {
 return fmt.Errorf("failed to create certificate: %w", err)
 }
@@ -103,7 +103,38 @@ func (s *Server) Start() error {
 return fmt.Errorf("falied due to invalid key pair: %w", err)
 }
 
- tlsConfig, err := s.setupTLSConfig()
+ tlsConfig := &tls.Config{
+ ClientAuth: tls.RequireAndVerifyClientCert,
+ Certificates: []tls.Certificate{certificate},
+ }
+
+ rootCA, err := loadCertFile(s.Config.ServerCAFile)
+ if err != nil {
+ return fmt.Errorf("failed to load root ca file: %w", err)
+ }
+ if len(rootCA) > 0 {
+ if tlsConfig.RootCAs == nil {
+ tlsConfig.RootCAs = x509.NewCertPool()
+ }
+ if !tlsConfig.RootCAs.AppendCertsFromPEM(rootCA) {
+ return fmt.Errorf("failed to append root ca to tls.Config")
+ }
+ }
+
+ // Loading Client CA File
+ clientCA, err := loadCertFile(s.Config.ClientCAFile)
+ if err != nil {
+ return fmt.Errorf("failed to load client ca file: %w", err)
+ }
+ if len(clientCA) > 0 {
+ if tlsConfig.ClientCAs == nil {
+ tlsConfig.ClientCAs = x509.NewCertPool()
+ }
+ if !tlsConfig.ClientCAs.AppendCertsFromPEM(clientCA) {
+ return fmt.Errorf("failed to append client ca to tls.Config")
+ }
+ }
+
 if err != nil {
 return err
 }
diff --git a/pkg/clients/grpc/connect.go b/pkg/clients/grpc/connect.go
index 40f4ac16..16df5789 100644
--- a/pkg/clients/grpc/connect.go
+++ b/pkg/clients/grpc/connect.go
@@ -155,7 +155,7 @@ func connect(cfg Config) (*grpc.ClientConn, security, error) {
 }
 
 tlsConfig := &tls.Config{
- InsecureSkipVerify: true,
+ InsecureSkipVerify: false,
 VerifyPeerCertificate: verifyAttestationReportTLS,
 }
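Review bot: In the new maTLS branch `ClientAuth: tls.RequireAndVerifyClientCert` is fixed before either CA file is read, while the case condition (`ClientCAFile != "" || ServerCAFile != ""`) admits a configuration with only `ServerCAFile`; in that configuration `tlsConfig.ClientCAs` stays nil and Go verifies client certificates against the system root store, so any client with a publicly trusted certificate is accepted instead of only those issued by the intended private CA. Gate the requirement on a loaded pool: default to `ClientAuth: tls.NoClientCert` and set `tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert` inside the `len(clientCA) > 0` block. `RootCAs` is not consulted by a server during its own handshake, so the `ServerCAFile` block here does not restrict clients either. The context `if err != nil { return err }` that follows the added block is now dead, since every `err` assigned above it has already been checked.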
@@ -170,16 +170,6 @@ func connect(cfg Config) (*grpc.ClientConn, security, error) {
 return nil, secure, fmt.Errorf("failed to append root ca to tls.Config")
 }
 tlsConfig.RootCAs = capool
- secure = withaTLS
- }
-
- // Loading mTLS certificates file
- if cfg.ClientCert != "" || cfg.ClientKey != "" {
- certificate, err := tls.LoadX509KeyPair(cfg.ClientCert, cfg.ClientKey)
- if err != nil {
- return nil, secure, fmt.Errorf("failed to client certificate and key %w", err)
- }
- tlsConfig.Certificates = []tls.Certificate{certificate}
 secure = withmaTLS
 }
From 9d20823cb3045d36860a245968ecb5ce47c0bcb5 Mon Sep 17 00:00:00 2001 From: Jilks Smith Date: Mon, 26 Aug 2024 22:27:46 +0300 Subject: [PATCH 5/7] Update go mod --- go.mod | 1 - 1 file changed, 1 deletion(-)
diff --git a/go.mod b/go.mod
index 8edd74e8..d3644d10 100644
--- a/go.mod
+++ b/go.mod
@@ -49,7 +49,6 @@ require (
 github.com/beorn7/perks v1.0.1 // indirect
 github.com/cespare/xxhash/v2 v2.3.0 // indirect
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
- github.com/cespare/xxhash/v2 v2.2.0 // indirect
 github.com/docker/docker v27.1.0+incompatible
 github.com/go-kit/log v0.2.1 // indirect
 github.com/go-logfmt/logfmt v0.6.0 // indirect
From 1d4547326d6b36d9a206b66523c08cd075d867cd Mon Sep 17 00:00:00 2001 From: Jilks Smith Date: Mon, 26 Aug 2024 22:31:51 +0300 Subject: [PATCH 6/7] Fix grpc.go Signed-off-by: Jilks Smith --- internal/server/grpc/grpc.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/internal/server/grpc/grpc.go b/internal/server/grpc/grpc.go
index bf6a4674..a3ef4ff1 100644
--- a/internal/server/grpc/grpc.go
+++ b/internal/server/grpc/grpc.go
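Review bot: After this hunk the attested-TLS-with-CA branch no longer loads `cfg.ClientCert`/`cfg.ClientKey`, yet it still sets `secure = withmaTLS`, and the server branch added in this same patch requires a client certificate (`tls.RequireAndVerifyClientCert`); a client config with no `Certificates` cannot satisfy that, so the handshake is rejected, and the "maTLS" label no longer describes a mutual connection. Either restore the key pair loading before `secure = withmaTLS` using the `cfg.ClientCert != "" && cfg.ClientKey != ""` form the plain-TLS branch uses, or rename the mode to what it now is. With `InsecureSkipVerify` flipped to false in this patch, the server's generated attested certificate must also chain to `ServerCAFile` or the standard verifier fails before `verifyAttestationReportTLS` runs; that depends on how generateCertificatesForATLS signs the certificate, which is not in this patch and should be confirmed. The body of `connect` continues outside the hunk.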
@@ -93,7 +93,7 @@ func (s *Server) Start() error {
 switch {
 case s.Config.AttestedTLS && (s.Config.ClientCAFile != "" || s.Config.ServerCAFile != ""):
- certificateBytes, privateKeyBytes, err := generateCertificatesForATLS(s.agent)
+ certificateBytes, privateKeyBytes, err := generateCertificatesForATLS(s.quoteProvider)
 if err != nil {
 return fmt.Errorf("failed to create certificate: %w", err)
 }
From e8cd004e184306f8261a09c09425f2c0830ec594 Mon Sep 17 00:00:00 2001 From: Jilks Smith Date: Tue, 3 Sep 2024 12:04:31 +0300 Subject: [PATCH 7/7] Update grpc.go Signed-off-by: Jilks Smith --- internal/server/grpc/grpc.go | 47 ++++++++++++++++++++---------------- 1 file changed, 26 insertions(+), 21 deletions(-)
diff --git a/internal/server/grpc/grpc.go b/internal/server/grpc/grpc.go
index a3ef4ff1..97f1e56c 100644
--- a/internal/server/grpc/grpc.go
+++ b/internal/server/grpc/grpc.go
@@ -18,6 +18,7 @@ import (
 "math/big"
 "net"
 "os"
+ "strings"
 "time"
 
 "github.com/google/go-sev-guest/client"
@@ -207,35 +208,39 @@ func (s *Server) Stop() error {
 }
 
 func loadCertFile(certFile string) ([]byte, error) {
- if certFile != "" {
- return os.ReadFile(certFile)
+ if len(certFile) < 1000 && !strings.Contains(certFile, "\n") {
+ data, err := os.ReadFile(certFile)
+ if err == nil {
+ return data, nil
+ }
 }
- return []byte{}, nil
+ return []byte(certFile), nil
 }
 
-func loadX509KeyPair(certfile, keyfile string) (tls.Certificate, error) {
+func loadX509KeyPair(certFile, keyFile string) (tls.Certificate, error) {
 var cert, key []byte
 var err error
- if _, err = os.Stat(certfile); err == nil {
- cert, err = os.ReadFile(certfile)
- if err != nil {
- return tls.Certificate{}, err
+
+ readFileOrData := func(input string) ([]byte, error) {
+ if len(input) < 1000 && !strings.Contains(input, "\n") {
+ data, err := os.ReadFile(input)
+ if err == nil {
+ return data, nil
+ }
 }
- } else if os.IsNotExist(err) {
- cert = []byte(certfile)
- } else {
- return tls.Certificate{}, err
+ return []byte(input), nil
 }
- if _, err := os.Stat(keyfile); err == nil {
- key, err = os.ReadFile(keyfile)
- if err != nil {
- return tls.Certificate{}, err
- }
- } else if os.IsNotExist(err) {
- key = []byte(keyfile)
- } else {
- return tls.Certificate{}, err
+
+ cert, err = readFileOrData(certFile)
+ if err != nil {
+ return tls.Certificate{}, fmt.Errorf("failed to read cert: %v", err)
+ }
+
+ key, err = readFileOrData(keyFile)
+ if err != nil {
+ return tls.Certificate{}, fmt.Errorf("failed to read key: %v", err)
 }
+
 return tls.X509KeyPair(cert, key)
 }
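Review bot: `loadCertFile` and the `readFileOrData` closure swallow every `os.ReadFile` error and fall back to treating the argument as inline PEM, so a mistyped path or an unreadable file (permission denied) no longer fails with the file error but surfaces later as "failed to append root ca" or an X509KeyPair parse failure; the `os.IsNotExist` distinction the removed code made is worth keeping, and as written `readFileOrData` never returns a non-nil error, so both `if err != nil` branches after it are dead. The `len(input) < 1000 && !strings.Contains(input, "\n")` heuristic is a reasonable way to tell a path from PEM, but only a not-exist result should trigger the inline fallback. A shared helper used by both functions keeps the behaviour in one place:
```go
// readFileOrInline returns the contents of s when s looks like a path and the
// file exists; otherwise s is returned as inline PEM data. Read errors other
// than not-exist (e.g. permission denied) are reported, not swallowed.
func readFileOrInline(s string) ([]byte, error) {
	if len(s) < 1000 && !strings.Contains(s, "\n") {
		data, err := os.ReadFile(s)
		if err == nil {
			return data, nil
		}
		if !os.IsNotExist(err) {
			return nil, err
		}
	}
	return []byte(s), nil
}

func loadCertFile(certFile string) ([]byte, error) {
	if certFile == "" {
		return []byte{}, nil
	}
	return readFileOrInline(certFile)
}

func loadX509KeyPair(certFile, keyFile string) (tls.Certificate, error) {
	cert, err := readFileOrInline(certFile)
	if err != nil {
		return tls.Certificate{}, fmt.Errorf("failed to read cert: %w", err)
	}
	key, err := readFileOrInline(keyFile)
	if err != nil {
		return tls.Certificate{}, fmt.Errorf("failed to read key: %w", err)
	}
	return tls.X509KeyPair(cert, key)
}
```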