ibmse: add debug_assertions for debug and release branch

Signed-off-by: Qi Feng Huo <[email protected]>
confidential-containers · Jun 14, 2024 · e15b047 · e15b047
1 parent fb96ea1
commit e15b047
Showing 1 changed file with 17 additions and 10 deletions.
diff --git a/attestation-service/verifier/src/se/ibmse.rs b/attestation-service/verifier/src/se/ibmse.rs
@@ -38,8 +38,6 @@ const DEFAULT_SE_MEASUREMENT_ENCR_KEY_PRIVATE: &str =
 const DEFAULT_SE_MEASUREMENT_ENCR_KEY_PUBLIC: &str =
     "/run/confidential-containers/ibmse/rsa/encrypt_key.pub";
 
-const DEFAULT_SE_SKIP_CERTS_VERIFICATION: &str = "false";
-
 macro_rules! env_or_default {
     ($env:literal, $default:ident) => {
         match env::var($env) {
@@ -255,11 +253,6 @@ impl SeVerifierImpl {
             DEFAULT_SE_HOST_KEY_DOCUMENTS_ROOT
         );
         let hkds = list_files_in_folder(&hkds_root)?;
-        let skip_certs_env = env_or_default!(
-            "SE_SKIP_CERTS_VERIFICATION",
-            DEFAULT_SE_SKIP_CERTS_VERIFICATION
-        );
-        let skip_certs: bool = skip_certs_env.parse::<bool>().unwrap_or(false);
         for hkd in &hkds {
             let hk = std::fs::read(hkd).context("read host-key document")?;
             let certs = read_certs(&hk)?;
@@ -272,9 +265,23 @@ impl SeVerifierImpl {
             let c = certs
                 .first()
                 .ok_or(anyhow!("File does not contain a X509 certificate"))?;
-            if skip_certs {
-                warn!("SE_SKIP_CERTS_VERIFICATION set '{skip_certs}' never use it in production!")
-            } else {
+            #[cfg(debug_assertions)]
+            {
+                const DEFAULT_SE_SKIP_CERTS_VERIFICATION: &str = "false";
+                let skip_certs_env = env_or_default!(
+                    "SE_SKIP_CERTS_VERIFICATION",
+                    DEFAULT_SE_SKIP_CERTS_VERIFICATION
+                );
+                let skip_certs: bool = skip_certs_env.parse::<bool>().unwrap_or(false);
+                if skip_certs {
+                    warn!("SE_SKIP_CERTS_VERIFICATION set '{skip_certs}' never use it in production!")
+                } else {
+                    let verifier = CertVerifier::new(ca_certs.as_slice(), crls.as_slice(), Some(root_ca_path.clone()), false)?;
+                    verifier.verify(c)?;
+                }
+            }
+            #[cfg(not(debug_assertions))]
+            {
                 let verifier = CertVerifier::new(ca_certs.as_slice(), crls.as_slice(), Some(root_ca_path.clone()), false)?;
                 verifier.verify(c)?;
             }