fix: enable clearing the sgx_mrsigner and sgx_mrenclave field

Add the ability to clear the `sgx_mrsigner` and `sgx_mrenclave` field. Otherwise we cannot switch from `sgx_mrenclave` to `sgx_mrsigner` based authentication. Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
2025-07-21 07:43:57 +02:00 · 2024-02-27 11:55:56 +01:00 · 2024-02-27 11:55:56 +01:00 · 94c86df4d5
commit 94c86df4d5
parent 0f9a672c99
1 changed files with 12 additions and 8 deletions
--- a/path_tees.go
+++ b/path_tees.go
@ -249,19 +249,23 @@ func (b *backend) pathTeeWrite(ctx context.Context, req *logical.Request, d *fra
 }
 func handleSGXConfig(d *framework.FieldData, tee *TeeEntry) (*logical.Response, error) {
-	if sgxMrsignerRaw, ok := d.GetOk("sgx_mrsigner"); ok && sgxMrsignerRaw.(string) != "" {
+	if sgxMrsignerRaw, ok := d.GetOk("sgx_mrsigner"); ok {
 		tee.SgxMrsigner = strings.ToLower(sgxMrsignerRaw.(string))
-		b, err := hex.DecodeString(tee.SgxMrsigner)
+		if tee.SgxMrsigner != "" {
-		if err != nil || len(b) != 32 {
+			b, err := hex.DecodeString(tee.SgxMrsigner)
-			return logical.ErrorResponse("`sgx_mrsigner` must be 32 byte hex encoded"), nil
+			if err != nil || len(b) != 32 {
 				return logical.ErrorResponse("`sgx_mrsigner` must be 32 byte hex encoded"), nil
 			}
 		}
 	}
-	if sgxMrenclaveRaw, ok := d.GetOk("sgx_mrenclave"); ok && sgxMrenclaveRaw.(string) != "" {
+	if sgxMrenclaveRaw, ok := d.GetOk("sgx_mrenclave"); ok {
 		tee.SgxMrenclave = strings.ToLower(sgxMrenclaveRaw.(string))
-		b, err := hex.DecodeString(tee.SgxMrenclave)
+		if tee.SgxMrenclave != "" {
-		if err != nil || len(b) != 32 {
+			b, err := hex.DecodeString(tee.SgxMrenclave)
-			return logical.ErrorResponse("`sgx_mrenclave` must be 32 byte hex encoded"), nil
+			if err != nil || len(b) != 32 {
 				return logical.ErrorResponse("`sgx_mrenclave` must be 32 byte hex encoded"), nil
 			}
 		}
 	}