From 93a13aa85238989cd7cd80d47bf66094ca81f764 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20Wei=C3=9Fe?=
Date: Mon, 2 Sep 2024 16:36:50 +0200
Subject: [PATCH] Dont sign quotes including added OE header
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Daniel Weiße
---
 coordinator/clientapi/clientapi.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/coordinator/clientapi/clientapi.go b/coordinator/clientapi/clientapi.go
index 05c2d6ea..9689f5d1 100644
--- a/coordinator/clientapi/clientapi.go
+++ b/coordinator/clientapi/clientapi.go
@@ -785,12 +785,13 @@ func (a *ClientAPI) verifyAndSignQuote(
 ) (signature []byte, tcbStatus string, err error) {
 // Add OE quote header if it is not present
 // e.g. we are dealing with a raw SGX quote generated by Gramine or Occlum
+ oeQuote := quote
 if util.IsRawSGXQuote(quote) {
- quote = util.AddOEQuoteHeader(quote)
+ oeQuote = util.AddOEQuoteHeader(quote)
 }

 // Verify the quote
- report, err := verify(quote)
+ report, err := verify(oeQuote)
 if err != nil && !errors.Is(err, attestation.ErrTCBLevelInvalid) {
 return nil, "", &QuoteVerifyError{err}
 }
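Review bot: The new `oeQuote` variable in verifyAndSignQuote has no comment explaining why two copies of the quote now live in the same scope. The signing code that must keep using `quote` starts below the end of this hunk, so the invariant is not visible where it is established. I would add above the assignment `// oeQuote is used only for verify(); the signature must cover the caller-supplied quote bytes unchanged, without the added OE header.` The diffstat lists only clientapi.go, so no test appears to pin this. A test that passes a raw SGX quote and checks the returned signature against the unmodified input would catch a regression to signing the header-prefixed bytes.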