Clean up internal deprecated interface uses

Packages and tests should not use deprecated fields and functions, so
fix up some newly deprecated items.

The check.proto line wrap is an internal lint change.

kds/kds.go

@@ -539,6 +539,14 @@ type VCEKCert struct {
 	TCB         uint64
 }
 
+// VCEKCertProduct returns a VCEKCert with the product line set to productLine.
+func VCEKCertProduct(productLine string) VCEKCert {
+	return VCEKCert{
+		Product:     productLine, // TODO(Issue#114): Remove
+		ProductLine: productLine,
+	}
+}
+
 // VLEKCert represents the attestation report components represented in a KDS VLEK certificate
 // request URL.
 type VLEKCert struct {
@@ -787,23 +795,23 @@ func ProductName(product *pb.SevProduct) string {
 //
 // Deprecated: Use ParseProductLine
 func ParseProduct(productLine string) (pb.SevProduct_SevProductName, error) {
-	switch productLine {
-	case "Milan":
-		return pb.SevProduct_SEV_PRODUCT_MILAN, nil
-	case "Genoa":
-		return pb.SevProduct_SEV_PRODUCT_GENOA, nil
-	default:
-		return pb.SevProduct_SEV_PRODUCT_UNKNOWN, fmt.Errorf("unknown AMD SEV product: %q", productLine)
+	p, err := ParseProductLine(productLine)
+	if err != nil {
+		return pb.SevProduct_SEV_PRODUCT_UNKNOWN, nil
 	}
+	return p.Name, nil
 }
 
 // ParseProductLine returns the SevProductName for a product name without the stepping suffix.
 func ParseProductLine(productLine string) (*pb.SevProduct, error) {
-	name, err := ParseProduct(productLine)
-	if err != nil {
-		return nil, err
+	switch productLine {
+	case "Milan":
+		return &pb.SevProduct{Name: pb.SevProduct_SEV_PRODUCT_MILAN}, nil
+	case "Genoa":
+		return &pb.SevProduct{Name: pb.SevProduct_SEV_PRODUCT_GENOA}, nil
+	default:
+		return nil, fmt.Errorf("unknown AMD SEV product: %q", productLine)
 	}
-	return &pb.SevProduct{Name: name}, nil
 }
 
 // ParseProductName returns the KDS project input value, and the model, stepping numbers represented

kds/kds_test.go

@@ -140,7 +140,12 @@ func TestParseVCEKCertURL(t *testing.T) {
 		{
 			name: "happy path",
 			url:  VCEKCertURL("Milan", hwid, TCBVersion(0)),
-			want: VCEKCert{Product: "Milan", ProductLine: "Milan", HWID: hwid, TCB: 0},
+			want: func() VCEKCert {
+				c := VCEKCertProduct("Milan")
+				c.HWID = hwid
+				c.TCB = 0
+				return c
+			}(),
 		},
 		{
 			name:    "bad query format",

proto/check.proto

@@ -58,7 +58,8 @@ message Policy {
 // RootOfTrust represents configuration for which hardware root of trust
 // certificates to use for verifying attestation report signatures.
 message RootOfTrust {
-  // The expected AMD product the attestation was collected from. Default "Milan".
+  // The expected AMD product the attestation was collected from. Default
+  // "Milan".
   string product = 1 [deprecated = true];
 
   // Paths to CA bundles for the AMD product.

verify/verify.go

@@ -501,12 +501,10 @@ func decodeCerts(chain *spb.CertificateChain, key abi.ReportSigner, options *Opt
 		return nil, nil, err
 	}
 	if len(roots) == 0 {
-		root := &trust.AMDRootCerts{
-			Product: productLine,
-			// Require that the root matches embedded root certs.
-			AskSev: trust.DefaultRootCerts[productLine].AskSev,
-			ArkSev: trust.DefaultRootCerts[productLine].ArkSev,
-		}
+		root := trust.AMDRootCertsProduct(productLine)
+		// Require that the root matches embedded root certs.
+		root.AskSev = trust.DefaultRootCerts[productLine].AskSev
+		root.ArkSev = trust.DefaultRootCerts[productLine].ArkSev
 		if err := root.Decode(chain.GetAskCert(), chain.GetArkCert()); err != nil {
 			return nil, nil, err
 		}

verify/verify_test.go

@@ -79,14 +79,12 @@ func TestEmbeddedCertsAppendixB3Expectations(t *testing.T) {
 func TestFakeCertsKDSExpectations(t *testing.T) {
 	signMu.Do(initSigner)
 	trust.ClearProductCertCache()
-	root := &trust.AMDRootCerts{
-		Product: test.GetProductLine(),
-		ProductCerts: &trust.ProductCerts{
-			Ark: signer.Ark,
-			Ask: signer.Ask,
-		},
-		// No ArkSev or AskSev intentionally for test certs.
+	root := trust.AMDRootCertsProduct(test.GetProductLine())
+	root.ProductCerts = &trust.ProductCerts{
+		Ark: signer.Ark,
+		Ask: signer.Ask,
 	}
+	// No ArkSev or AskSev intentionally for test certs.
 	if err := validateArkX509(root); err != nil {
 		t.Errorf("fake ARK validation error: %v", err)
 	}
@@ -306,13 +304,14 @@ func TestKdsMetadataLogic(t *testing.T) {
 		// won't get tested.
 		options := &Options{
 			TrustedRoots: map[string][]*trust.AMDRootCerts{
-				test.GetProductLine(): {&trust.AMDRootCerts{
-					Product: test.GetProductLine(),
-					ProductCerts: &trust.ProductCerts{
+				test.GetProductLine(): {func() *trust.AMDRootCerts {
+					r := trust.AMDRootCertsProduct(test.GetProductLine())
+					r.ProductCerts = &trust.ProductCerts{
 						Ark: newSigner.Ark,
 						Ask: newSigner.Ask,
-					},
-				}},
+					}
+					return r
+				}()},
 			},
 			Now:     time.Date(1, time.January, 5, 0, 0, 0, 0, time.UTC),
 			Product: abi.DefaultSevProduct(),
@@ -374,12 +373,10 @@ func TestCRLRootValidity(t *testing.T) {
 		},
 		Number: big.NewInt(1),
 	}
-	root := &trust.AMDRootCerts{
-		Product: test.GetProductLine(),
-		ProductCerts: &trust.ProductCerts{
-			Ark: signer.Ark,
-			Ask: signer.Ask,
-		},
+	root := trust.AMDRootCertsProduct(test.GetProductLine())
+	root.ProductCerts = &trust.ProductCerts{
+		Ark: signer.Ark,
+		Ask: signer.Ask,
 	}
 
 	// Now try signing a CRL with a different root that certifies Vcek with a different serial number.
@@ -398,12 +395,10 @@ func TestCRLRootValidity(t *testing.T) {
 	}
 
 	// Finally try checking a VCEK that's signed by a revoked ASK.
-	root2 := &trust.AMDRootCerts{
-		Product: test.GetProductLine(),
-		ProductCerts: &trust.ProductCerts{
-			Ark: signer2.Ark,
-			Ask: signer2.Ask,
-		},
+	root2 := trust.AMDRootCertsProduct(test.GetProductLine())
+	root2.ProductCerts = &trust.ProductCerts{
+		Ark: signer2.Ark,
+		Ask: signer2.Ask,
 	}
 	wantErr2 := "ASK was revoked at 2022-06-14 12:01:00 +0000 UTC"
 	if err := VcekNotRevoked(root2, signer2.Vcek, &Options{Getter: g2}); !test.Match(err, wantErr2) {