Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Accomodate pathLen when checking certificate #2853

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Accomodate pathLen when checking certificate #2853

wants to merge 1 commit into from
+16 −10

Conversation

steven-bellock
Copy link
Contributor

Fix #2831.

Signed-off-by: Steven Bellock [email protected]

@steven-bellock steven-bellock added the bug Something isn't working label Sep 30, 2024
@steven-bellock steven-bellock marked this pull request as ready for review September 30, 2024 19:02
@steven-bellock
Copy link
Contributor Author

@rw8896 as well.

@jyao1
Copy link
Member

jyao1 commented Oct 1, 2024

Question: How the logic is tested?

jyao1
jyao1 reviewed Oct 1, 2024
View reviewed changes
library/spdm_crypt_lib/libspdm_crypt_cert.c Outdated
/* basic_constraints from certificate. */
uint8_t cert_basic_constraints[LIBSPDM_MAX_BASIC_CONSTRAINTS_CA_LEN];
/* basic_constraints from certificate. Add space for pathLen. */
uint8_t cert_basic_constraints[LIBSPDM_MAX_BASIC_CONSTRAINTS_CA_LEN + 10];
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How 10 is calculated? Is that enough?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Both mbedtls and openssl seem to provide APIs to check if CA is true.
https://docs.openssl.org/3.0/man3/X509_check_ca/#copyright
https://github.com/Mbed-TLS/mbedtls/blob/development/include/mbedtls/x509_crt.h#L920

Maybe we could invent another libspdm_x509 API to return if CA is true instead of parsing the basic constraints raw bytes?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How 10 is calculated? Is that enough?

It's probably more than enough, but let me check what the largest ASN.1 DER integer size is. I'll make a macro for it too.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Both mbedtls and openssl seem to provide APIs to check if CA is true. https://docs.openssl.org/3.0/man3/X509_check_ca/#copyright https://github.com/Mbed-TLS/mbedtls/blob/development/include/mbedtls/x509_crt.h#L920

Maybe we could invent another libspdm_x509 API to return if CA is true instead of parsing the basic constraints raw bytes?

The benefit of having the logic in libspdm/library is that the Integrator doesn't need to provide new functions / functionality as the SPDM specification adds or removes certificate fields. But yes, maybe for libspdm 4.0 we could have a basic certificate parsing interface where the Integrator / cryptography library handles most of the logic, but then also have a catch-all interface where the Integrator provides the raw ASN.1 DER to libspdm.

@steven-bellock
Copy link
Contributor Author

Question: How the logic is tested?

Assuming LIBSPDM_CERT_PARSE_SUPPORT is enabled then

libspdm/unit_test/test_spdm_responder/set_certificate_rsp.c

Lines 543 to 547 in 525ba87

/**
* Test 7: receives a valid SET_CERTIFICATE request message from Requester to set cert in slot_id:0 with alias_cert model
* Expected Behavior: produces a valid SET_CERTIFICATE_RSP response message
**/
void libspdm_test_responder_set_cetificate_rsp_case7(void **state)
will exercise the logic, as shown in https://dmtf.github.io/libspdm/coverage_log/library/spdm_crypt_lib/libspdm_crypt_cert.c.gcov.html#853.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jyao1 jyao1 jyao1 left review comments

@rw8896 rw8896 rw8896 left review comments

Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Set Cert: should not check BasicConstraint CA: True with hardcoded value
3 participants
@steven-bellock @jyao1 @rw8896