Make libspdm_get_certificate_choose_length[_ex]() a public API #2909
Comments
|
The intent is that the entire certificate chain will be retrieved, regardless of the |
|
The length value used by libspdm_get_certificate_choose_length() is the number of bytes to request from the endpoint in the request. The endpoint can still respond with smaller values, and/or portions, which would then be iterated to build the entire certificate chain, it's only the SPDM GET_CERTIFICATE payload "length" that is different. |
|
Okay, then making those public is fine. There's a separate use case where the Requester does not want the whole certificate chain. In particular
But those can be a separate issue. |
|
How does the SPDM requester determine sizeof(RootCert) ? |
|
For authentication the Requester (or Verifier) needs to be pre-provisioned with root certificates so that they can be compared to the root certificate returned from the Responder. However the response may be truncated, as well as the specification allows the Responder to not return the root certificate for some reason. So it's not 100 % guaranteed to work. |
spdm_requester_lib.h currently exports two get_certificate functions:
libspdm_get_certificate() and libspdm_get_certificate_ex()
Neither accept a desired length. There are functions which accept a length parameter, namely:
libspdm_get_certificate_choose_length() and libspdm_get_certificate_choose_length_ex()
however these functions are "internal" and not exported.
I have now found two different SPDM responders which require specific length fields - one is an early SPDM version that requires the use of 0xFFFF to get the entire certificate, and the other which requires GET_CERTIFICATE calls to have a length less than LIBSPDM_MAX_CERT_CHAIN_BLOCK_LEN (1024)
To support these responders, libspdm should move the libspdm_get_certificate_choose_length_ex API functions from
include/internal/libspdm_requester_lib.h
to
include/library/spdm_requester_lib.h
The text was updated successfully, but these errors were encountered: