Skip to content

Commit

Permalink
Fix all cert lint errors
Browse files Browse the repository at this point in the history
1. Truncate SerialNumber to 64 bits
2. Count unused bits in KeyUsage
3. Add SubjectKeyIdentifier extension
4. Add AuthorityKeyIdentifier extension
5. Make cert lint errors/warns fatal in CI
6. Update caliptra-cfi revision

fixes #74
  • Loading branch information
sree-revoori1 committed Feb 28, 2024
1 parent 29d5ca3 commit 84d705a
Show file tree
Hide file tree
Showing 8 changed files with 459 additions and 47 deletions.
4 changes: 2 additions & 2 deletions Cargo.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

6 changes: 3 additions & 3 deletions Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@ members = [
]

[workspace.dependencies]
caliptra-cfi-lib-git = { git = "https://github.com/chipsalliance/caliptra-cfi.git", package = "caliptra-cfi-lib-git", rev = "9f315fcf11fe006e95e62149f54f98620e5244e7", default-features = false, features = ["cfi", "cfi-counter" ] }
caliptra-cfi-derive-git = { git = "https://github.com/chipsalliance/caliptra-cfi.git", package = "caliptra-cfi-derive-git", rev = "9f315fcf11fe006e95e62149f54f98620e5244e7"}
caliptra-cfi-lib-git = { git = "https://github.com/chipsalliance/caliptra-cfi.git", package = "caliptra-cfi-lib-git", rev = "a98e499d279e81ae85881991b1e9eee354151189", default-features = false, features = ["cfi", "cfi-counter" ] }
caliptra-cfi-derive-git = { git = "https://github.com/chipsalliance/caliptra-cfi.git", package = "caliptra-cfi-derive-git", rev = "a98e499d279e81ae85881991b1e9eee354151189"}
zerocopy = "0.6.6"
openssl = "0.10.64"
openssl = "0.10.64"
4 changes: 2 additions & 2 deletions dpe/fuzz/Cargo.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

31 changes: 26 additions & 5 deletions dpe/src/commands/certify_key.rs
Original file line number Diff line number Diff line change
Expand Up @@ -15,8 +15,8 @@ use caliptra_cfi_lib_git::cfi_launder;
#[cfg(not(feature = "no-cfi"))]
use caliptra_cfi_lib_git::{cfi_assert, cfi_assert_eq};
use cfg_if::cfg_if;
use crypto::Crypto;
use platform::{Platform, MAX_ISSUER_NAME_SIZE};
use crypto::{Crypto, Hasher};
use platform::{Platform, MAX_ISSUER_NAME_SIZE, MAX_SKI_SIZE};

#[repr(C)]
#[derive(Debug, PartialEq, Eq, zerocopy::FromBytes, zerocopy::AsBytes)]
Expand Down Expand Up @@ -109,10 +109,12 @@ impl CommandExecution for CertifyKeyCmd {
let mut subj_serial = [0u8; DPE_PROFILE.get_hash_size() * 2];
env.crypto
.get_pubkey_serial(DPE_PROFILE.alg_len(), &pub_key, &mut subj_serial)?;
// The serial number of the subject can be at most 64 bytes
let truncated_subj_serial = &subj_serial[..64];

let subject_name = Name {
cn: DirectoryString::PrintableString(b"DPE Leaf"),
serial: DirectoryString::PrintableString(&subj_serial),
serial: DirectoryString::PrintableString(truncated_subj_serial),
};

// Get TCI Nodes
Expand All @@ -122,11 +124,26 @@ impl CommandExecution for CertifyKeyCmd {
if tcb_count > MAX_HANDLES {
return Err(DpeErrorCode::InternalError);
}

let mut key_identifier = [0u8; MAX_SKI_SIZE];
// compute key identifier as SHA-256 hash of the DER encoded subject public key
let mut hasher = env.crypto.hash_initialize(crypto::AlgLen::Bit256)?;
hasher.update(&[0x04])?;
hasher.update(pub_key.x.bytes())?;
hasher.update(pub_key.y.bytes())?;
let hashed_pub_key = hasher.finish()?;
if hashed_pub_key.len() < MAX_SKI_SIZE {
return Err(DpeErrorCode::InternalError);
}
// truncate key identifier to 20 bytes
key_identifier.copy_from_slice(&hashed_pub_key.bytes()[..MAX_SKI_SIZE]);

let measurements = MeasurementData {
label: &self.label,
tci_nodes: &nodes[..tcb_count],
is_ca: self.uses_is_ca(),
supports_recursive: dpe.support.recursive(),
key_identifier,
};

let mut issuer_name = [0u8; MAX_ISSUER_NAME_SIZE];
Expand Down Expand Up @@ -269,7 +286,7 @@ mod tests {
};
use platform::default::DefaultPlatform;
use spki::ObjectIdentifier;
use std::str;
use std::{fs::File, io::Write, str};
use x509_parser::nom::Parser;
use x509_parser::oid_registry::asn1_rs::oid;
use x509_parser::prelude::public_key::PublicKey;
Expand Down Expand Up @@ -371,6 +388,9 @@ mod tests {
};

let mut parser = X509CertificateParser::new().with_deep_parse_extensions(true);
let mut file = File::create("certificate.der").unwrap();
file.write_all(&certify_resp_ca.cert[..certify_resp_ca.cert_size.try_into().unwrap()])
.unwrap();
match parser.parse(&certify_resp_ca.cert[..certify_resp_ca.cert_size.try_into().unwrap()]) {
Ok((_, cert)) => match cert.basic_constraints() {
Ok(Some(basic_constraints)) => {
Expand Down Expand Up @@ -577,9 +597,10 @@ mod tests {
env.crypto
.get_pubkey_serial(DPE_PROFILE.alg_len(), &pub_key, &mut subj_serial)
.unwrap();
let truncated_subj_serial = &subj_serial[..64];
let subject_name = Name {
cn: DirectoryString::PrintableString(b"DPE Leaf"),
serial: DirectoryString::PrintableString(&subj_serial),
serial: DirectoryString::PrintableString(truncated_subj_serial),
};
let expected_subject_name = format!(
"CN={}, serialNumber={}",
Expand Down
Loading

0 comments on commit 84d705a

Please sign in to comment.