Skip to content

Commit

Permalink
tpm: check if EK certificate has valid ASN.1 DER encoding
Browse files Browse the repository at this point in the history
Further this removes padding found on some TPMs in the NV indices.
If this is not valid, we still use it, but output a warning.

Signed-off-by: Thore Sommer <[email protected]>
  • Loading branch information
THS-on committed Sep 25, 2024
1 parent 56a6159 commit 02983c5
Showing 1 changed file with 19 additions and 1 deletion.
20 changes: 19 additions & 1 deletion keylime/src/tpm.rs
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ use crate::algorithms::{
use base64::{engine::general_purpose, Engine as _};
use log::*;
use std::convert::{TryFrom, TryInto};
use std::io::Read;
use std::str::FromStr;
use thiserror::Error;

Expand Down Expand Up @@ -338,6 +339,10 @@ pub enum TpmError {
#[error("Error finishing Hasher")]
OpenSSLHasherFinish { source: openssl::error::ErrorStack },

/// Generic catch-all error
#[error("EK certificate parsing error")]
EKCertParsing(#[from] picky_asn1_der::Asn1DerError),

/// Number conversion error
#[error("Error converting number")]
TryFromInt(#[from] std::num::TryFromIntError),
Expand Down Expand Up @@ -490,6 +495,13 @@ impl Context {
})
}

// Tries to parse the EK certificate and re-encodes it to remove potential padding
fn check_ek_cert(&mut self, cert: &[u8]) -> Result<Vec<u8>> {
let parsed_cert: picky_asn1_der::Asn1RawDer =
picky_asn1_der::from_bytes(cert)?;
Ok(picky_asn1_der::to_vec(&parsed_cert)?)
}

/// Creates an EK, returns the key handle and public certificate
/// in `EKResult`.
///
Expand Down Expand Up @@ -551,7 +563,13 @@ impl Context {
};
let cert = match ek::retrieve_ek_pubcert(&mut self.inner, alg.into())
{
Ok(v) => Some(v),
Ok(cert) => match self.check_ek_cert(&cert) {
Ok(cert_checked) => Some(cert_checked),
Err(_) => {
warn!("EK certificate in TPM NVRAM is not ASN.1 DER encoded");
Some(cert)

Check warning on line 570 in keylime/src/tpm.rs

View check run for this annotation

Codecov / codecov/patch

keylime/src/tpm.rs#L569-L570

Added lines #L569 - L570 were not covered by tests
}
},
Err(_) => {
warn!("No EK certificate found in TPM NVRAM");
None
Expand Down

0 comments on commit 02983c5

Please sign in to comment.