tpm: check if EK certificate has valid ASN.1 DER encoding #845

Merged
merged 1 commit into from
Oct 14, 2024
20 changes: 19 additions & 1 deletion keylime/src/tpm.rs
@@ -7,6 +7,7 @@
use base64::{engine::general_purpose, Engine as _};
use log::*;
use std::convert::{TryFrom, TryInto};
use std::io::Read;
use std::str::FromStr;
use thiserror::Error;
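Review bot: `use std::io::Read;` is the only addition in this hunk and nothing else in the diff uses it; `check_ek_cert` parses with `picky_asn1_der::from_bytes` on a `&[u8]`, which does not need the `Read` trait in scope. Unless another part of the file relies on it, drop the import, otherwise rustc will report it as unused.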

@@ -338,6 +339,10 @@
#[error("Error finishing Hasher")]
OpenSSLHasherFinish { source: openssl::error::ErrorStack },

/// Error when trying to decode the EK certificate
#[error("EK certificate parsing error")]
EKCertParsing(#[from] picky_asn1_der::Asn1DerError),

/// Number conversion error
#[error("Error converting number")]
TryFromInt(#[from] std::num::TryFromIntError),
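Review bot: the Display string for `EKCertParsing` drops the underlying cause. `#[from]` keeps the `Asn1DerError` as the error's `source`, but anything that formats the error with `{}` only sees "EK certificate parsing error"; consider `#[error("EK certificate parsing error: {0}")]` so the decoder's reason (bad tag, truncated length, trailing data) reaches the log. The doc comment says "decode", while `check_ek_cert` re-encodes as well, so "parse and re-encode" would describe it more accurately.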
@@ -490,6 +495,13 @@
})
}

// Tries to parse the EK certificate and re-encodes it to remove potential padding
fn check_ek_cert(&mut self, cert: &[u8]) -> Result<Vec<u8>> {
let parsed_cert: picky_asn1_der::Asn1RawDer =
picky_asn1_der::from_bytes(cert)?;
Ok(picky_asn1_der::to_vec(&parsed_cert)?)
}

/// Creates an EK, returns the key handle and public certificate
/// in `EKResult`.
///
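Review bot: `check_ek_cert` takes `&mut self` but never touches `self`; make it an associated or free function (`fn check_ek_cert(cert: &[u8]) -> Result<Vec<u8>>`) so it can be unit-tested without a TPM context. The comment should also say what the round-trip guarantees: deserializing into `Asn1RawDer` and calling `to_vec` validates the outer tag and length and discards any bytes after the first complete element (the NV padding the comment alludes to), but it does not check that the element is an X.509 `Certificate` or that its contents are DER. A `///` doc comment stating that limit would stop readers from assuming a full certificate parse happens here.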
@@ -551,7 +563,13 @@
};
let cert = match ek::retrieve_ek_pubcert(&mut self.inner, alg.into())
{
Ok(v) => Some(v),
Ok(cert) => match self.check_ek_cert(&cert) {
Ok(cert_checked) => Some(cert_checked),
Err(_) => {
warn!("EK certificate in TPM NVRAM is not ASN.1 DER encoded");
Some(cert)
Codecov / codecov/patch: Added lines #L569 - L570 (keylime/src/tpm.rs) were not covered by tests
}
},
Err(_) => {
warn!("No EK certificate found in TPM NVRAM");
None
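Review bot: `Err(_)` in the fallback arm throws away the `Asn1DerError`, so the warning cannot tell a padded certificate apart from a corrupt one; bind the error and log it, e.g. `Err(e) => { warn!("EK certificate in TPM NVRAM is not ASN.1 DER encoded: {e}"); Some(cert) }`. Returning the raw `cert` on failure keeps the pre-change behaviour, which looks intended, but a one-line comment saying so would save a future reader from "fixing" it into a hard error. The Codecov annotation shows both lines of this arm are untested; a unit test feeding `check_ek_cert` a valid DER blob with trailing zero bytes (expecting the stripped encoding back) and a non-DER blob (expecting `EKCertParsing`) would cover the new code path, leaving only the log call in this match arm unexercised.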