crypt_lib: allow partial certchain verification
This is a continuation of #2369
Issue
Currently, when a certificate chain is validated, it is required that the certificate chain is a complete certificate chain. That is, it contains an end-entity/leaf certificate at the end. The certificate validation takes place in libspdm_verify_cert_chain_data(). Although this makes sense for most use cases, we can't use this function to validate a chain that is valid but is only partial (no leaf).
An example of such a case may be when a libspdm based requester is loading an immutable certificate chain (RootCA->...->DeviceCA only, no leaf) prior to a SET_CERTIFICATE request (AliasCertificate Model). Before sending the chain over to the responder, if the requester tries to validate the certificate chain locally using libspdm_verify_cert_chain_data(), it will fail (rightfully) during the leaf check, which means that in the case above we can't use libspdm_verify_cert_chain_data() in its current state.
Proposed Change
A small modification could be made to libspdm_verify_cert_chain_data() to skip the leaf check for such a case. See https://github.com/DMTF/libspdm/pull/2369 for the proposed changes.
Misc
Is there a better way to address the case above?
Validation of the SET_CERTIFICATE certificate chain currently bypasses spdm_crypt_lib and goes straight to crypt_lib: https://github.com/DMTF/libspdm/blob/137b6f7056be9df0295165bf1a30517814dfc5ad/library/spdm_responder_lib/libspdm_rsp_set_certificate.c#L13 If you'd like to bring that to spdm_crypt_lib, it should probably be a new libspdm_verify_cert_chain_data_ex function.
I was referring to the validation of the certificate chain on the requester (locally) before even calling libspdm_set_certificate(), so we don't even bother sending something that isn't valid to the responder.
Starting with reading the cert chain file (on a requester device), then calling libspdm_verify_cert_chain_data() to verify things locally first (this currently fails here); if OK, only then invoke libspdm_set_certificate().
Could that be in the form of a new function (in libspdm_crypt_cert.c) as mentioned here: https://github.com/DMTF/libspdm/pull/2369#issuecomment-1733766041 ?
Yes, libspdm_verify_cert_chain_data_ex. And then the API documentation for libspdm_set_certificate can include checking the certificate chain as a recommendation. In addition the Responder can take advantage of the new function and use it as well, instead of bypassing spdm_crypt_lib.
https://github.com/DMTF/libspdm/issues/2505 is fixed. What do we do for this issue?