
fix hardware identity oid check logic.
fix #14

Signed-off-by: Yang, Longlong <[email protected]>
longlongyang committed Jan 15, 2024
1 parent cb06559 commit b5e5dca
Showing 1 changed file with 62 additions and 2 deletions.
64 changes: 62 additions & 2 deletions spdmlib/src/crypto/x509v3.rs
Expand Up @@ -470,6 +470,60 @@ fn find_target_object_identifiers(data: &[u8], target_oid: &[u8]) -> SpdmResult<
Ok(target_oid_find_success)
}

// IN (extension sequences slice, target oid)
// OUT true when find target oid
// OUT false when not find target oid
fn find_target_object_identifiers_in_extensions(
data: &[u8],
target_oid: &[u8],
) -> SpdmResult<bool> {
let len = data.len();
let mut walker = 0usize;
if walker >= len {
return Err(SPDM_STATUS_VERIF_FAIL);
}

check_tag_is_sequence(data)?;
walker += 1;
if walker >= len {
return Err(SPDM_STATUS_VERIF_FAIL);
}

let (payload_length, bytes_consumed) = check_length(&data[walker..])?;
walker += bytes_consumed;
if walker >= len {
return Err(SPDM_STATUS_VERIF_FAIL);
}

let data = &data[walker..walker + payload_length];
let len = payload_length;
let target_len = target_oid.len();
walker = 0;
while walker < len {
check_tag_is_sequence(data)?;
walker += 1;
if walker >= len {
return Err(SPDM_STATUS_VERIF_FAIL);
}

let (payload_length, bytes_consumed) = check_length(&data[walker..])?;
walker += bytes_consumed;
if walker >= len {
return Err(SPDM_STATUS_VERIF_FAIL);
}

if bytes_consumed > target_len
&& object_identifiers_are_same(&data[walker..walker + target_len], target_oid)
{
return Ok(true);
}

walker += payload_length;
}

Ok(false)
}

// IN extension sequence slice
// OUT Ok (extnID, extn sequence length)
// OUT Error not found extnID, verify fail
Expand Down Expand Up @@ -693,12 +747,18 @@ pub fn check_leaf_certificate(cert: &[u8], is_alias_cert_model: bool) -> SpdmRes
let (_, extension_data) = check_and_get_extensions(&data[t_walker..])?;

if is_alias_cert_model
&& find_target_object_identifiers(extension_data, OID_DMTF_SPDM_HARDWARE_IDENTITY)?
&& find_target_object_identifiers_in_extensions(
extension_data,
OID_DMTF_SPDM_HARDWARE_IDENTITY,
)?
{
info!("Hardware identity OID shall not be present in alias cert!\n");
Err(SPDM_STATUS_VERIF_FAIL)
} else if !is_alias_cert_model
&& !find_target_object_identifiers(extension_data, OID_DMTF_SPDM_HARDWARE_IDENTITY)?
&& !find_target_object_identifiers_in_extensions(
extension_data,
OID_DMTF_SPDM_HARDWARE_IDENTITY,
)?
{
info!("Hardware identity OID should be present in device cert!\n");
Ok(())
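Review bot: The match condition in `find_target_object_identifiers_in_extensions`, `if bytes_consumed > target_len`, compares the number of bytes the inner SEQUENCE's length field occupied against the OID length, so — assuming `check_length` returns `(encoded length, bytes of the length field)` as the `walker += bytes_consumed` / `&data[walker..walker + payload_length]` usage just above implies — the branch is essentially never taken and the hardware-identity OID is never found; the intended comparison is `payload_length >= target_len`. Independently of that, both `&data[walker..walker + payload_length]` and `&data[walker..walker + target_len]` slice on a length taken from the certificate without checking it fits in the remaining buffer, so a truncated or malformed extension sequence panics instead of returning `SPDM_STATUS_VERIF_FAIL`; the `walker >= len` guards do not cover this. Because `check_leaf_certificate` now routes its alias/device policy decision through this function, the first issue silently accepts alias certificates that carry the OID. The rewritten lines below replace the condition and add the two fit checks; the enclosing `check_leaf_certificate` starts and ends outside the second hunk.

```rust
    let (payload_length, bytes_consumed) = check_length(&data[walker..])?;
    walker += bytes_consumed;
    // the declared payload must fit in the buffer before it is sliced
    if walker >= len || payload_length > len - walker {
        return Err(SPDM_STATUS_VERIF_FAIL);
    }

    let data = &data[walker..walker + payload_length];
    // … unchanged: len/target_len/walker reset, loop head, inner SEQUENCE tag check …
        let (payload_length, bytes_consumed) = check_length(&data[walker..])?;
        walker += bytes_consumed;
        if walker >= len || payload_length > len - walker {
            return Err(SPDM_STATUS_VERIF_FAIL);
        }

        // compare the extnID payload against the target, not the length-field byte count
        if payload_length >= target_len
            && object_identifiers_are_same(&data[walker..walker + target_len], target_oid)
        {
            return Ok(true);
        }
    // … unchanged: advance walker by payload_length, Ok(false) …
```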
