Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix hardware identity oid check logic. #16

Merged
merged 1 commit into from
Feb 2, 2024
Merged

fix hardware identity oid check logic. #16

merged 1 commit into from
Feb 2, 2024

Conversation

longlongyang
Copy link
Collaborator

fix #14

OuyangHang33
OuyangHang33 reviewed Jan 18, 2024
View reviewed changes
spdmlib/src/crypto/x509v3.rs Outdated
// IN (extension sequences slice, target oid)
// OUT true when find target oid
// OUT false when not find target oid
fn find_target_object_identifiers_in_extensions(
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

find_target_object_identifiers can enter sequence slice or extnValue to find the target oid, so It's fine to keep using find_target_object_identifiers to search hardware oid, no need additional function to do the search work.

spdm-rs/spdmlib/src/crypto/x509v3.rs

Lines 461 to 463 in cb06559

} else if data[index] == ASN1_TAG_SEQUENCE || data[index] == ASN1_TAG_EXTN_VALUE {
index += 1 + bytes_consumed;
continue;

OuyangHang33
OuyangHang33 reviewed Jan 18, 2024
View reviewed changes
spdmlib/src/crypto/x509v3.rs Outdated
@@ -1223,7 +1283,7 @@ mod tests {
assert!(check_leaf_certificate(&end1, true).is_ok());
assert!(check_leaf_certificate(&end1, false).is_ok());
assert!(check_leaf_certificate(&end2, false).is_ok());
assert!(check_leaf_certificate(&end2, true).is_err());
assert!(check_leaf_certificate(&end2, true).is_ok());
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

end2 contains hardware oid and alias cert shall not have hardware oid. Need return Err.

@longlongyang
Copy link
Collaborator Author

longlongyang commented Jan 22, 2024
edited
Loading

Synced with @OuyangHang33 and @xiaoyuxlu, we both agreed that:

  1. use another function to handle a whole extensions (sequence of extension).
  2. test case is designed well, no need to change the test case.

@longlongyang longlongyang marked this pull request as draft January 29, 2024 02:23
@longlongyang longlongyang marked this pull request as ready for review January 29, 2024 06:22
jyao1
jyao1 reviewed Jan 30, 2024
View reviewed changes
spdmlib/src/crypto/x509v3.rs Outdated
info!("Hardware identity OID shall not be present in alias cert!\n");
Err(SPDM_STATUS_VERIF_FAIL)
} else if !is_alias_cert_model
&& !find_target_object_identifiers(extension_data, OID_DMTF_SPDM_HARDWARE_IDENTITY)?
&& !find_hardware_object_identifiers_in_extensions(extension_data)?
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why we change a generic function to a specific function?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why we change a generic function to a specific function?

Because, it is confusing for a generic function to find a target oid. RFC 5280 says

Extension  ::=  SEQUENCE  {
    extnID      OBJECT IDENTIFIER,
    critical    BOOLEAN DEFAULT FALSE,
    extnValue   OCTET STRING
                -- contains the DER encoding of an ASN.1 value
                -- corresponding to the extension type identified
                -- by extnID
        }

to find a target oid in extnValue need the context of extension type. So it is better to add some specific items in function name to indicate the context of extension type. In this PR, hardware_object_identifiers indicates this function works under SPDM context, to find a

id-DMTF-hardware-identity id-spdm-cert-oid :: = {
    spdmOID { id-DMTF-spdm 2 }
    spdmOIDdefinition ABSENT
}

it should be more precise.

@jyao1 jyao1 merged commit 3fb75da into ccc-spdm-tools:main Feb 2, 2024
47 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@OuyangHang33 OuyangHang33 OuyangHang33 left review comments

@jyao1 jyao1 jyao1 left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

The extension check logic is not correct.
3 participants
@longlongyang @jyao1 @OuyangHang33