certs: Fixup id-spdm-cert-oid SEQUENCE

Following the discussion in libspdm [1] we are incorrectly missing a second SEQUENCE tag when generating the id-spdm-cert-oids. This commit fixes it so we are compliant with the libspdm tests. 1: DMTF/libspdm#2325 (comment) Signed-off-by: Alistair Francis <[email protected]>
westerndigitalcorporation · Mar 13, 2024 · dfe5a61 · dfe5a61
1 parent 86e0ab5
commit dfe5a61
Show file tree

Hide file tree

Showing 17 changed files with 58 additions and 50 deletions.
diff --git a/certs/openssl.cnf b/certs/openssl.cnf
@@ -1,5 +1,3 @@
-### REF: https://www.openssl.org/docs/man1.1.1/man3/ASN1_generate_nconf.html
-
 [ device_ca ]
 basicConstraints = CA:true
 keyUsage = cRLSign, keyCertSign, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign
@@ -14,6 +12,9 @@ extendedKeyUsage = critical, serverAuth, clientAuth, OCSPSigning
 2.23.133.5.4.100.8 = ASN1:NULL # tcg-dice-kp-attestInit
 
 [ device_ca_spdm_cert_oids ]
+id-spdm-cert-oid = SEQUENCE:device_ca_spdm_cert_hardware_identity_oid
+
+[ device_ca_spdm_cert_hardware_identity_oid ]
 id-DMTF-hardware-identity = OID:1.3.6.1.4.1.412.274.2
 
 [ alias_ca ]
@@ -30,6 +31,9 @@ extendedKeyUsage = critical, serverAuth, clientAuth, OCSPSigning
 2.23.133.5.4.100.11 = ASN1:NULL # tcg-dice-kp-assertLoc
 
 [ alias_ca_spdm_cert_oids ]
+id-spdm-cert-oid = SEQUENCE:alias_ca_spdm_cert_mutable_oid
+
+[ alias_ca_spdm_cert_mutable_oid ]
 id-DMTF-mutable-certificate = OID:1.3.6.1.4.1.412.274.5
 
 [ leaf ]
@@ -48,4 +52,7 @@ extendedKeyUsage = critical, serverAuth, clientAuth, OCSPSigning, 1.3.6.1.4.1.41
 2.23.133.5.4.100.11 = ASN1:NULL # tcg-dice-kp-assertLoc
 
 [ leaf_spdm_cert_oids ]
+id-spdm-cert-oid = SEQUENCE:leaf_spdm_cert_mutabl_oid
+
+[ leaf_spdm_cert_mutabl_oid ]
 id-DMTF-mutable-certificate = OID:1.3.6.1.4.1.412.274.5
diff --git a/certs/slot0/ca.cert b/certs/slot0/ca.cert
@@ -1,12 +1,12 @@
 -----BEGIN CERTIFICATE-----
-MIIBtTCCATygAwIBAgIUHHzm254eX1FdkMgO7Yv0ro8oERYwCgYIKoZIzj0EAwMw
-EjEQMA4GA1UEAwwHVGVzdCBDQTAeFw0yNDAyMjkwMzAwNDFaFw0zNDAyMjYwMzAw
-NDFaMBIxEDAOBgNVBAMMB1Rlc3QgQ0EwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAARb
-M9WEPtGaFsHQnhpkAO2vBErfRW7D59ItMABEgy1h64XztpcIBAZ+ue1PYA51UKvJ
-iugUvFjm1Yoa/m33FnINuSUo3VmR1Eg1KA4+gcGIrYRkdAIQ2BNR9i+OJh9SVDaj
-UzBRMB0GA1UdDgQWBBTA/APZGgxdhPBSAtbKtD8PRd1aZzAfBgNVHSMEGDAWgBTA
-/APZGgxdhPBSAtbKtD8PRd1aZzAPBgNVHRMBAf8EBTADAQH/MAoGCCqGSM49BAMD
-A2cAMGQCMB3W1Jw0GJFSDIqdg97FOePsJdwrmR1hjXZV+pNURBT7BVJeV631kBZ2
-VphljPFUfQIwEONtJYyCtLy2r1xn2ELs/N5/UNDq/7BsJugSy4S8xdz8qOtZAET1
-lthtFq5OvYgD
+MIIBtjCCATygAwIBAgIUb1sjyAnlHy55wptv7sT1StHBX9EwCgYIKoZIzj0EAwMw
+EjEQMA4GA1UEAwwHVGVzdCBDQTAeFw0yNDAzMDgwMzM0MzFaFw0zNDAzMDYwMzM0
+MzFaMBIxEDAOBgNVBAMMB1Rlc3QgQ0EwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAARL
+D9toR9XDGiqLflxqNYsq4oUfYx+QUYxrTQ5KNIStTk1r08Lz9cWNNTWMHbE7vPDN
+ruaPEVpAsZYG4AtAOTVogHH5zd9iq90hZOdiyPJ1dnxRHKSnRaun84byAA+cPmWj
+UzBRMB0GA1UdDgQWBBTE/XXyaypBglRd5QMisc9Cf/+EyDAfBgNVHSMEGDAWgBTE
+/XXyaypBglRd5QMisc9Cf/+EyDAPBgNVHRMBAf8EBTADAQH/MAoGCCqGSM49BAMD
+A2gAMGUCMQDYgKWqOErRRBwn+aRIw5H6gQof41p9W3RD7R4ihnaf8AF67MEYCL9P
+HSdnI7y9GjMCMBnBaiJmX7NIp8f5J3O2mUv/UO7Pt/QenxvgJ701GV2r8Mmrm4TE
+O1QoyF88EKC28g==
 -----END CERTIFICATE-----
diff --git a/certs/slot0/ca.cert.der b/certs/slot0/ca.cert.der
diff --git a/certs/slot0/ca.key b/certs/slot0/ca.key
@@ -1,6 +1,6 @@
 -----BEGIN PRIVATE KEY-----
-MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDBFO2tI6Ik0bOOMBUMF
-uDu10IXrU3ot0UUU9cGqoxjPICXKB9F7IeRxjU23rXPXipahZANiAARbM9WEPtGa
-FsHQnhpkAO2vBErfRW7D59ItMABEgy1h64XztpcIBAZ+ue1PYA51UKvJiugUvFjm
-1Yoa/m33FnINuSUo3VmR1Eg1KA4+gcGIrYRkdAIQ2BNR9i+OJh9SVDY=
+MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDDUi3Ws2sH4r8Fs0xdS
+6WmH9fWcZIL5rCvdKzc9W0Vru+vw5pyLfzNivC0dt/2IsJChZANiAARLD9toR9XD
+GiqLflxqNYsq4oUfYx+QUYxrTQ5KNIStTk1r08Lz9cWNNTWMHbE7vPDNruaPEVpA
+sZYG4AtAOTVogHH5zd9iq90hZOdiyPJ1dnxRHKSnRaun84byAA+cPmU=
 -----END PRIVATE KEY-----
diff --git a/certs/slot0/device.cert.der b/certs/slot0/device.cert.der
diff --git a/certs/slot0/device.der b/certs/slot0/device.der
diff --git a/certs/slot0/device.key b/certs/slot0/device.key
@@ -1,6 +1,6 @@
 -----BEGIN PRIVATE KEY-----
-MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDCsK1BEpkVVF4HYozE/
-HsdoXkIRjE06MD68/MCn90Nhc1o4NpV7b7TfDbbO51bzdWWhZANiAATfQstwlynj
-R87v1GYSE8mb/gNqoDTraoBJw4VXDWIj0m9EPKE3sOuVilPAsg5kXvF8xSE6r3Ra
-rgd0m8fWhqVT/xAvyGvJwIdW/wBz7An+BWBNLdRMLH0t0LjyL4JO0SU=
+MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDCI4TDp/s/DchCsurb2
+DU9xr0Leoyx3G4EXG68VSbS7/I7hKNxxJloITFbPhM6arTChZANiAAStL+PDvUOv
+ZdMnZTV6SY8wmsigVyoV2qVL1SVVIEGYvaKXv5+g87NYSWHJylnyGc84d78KHfKr
+q2kgl1VKIbminqCbG+hXZBQ1ksRPa8ev2Cziz7l9W1kKHlbtMwMbbxc=
 -----END PRIVATE KEY-----
diff --git a/certs/slot0/device.key.der b/certs/slot0/device.key.der
diff --git a/certs/slot0/device.req b/certs/slot0/device.req
@@ -1,8 +1,8 @@
 -----BEGIN CERTIFICATE REQUEST-----
 MIIBETCBmAIBADAZMRcwFQYDVQQDDA5UZXN0IERldmljZSBDQTB2MBAGByqGSM49
-AgEGBSuBBAAiA2IABN9Cy3CXKeNHzu/UZhITyZv+A2qgNOtqgEnDhVcNYiPSb0Q8
-oTew65WKU8CyDmRe8XzFITqvdFquB3Sbx9aGpVP/EC/Ia8nAh1b/AHPsCf4FYE0t
-1EwsfS3QuPIvgk7RJaAAMAoGCCqGSM49BAMDA2gAMGUCMA2lRYq1lrUdzG3Be7ci
-GN9JiH9h8KLGR8rbCoFFN5iPv1t6A+ze+RfBloqrTnUuuwIxANHUs0eWxLtjMbB9
-y4OMTG+Gqg4v1u3GgO8YV+qxgdyulAEX7vxB08nj0sr9BtCyxA==
+AgEGBSuBBAAiA2IABK0v48O9Q69l0ydlNXpJjzCayKBXKhXapUvVJVUgQZi9ope/
+n6Dzs1hJYcnKWfIZzzh3vwod8quraSCXVUohuaKeoJsb6FdkFDWSxE9rx6/YLOLP
+uX1bWQoeVu0zAxtvF6AAMAoGCCqGSM49BAMDA2gAMGUCMCvXttCiqs7eQ8eHU+xi
+dLkFYbRuezXuHze2x18MCN63e/eQPzAa/aN+X6BZqsZ/3gIxAIC6MaJ7lKjjxiea
+NhG1oRPDuA4XzNXdN8flcg1BaXeccGlPFI9QGMwjUII6E+txjQ==
 -----END CERTIFICATE REQUEST-----
diff --git a/certs/slot0/immutable.der b/certs/slot0/immutable.der
diff --git a/certs/slot0/inter.cert b/certs/slot0/inter.cert
@@ -1,15 +1,15 @@
 -----BEGIN CERTIFICATE-----
-MIICQjCCAcigAwIBAgIBATAKBggqhkjOPQQDAzASMRAwDgYDVQQDDAdUZXN0IENB
-MB4XDTI0MDIyOTAzMDA0MVoXDTM0MDIyNjAzMDA0MVowHzEdMBsGA1UEAwwUVGVz
-dCBJbnRlcm1lZGlhdGUgQ0EwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAATRUns0bJWR
-kFVOX2Jwx8G0fL/5DRX7eChgP69gE01HIBTTNjYKb7rUjZt6EIRxFeY462uufGZR
-lJvZt/Cv1utdGSBX3WYk1wM/4pUvnG1W2T7cPCwa5LSg7XwxWkTnAuKjgeQwgeEw
-DAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAf4wHQYDVR0OBBYEFOkCBl7xKHVVG1pF
-9/e0xw1u3p+jMCoGA1UdJQEB/wQgMB4GCCsGAQUFBwMBBggrBgEFBQcDAgYIKwYB
-BQUHAwkwHAYKKwYBBAGDHIISBgQOMAwGCisGAQQBgxyCEgIwDQYHZ4EFBQRkBgQC
-BQAwDQYHZ4EFBQRkDAQCBQAwDQYHZ4EFBQRkCgQCBQAwDQYHZ4EFBQRkCAQCBQAw
-HwYDVR0jBBgwFoAUwPwD2RoMXYTwUgLWyrQ/D0XdWmcwCgYIKoZIzj0EAwMDaAAw
-ZQIwHhAmSvjysvv4azKJU7WLQL6dq1CGOMuR7bCNLOVmtWbn2e3vpf4Y1uJcdLr3
-7Mm1AjEAoYouUWcJRRsBusEfFJhcmBVpV3+/m7Qww0fOjuEovnAtZ7pe0UxIIqXt
-u5od7OuZ
+MIICQzCCAcqgAwIBAgIBATAKBggqhkjOPQQDAzASMRAwDgYDVQQDDAdUZXN0IENB
+MB4XDTI0MDMwODAzMzQzMloXDTM0MDMwNjAzMzQzMlowHzEdMBsGA1UEAwwUVGVz
+dCBJbnRlcm1lZGlhdGUgQ0EwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAASOyM1mmvfJ
+99Ab8NIuvt+c768TQFu180OWpHuwtiYU2ErNieiHMNiXYQRPDIirsGjV8MSrmyfh
+xiatl92C69rs1FequHFeu4I1aMQ/zOTgjEar6yGaW8p+tdTyozI5UIqjgeYwgeMw
+DAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAf4wHQYDVR0OBBYEFF36Tt/a/bCOxAzO
+e4NzX1ItNWFYMCoGA1UdJQEB/wQgMB4GCCsGAQUFBwMBBggrBgEFBQcDAgYIKwYB
+BQUHAwkwHgYKKwYBBAGDHIISBgQQMA4wDAYKKwYBBAGDHIISAjANBgdngQUFBGQG
+BAIFADANBgdngQUFBGQMBAIFADANBgdngQUFBGQKBAIFADANBgdngQUFBGQIBAIF
+ADAfBgNVHSMEGDAWgBTE/XXyaypBglRd5QMisc9Cf/+EyDAKBggqhkjOPQQDAwNn
+ADBkAjAp4MNmX2IH3kSYCbCwlMD4HvGAJa9sb/KkGkY6rY1RdWJJ42DNEJGRGzDM
+OTqEARECMCTWL+ANs+KjQqYs6c/9zNphZfjmnZAeqUbMYbO/WX6EQ1XMCxRUMMuy
+BLLP46iUCw==
 -----END CERTIFICATE-----
diff --git a/certs/slot0/inter.cert.der b/certs/slot0/inter.cert.der
diff --git a/certs/slot0/inter.der b/certs/slot0/inter.der
diff --git a/certs/slot0/inter.key b/certs/slot0/inter.key
@@ -1,6 +1,6 @@
 -----BEGIN PRIVATE KEY-----
-MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDAtxP3ecojcjvXr9zy4
-egsfRzLkd6VhfdLEIzWAUO6B0nhmxUXW4qDqb5tdns8IDDuhZANiAATRUns0bJWR
-kFVOX2Jwx8G0fL/5DRX7eChgP69gE01HIBTTNjYKb7rUjZt6EIRxFeY462uufGZR
-lJvZt/Cv1utdGSBX3WYk1wM/4pUvnG1W2T7cPCwa5LSg7XwxWkTnAuI=
+MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDBfKXX4FWx6heIPViuV
+KyTwsofRpYKNcI5OOfAywpF79tabKkaoC9//WLOnTvIY3qyhZANiAASOyM1mmvfJ
+99Ab8NIuvt+c768TQFu180OWpHuwtiYU2ErNieiHMNiXYQRPDIirsGjV8MSrmyfh
+xiatl92C69rs1FequHFeu4I1aMQ/zOTgjEar6yGaW8p+tdTyozI5UIo=
 -----END PRIVATE KEY-----
diff --git a/certs/slot0/inter.key.der b/certs/slot0/inter.key.der
diff --git a/certs/slot0/inter.req b/certs/slot0/inter.req
@@ -1,8 +1,8 @@
 -----BEGIN CERTIFICATE REQUEST-----
-MIIBGDCBngIBADAfMR0wGwYDVQQDDBRUZXN0IEludGVybWVkaWF0ZSBDQTB2MBAG
-ByqGSM49AgEGBSuBBAAiA2IABNFSezRslZGQVU5fYnDHwbR8v/kNFft4KGA/r2AT
-TUcgFNM2NgpvutSNm3oQhHEV5jjra658ZlGUm9m38K/W610ZIFfdZiTXAz/ilS+c
-bVbZPtw8LBrktKDtfDFaROcC4qAAMAoGCCqGSM49BAMDA2kAMGYCMQCEo0cLF+0v
-FQmvJA9zFHKw4gxP4f1OJBQiCeThnFZ/sbqUbl20jbdLabqcAFevU4ACMQD9ipte
-rNNTRmbmgdfOvg1q62goiqIGtZusRN0+cHxzTfaQxxqwRxmFh03WK38/3lg=
+MIIBFzCBngIBADAfMR0wGwYDVQQDDBRUZXN0IEludGVybWVkaWF0ZSBDQTB2MBAG
+ByqGSM49AgEGBSuBBAAiA2IABI7IzWaa98n30Bvw0i6+35zvrxNAW7XzQ5ake7C2
+JhTYSs2J6Icw2JdhBE8MiKuwaNXwxKubJ+HGJq2X3YLr2uzUV6q4cV67gjVoxD/M
+5OCMRqvrIZpbyn611PKjMjlQiqAAMAoGCCqGSM49BAMDA2gAMGUCMQDczjOpVn7b
+zQFboCNCt90nbkh8u6+2pWUiXyJoi/afiH/47xleaGvz2mDs3uxn6DQCMGT/ZfZl
+I4kwg1dlcGyBqdBhltzWCiMdAzyAwZgTZ9Tw4YN4GGeOeoNX+vUufiK0hw==
 -----END CERTIFICATE REQUEST-----
diff --git a/src/tcg_concise_evidence_binding.rs b/src/tcg_concise_evidence_binding.rs
@@ -55,7 +55,7 @@ pub struct CertificateUsage {
 // TODO: Handle multiple entries
 fn spdm_cert_oids_parser(i: &[u8]) -> ParseResult<Oid> {
     Sequence::from_der_and_then(i, |i| {
-        return Ok((i, Oid::new(std::borrow::Cow::Borrowed(&i[2..]))));
+        return Ok((i, Oid::new(std::borrow::Cow::Borrowed(&i[4..]))));
     })
 }
 
@@ -225,7 +225,8 @@ pub fn check_tcg_dice_evidence_binding(cert_slot_id: u8) -> Result<CertificateUs
                                 }
                             }
                         } else {
-                            unreachable!();
+                            error!("Extension {:?} is invalid", seq.1);
+                            return Err(());
                         }
                     }
                     Ok(None) => {