search

DMTF / libspdm

BSD 3-Clause "New" or "Revised" License
90 stars 94 forks source link

Add length check during verify cert chain #2718

Closed rw8896 closed 1 month ago

rw8896 commented 1 month ago

Resolve #2701

steven-bellock commented 1 month ago

If possible the comparison should be exact.

  1. Calculate the size of the entire certificate chain via x509 parsing.
  2. If the size in step 1 is not equal to the size reported by the SPDM message then validation fails, else it passes.
rw8896 commented 1 month ago

If possible the comparison should be exact.

  1. Calculate the size of the entire certificate chain via x509 parsing.
  2. If the size in step 1 is not equal to the size reported by the SPDM message then validation fails, else it passes.

I think this commit already did exact checking:

  1. During iterating the cert chain, check the x509 parsed length of each cert and make sure no cert will exceed the cert chain.
  2. After parsing all the certificates, check if there is any remaining data left in the cert chain.

Hence the total cert size can't exceed or be less than the whole cert chain length and must be exact the same as the cert chain length.