When we run checks against the certificate that the requester set we have the following function calls
libspdm_set_cert_verify_certchain()
libspdm_x509_set_cert_certificate_check() ...
libspdm_verify_leaf_cert_spdm_extension()
At which point libspdm_verify_leaf_cert_spdm_extension() checks to make sure the id-DMTF-hardware-identity OID is not set if it's an AliasCert model.
This ends up being incorrect though. If using an AliasCert the SET_CERTIFICATE CertChain (table 93 - section 770) will "contain a partial certificate chain from the root CA to the Device Certificate CA". This means that the leaf certificate of that chain should set the the id-DMTF-hardware-identity OID as it isn't an alias certificate.
At this point the check in libspdm_verify_leaf_cert_spdm_extension() is incorrect.
Following up on https://github.com/DMTF/libspdm/pull/2708#issuecomment-2146372858 this PR fixes the current function documentation to ensure that the use of is_requester_cert is clear. This also skips leaf certificate checks if running set cert on a AliasCert model as we are actually checking a Device Certificate CA.
The Build and Test / build (windows-latest, openssl, x64, Debug, GCC, -DLIBSPDM_ENABLE_CAPABILITY_CERT_CAP failure is unrelated, seems to be a package mirror issue
When we run checks against the certificate that the requester set we have the following function calls
At which point libspdm_verify_leaf_cert_spdm_extension() checks to make sure the id-DMTF-hardware-identity OID is not set if it's an AliasCert model.
This ends up being incorrect though. If using an AliasCert the SET_CERTIFICATE CertChain (table 93 - section 770) will "contain a partial certificate chain from the root CA to the Device Certificate CA". This means that the leaf certificate of that chain should set the the id-DMTF-hardware-identity OID as it isn't an alias certificate.
At this point the check in libspdm_verify_leaf_cert_spdm_extension() is incorrect.
Following up on https://github.com/DMTF/libspdm/pull/2708#issuecomment-2146372858 this PR fixes the current function documentation to ensure that the use of
is_requester_cert
is clear. This also skips leaf certificate checks if running set cert on a AliasCert model as we are actually checking a Device Certificate CA.