Closed AnanyaKallankudlu closed 5 months ago
In my understanding, there is no need for further operations. The emu will pass when you follow the README: https://github.com/DMTF/spdm-emu/blob/main/README.md
Please try to debug the root cause of "!!! VerifyCertificateChainData - FAIL (cert chain verify failed)!!!", such as the cert time check.
Thanks!
Please find stack trace below:
> spdmResponderEmu.exe!X509_STORE_CTX_get1_issuer(x509_st * * issuer, x509_store_ctx_st * ctx, x509_st * x) Line 738 C
[Inline Frame] spdmResponderEmu.exe!get1_trusted_issuer(x509_st * *) Line 2981 C
spdmResponderEmu.exe!build_chain(x509_store_ctx_st * ctx) Line 3103 C
spdmResponderEmu.exe!verify_chain(x509_store_ctx_st * ctx) Line 221 C
spdmResponderEmu.exe!X509_verify_cert(x509_store_ctx_st * ctx) Line 302 C
spdmResponderEmu.exe!libspdm_x509_verify_cert(const unsigned char * cert, unsigned __int64 cert_size, const unsigned char * ca_cert, unsigned __int64 ca_cert_size) Line 1948 C
spdmResponderEmu.exe!libspdm_x509_verify_cert_chain(const unsigned char * root_cert, unsigned __int64 root_cert_length, const unsigned char * cert_chain, unsigned __int64 cert_chain_length) Line 2134 C
spdmResponderEmu.exe!libspdm_verify_cert_chain_data(unsigned char * cert_chain_data, unsigned __int64 cert_chain_data_size, unsigned int base_asym_algo, unsigned int base_hash_algo, bool is_requester_cert, bool is_device_cert_model) Line 1625 C
spdmResponderEmu.exe!libspdm_read_responder_public_certificate_chain_per_slot(unsigned char slot_id, unsigned int base_hash_algo, unsigned int base_asym_algo, void * * data, unsigned __int64 * size, void * * hash, unsigned __int64 * hash_size) Line 916 C
spdmResponderEmu.exe!spdm_server_connection_state_callback(void * spdm_context, libspdm_connection_state_t connection_state) Line 418 C
spdmResponderEmu.exe!libspdm_trigger_connection_state_callback(libspdm_context_t * spdm_context, const libspdm_connection_state_t connection_state) Line 367 C
spdmResponderEmu.exe!libspdm_set_connection_state(libspdm_context_t * spdm_context, libspdm_connection_state_t connection_state) Line 382 C
spdmResponderEmu.exe!libspdm_get_response_algorithms(libspdm_context_t * spdm_context, unsigned __int64 request_size, const void * request, unsigned __int64 * response_size, void * response) Line 872 C
spdmResponderEmu.exe!libspdm_build_response(void * spdm_context, const unsigned int * session_id, bool is_app_message, unsigned __int64 * response_size, void * * response) Line 605 C
spdmResponderEmu.exe!libspdm_responder_dispatch_message(void * spdm_context) Line 68 C
spdmResponderEmu.exe!platform_server(const unsigned __int64 socket) Line 33 C
spdmResponderEmu.exe!platform_server_routine(unsigned short port_number) Line 217 C
spdmResponderEmu.exe!main(int argc, char * * argv) Line 257 C
[External Code]
It is failing in C:\openssl-3.0.2\crypto\x509\x509_lu.c in line number 736 below:
725 int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
726 {
727 const X509_NAME *xn;
728 X509_OBJECT *obj = X509_OBJECT_new(), *pobj = NULL;
729 X509_STORE *store = ctx->store;
730 int i, ok, idx, ret, nmatch = 0;
731
732 if (obj == NULL)
733 return -1;
734 *issuer = NULL;
735 xn = X509_get_issuer_name(x);
736 ok = X509_STORE_CTX_get_by_subject(ctx, X509_LU_X509, xn, obj);
737 if (ok != 1) {
738 X509_OBJECT_free(obj);
739 return 0;
740 }
741 /* If certificate matches and is currently valid all OK */
742 if (ctx->check_issued(ctx, x, obj->data.x509)) {
743 if (ossl_x509_check_cert_time(ctx, obj->data.x509, -1)) {
744 *issuer = obj->data.x509;
745 /* |*issuer| has taken over the cert reference from |obj| */
746 obj->type = X509_LU_NONE;
747 X509_OBJECT_free(obj);
748 return 1;
749 }
750 }
In line number 736, ok is 0. So even before proceeding to check cert time, there is a failure.
And the stack trace on Ubuntu with openssl 3.0.9:
736 ok = X509_STORE_CTX_get_by_subject(ctx, X509_LU_X509, xn, obj);
(gdb) n
737 if (ok != 1) {
(gdb) p ok
$1 = 1
(gdb) bt
#0 X509_STORE_CTX_get1_issuer (issuer=0x7fffffffd6a0, ctx=0x874f80, x=0x849cc0) at crypto/x509/x509_lu.c:737
#1 0x000000000051efb9 in get1_trusted_issuer (cert=0x849cc0, ctx=0x874f80, issuer=0x7fffffffd6a0) at crypto/x509/x509_vfy.c:2981
#2 build_chain (ctx=0x874f80) at crypto/x509/x509_vfy.c:3102
#3 0x0000000000520be6 in verify_chain (ctx=0x874f80) at crypto/x509/x509_vfy.c:216
#4 0x0000000000521cb2 in X509_verify_cert (ctx=0x874f80) at crypto/x509/x509_vfy.c:295
#5 0x000000000048a9b4 in libspdm_x509_verify_cert (
cert=0x84a690 "0\202\001\324\060\202\001Z\240\003\002\001\002\002\024!A\335N\354\370\031b$.~֮d\313)]ĐQ0\n\006\b*\206H\316=\004\003\003\060!1\037\060\035\006\003U\004\003\f\026DMTF libspdm ECP384 CA0\036\027\r230420011354Z\027\r330417011354Z0!1\037\060\035\006\003U\004\003\f\026DMTF libspdm ECP384 CA0v0\020\006\a*\206H\316=\002\001\006\005+\201\004", cert_size=472,
ca_cert=0x84a690 "0\202\001\324\060\202\001Z\240\003\002\001\002\002\024!A\335N\354\370\031b$.~֮d\313)]ĐQ0\n\006\b*\206H\316=\004\003\003\060!1\037\060\035\006\003U\004\003\f\026DMTF libspdm ECP384 CA0\036\027\r230420011354Z\027\r330417011354Z0!1\037\060\035\006\003U\004\003\f\026DMTF libspdm ECP384 CA0v0\020\006\a*\206H\316=\002\001\006\005+\201\004", ca_cert_size=472)
at /home/akallank/spdm-emu/libspdm/os_stub/cryptlib_openssl/pk/x509.c:1940
#6 0x000000000048ad14 in libspdm_x509_verify_cert_chain (
root_cert=0x84a690 "0\202\001\324\060\202\001Z\240\003\002\001\002\002\024!A\335N\354\370\031b$.~֮d\313)]ĐQ0\n\006\b*\206H\316=\004\003\003\060!1\037\060\035\006\003U\004\003\f\026DMTF libspdm ECP384 CA0\036\027\r230420011354Z\027\r330417011354Z0!1\037\060\035\006\003U\004\003\f\026DMTF libspdm ECP384 CA0v0\020\006\a*\206H\316=\002\001\006\005+\201\004", root_cert_length=472,
cert_chain=0x84a690 "0\202\001\324\060\202\001Z\240\003\002\001\002\002\024!A\335N\354\370\031b$.~֮d\313)]ĐQ0\n\006\b*\206H\316=\004\003\003\060!1\037\060\035\006\003U\004\003\f\026DMTF libspdm ECP384 CA0\036\027\r230420011354Z\027\r330417011354Z0!1\037\060\035\006\003U\004\003\f\026DMTF libspdm ECP384 CA0v0\020\006\a*\206H\316=\002\001\006\005+\201\004", cert_chain_length=1539)
at /home/akallank/spdm-emu/libspdm/os_stub/cryptlib_openssl/pk/x509.c:2127
#7 0x000000000049248c in libspdm_verify_cert_chain_data (
cert_chain_data=0x84a690 "0\202\001\324\060\202\001Z\240\003\002\001\002\002\024!A\335N\354\370\031b$.~֮d\313)]ĐQ0\n\006\b*\206H\316=\004\003\003\060!1\037\060\035\006\003U\004\003\f\026DMTF libspdm ECP384 CA0\036\027\r230420011354Z\027\r330417011354Z0!1\037\060\035\006\003U\004\003\f\026DMTF libspdm ECP384 CA0v0\020\006\a*\206H\316=\002\001\006\005+\201\004", cert_chain_data_size=1539,
base_asym_algo=128, base_hash_algo=2, is_requester_cert=false, is_device_cert_model=true)
at /home/akallank/spdm-emu/libspdm/library/spdm_crypt_lib/libspdm_crypt_cert.c:1622
#8 0x000000000049c998 in libspdm_read_responder_public_certificate_chain (base_hash_algo=2, base_asym_algo=128,
data=0x7fffffffd9e8, size=0x7fffffffd9d8, hash=0x0, hash_size=0x0)
at /home/akallank/spdm-emu/libspdm/os_stub/spdm_device_secret_lib_sample/cert.c:455
#9 0x0000000000468d59 in spdm_server_connection_state_callback (spdm_context=0x82f6b0,
connection_state=LIBSPDM_CONNECTION_STATE_NEGOTIATED)
at /home/akallank/spdm-emu/spdm_emu/spdm_responder_emu/spdm_responder_spdm.c:406
#10 0x0000000000470951 in libspdm_trigger_connection_state_callback (spdm_context=0x82f6b0, connection_state=LIBSPDM_CONNECTION_STATE_NEGOTIATED) at /home/akallank/spdm-emu/libspdm/library/spdm_responder_lib/libspdm_rsp_receive_send.c:364
#11 0x0000000000470994 in libspdm_set_connection_state (spdm_context=0x82f6b0, connection_state=LIBSPDM_CONNECTION_STATE_NEGOTIATED) at /home/akallank/spdm-emu/libspdm/library/spdm_responder_lib/libspdm_rsp_receive_send.c:380
#12 0x0000000000476234 in libspdm_get_response_algorithms (spdm_context=0x82f6b0, request_size=48, request=0x837080, response_size=0x7fffffffdc50, response=0x835e40) at /home/akallank/spdm-emu/libspdm/library/spdm_responder_lib/libspdm_rsp_algorithms.c:870
#13 0x0000000000470fed in libspdm_build_response (spdm_context=0x82f6b0, session_id=0x0, is_app_message=false, response_size=0x7fffffffdd18, response=0x7fffffffdd20) at /home/akallank/spdm-emu/libspdm/library/spdm_responder_lib/libspdm_rsp_receive_send.c:605
#14 0x000000000046eef3 in libspdm_responder_dispatch_message (spdm_context=0x82f6b0) at /home/akallank/spdm-emu/libspdm/library/spdm_responder_lib/libspdm_rsp_communication.c:68
#15 0x000000000046961e in platform_server (socket=4) at /home/akallank/spdm-emu/spdm_emu/spdm_responder_emu/spdm_responder_emu.c:33
#16 0x0000000000469aa1 in platform_server_routine (port_number=2323) at /home/akallank/spdm-emu/spdm_emu/spdm_responder_emu/spdm_responder_emu.c:217
#17 0x0000000000469bc3 in main (argc=1, argv=0x7fffffffdf38) at /home/akallank/spdm-emu/spdm_emu/spdm_responder_emu/spdm_responder_emu.c:257
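An added example, not part of the thread or of libspdm: the gdb dump above shows the chain buffer starting with 30 82 01 d4, a DER SEQUENCE of 0x1d4 = 468 content bytes, which with its 4-byte header gives the cert_size=472 seen in frame #5. The sketch below walks a concatenated DER chain the same way, so a loaded buffer can be checked for well-formedness before suspecting the verifier; the function names and the sample buffer are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Size of the DER element at p (header + content), or 0 if the header is
 * malformed or the element does not fit in the remaining bytes. */
static size_t der_element_size(const uint8_t *p, size_t remaining)
{
    size_t len, hdr = 2;
    if (remaining < 2 || p[0] != 0x30)      /* each certificate is a SEQUENCE */
        return 0;
    if (p[1] < 0x80) {
        len = p[1];                         /* short-form length */
    } else {
        size_t n = p[1] & 0x7f;             /* long form: n length octets */
        if (n == 0 || n > 4 || remaining < 2 + n)
            return 0;                       /* indefinite or oversized length */
        len = 0;
        for (size_t i = 0; i < n; i++)
            len = (len << 8) | p[2 + i];
        hdr += n;
    }
    return (len <= remaining - hdr) ? hdr + len : 0;
}

/* Walk a concatenated DER chain and record each certificate size.
 * Returns the certificate count, or -1 on malformed or truncated data. */
int split_cert_chain(const uint8_t *chain, size_t chain_len,
                     size_t *sizes, int max_certs)
{
    size_t off = 0;
    int count = 0;
    while (off < chain_len) {
        size_t sz = der_element_size(chain + off, chain_len - off);
        if (sz == 0 || count == max_certs)
            return -1;
        sizes[count++] = sz;
        off += sz;
    }
    return count;
}

/* Constructed sample: the 30 82 01 d4 header from the dump with a zero-filled
 * body, followed by one short-form element (not real certificates). */
int demo(size_t *sizes)
{
    static uint8_t buf[472 + 5] = { 0x30, 0x82, 0x01, 0xd4 };
    buf[472] = 0x30;
    buf[473] = 0x03;
    return split_cert_chain(buf, sizeof(buf), sizes, 4);
}

int main(void)
{
    size_t sizes[4];
    int n = demo(sizes);
    printf("certs=%d first=%zu\n", n, sizes[0]);
    return 0;
}
```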
Hi @AnanyaKallankudlu. I am trying to install OpenSSL on my Windows machine.
But I find the Windows machine already has OpenSSL, actually.
https://stackoverflow.com/questions/50625283/how-to-install-openssl-in-windows-10
C:\Program Files\Git\usr\bin\openssl.exe
Please don't install the OpenSSL again and don't set the environment variables. Just try the emu. Thanks.
Hi @Wenxing-hou, thanks a lot for your response. I was creating a Visual C++ project using libspdm and had wrongly linked with cryptstublib_dummy.lib in addition to cryptlib_openssl.lib. I removed the stub library and certificate verification is proceeding fine. Sorry for the trouble. Thanks
When running the spdm_responder_emu on Ubuntu Linux, there is no issue (I have not used any specific option, all default options, using the certificates provided in the libspdm repository). When the same spdm_responder_emu is executed on Windows, certificate verification fails with the following log:
!!! VerifyCertificateChainData - FAIL (cert chain verify failed)!!!
The certificate that gets picked up is ecp384/bundle_responder.certchain.der
The OpenSSL version on Ubuntu is 3.0.2. I had first installed OpenSSL 3.0.9 on Windows, then tried with 3.0.2. I have even generated the certificates freshly on Windows:
set OPENSSL_HOME=C:\openssl-3.0.2\
set OPENSSL_CONF=%OPENSSL_HOME%\apps\openssl.cnf
auto_gen_cert.sh
Am I missing something?