chipsalliance / caliptra-dpe

High level module that implements DPE and defines high-level traits that are used to communicate with the crypto peripherals and PCRs
Apache License 2.0

Check certificates against zlint. #74

Closed zhalvorsen closed 7 months ago

zhalvorsen commented 1 year ago

We should check our certificates against zlint to make sure we are constructing the certificates correctly.

chrisfenner commented 1 year ago

We could use this bug to track the following fixes in #75:

    verification_test.go:329: [ERROR] RFC5280: Certificates valid through the year 2049 MUST be encoded in UTC time (RFC 5280: 4.1.2.5)
    verification_test.go:329: [WARN] RFC5280: Sub certificates SHOULD include Subject Key Identifier in end entity certs (RFC 5280: 4.2 & 4.2.1.2)
    verification_test.go:329: [ERROR] RFC5280: CAs must support key identifiers and include them in all certificates (RFC 5280: 4.2 & 4.2.1.1)
    verification_test.go:329: [ERROR] RFC5280: CAs must include keyIdentifer field of AKI in all non-self-issued certificates (RFC 5280: 4.2.1.1)

jhand2 commented 1 year ago

3 & 4 should be solved by https://github.com/chipsalliance/caliptra-dpe/issues/80

jhand2 commented 1 year ago

Note that there are still a few errors picked up by the linter. We should try to fix these and then make the linter check fail the test.
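
The SKI and AKI findings quoted in the thread can be reproduced with Go's standard library alone. This is an added example, not code from caliptra-dpe or zlint: `LintKeyIDs`, `Sample`, the certificate names and the key identifier bytes are all constructed for illustration. A non-empty result is what a test would fail on once the linter check is made blocking.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// LintKeyIDs returns SKI/AKI findings; only self-issued certs may omit the AKI keyIdentifier.
func LintKeyIDs(c *x509.Certificate) (out []string) {
	if len(c.SubjectKeyId) == 0 {
		out = append(out, "missing Subject Key Identifier (RFC 5280 4.2.1.2)")
	}
	if !bytes.Equal(c.RawIssuer, c.RawSubject) && len(c.AuthorityKeyId) == 0 {
		out = append(out, "missing AKI keyIdentifier (RFC 5280 4.2.1.1)")
	}
	return out
}

// Sample issues a constructed leaf from a constructed CA template; withIDs populates SKI and AKI.
func Sample(withIDs bool) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	ca := &x509.Certificate{Subject: pkix.Name{CommonName: "constructed CA"}}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Hour), Subject: pkix.Name{CommonName: "constructed leaf"}}
	if withIDs {
		ca.SubjectKeyId, leaf.SubjectKeyId = []byte{1, 2, 3, 4}, []byte{5, 6, 7, 8}
	}
	der, err := x509.CreateCertificate(rand.Reader, leaf, ca, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	for _, withIDs := range []bool{false, true} {
		if c, err := Sample(withIDs); err == nil {
			fmt.Println(withIDs, LintKeyIDs(c))
		}
	}
}
```

`x509.CreateCertificate` copies the parent's `SubjectKeyId` into the child's AKI keyIdentifier, so a parent without an SKI silently yields a child without an AKI.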