This test case will read Shorter1024B_bundle_responder.certchain.der.
But it fails at SpdmVerifyCertificateBuffer(), because mbedTLS x509_crt_parse_der_core() needs to check the issuer name:

    if( ( ret = mbedtls_x509_get_name( &p, p + len, &crt->issuer ) ) != 0 )
    {
        mbedtls_x509_crt_free( crt );
        return( ret );
    }
    crt->issuer_raw.len = p - crt->issuer_raw.p;

The cert dump is below. It also used an unsupported RSA768 algorithm.

    jyao1@jyao1-MOBL:~/openspdm/openspdm/OsTest/TestKey/LongChains$ openssl x509 -in Shorter1024B_bundle_responder.certchain.der -inform der -noout -text
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                22:9b:92:51:3c:53:7b:9a:5c:7b:24:1d:5c:21:f8:ce:8e:57:ca:87
            Signature Algorithm: sha256WithRSAEncryption
            Issuer:
            Validity
                Not Before: Nov 18 18:48:08 2020 GMT
                Not After : Nov 16 18:48:08 2030 GMT
            Subject:
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    RSA Public-Key: (768 bit)
                    Modulus:
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Subject Key Identifier:
                    D8:D1:6E:C5:7E:C7:F0:2A:7C:88:97:78:BD:06:70:2F:81:EF:07:1F
                X509v3 Authority Key Identifier:
                    keyid:D8:D1:6E:C5:7E:C7:F0:2A:7C:88:97:78:BD:06:70:2F:81:EF:07:1F
                X509v3 Basic Constraints: critical
                    CA:TRUE
        Signature Algorithm: sha256WithRSAEncryption
[Recommendation]
Test case fix:
Please use RSA2048 at least.
Please give issuer name.
Please test with MbedTls.
See test case failure https://github.com/jyao1/openspdm/issues/91.
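
A pre-flight check for the two problems reported above (empty issuer name, RSA key below 2048 bits), as an added example that is not part of the original issue or of openspdm. The names `parse_tlvs`, `check_cert`, `der_tlv` and `sample_cert` are hypothetical, and the sample certificates are constructed, unsigned skeletons; only the first certificate in the buffer is inspected.

```python
# Added example: stdlib-only check of a DER test certificate before it joins a test corpus.
RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption, 1.2.840.113549.1.1.1
MIN_RSA_BITS = 2048                            # minimum taken from the recommendation above

def parse_tlvs(buf):
    """Split DER bytes into a list of (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                      # long-form length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > len(buf):
            raise ValueError("truncated DER")
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def check_cert(der):
    """Return the problems found in the first certificate in der."""
    problems = []
    tbs = parse_tlvs(parse_tlvs(parse_tlvs(der)[0][1])[0][1])  # TBSCertificate fields
    if tbs[0][0] == 0xA0:                      # drop the optional [0] version field
        tbs = tbs[1:]
    # Remaining order: serial, sigAlg, issuer, validity, subject, SPKI
    issuer, spki = tbs[2][1], parse_tlvs(tbs[5][1])
    if not issuer:
        problems.append("empty issuer name")
    alg_oid, key_bits = parse_tlvs(spki[0][1])[0][1], spki[1][1]
    if alg_oid == RSA_OID:
        modulus = parse_tlvs(parse_tlvs(key_bits[1:])[0][1])[0][1]  # skip unused-bits octet
        bits = int.from_bytes(modulus, "big").bit_length()
        if bits < MIN_RSA_BITS:
            problems.append(f"RSA key is {bits} bits, minimum is {MIN_RSA_BITS}")
    return problems

def der_tlv(tag, body=b""):
    """Encode one DER TLV; used only to build the constructed sample below."""
    n, k = len(body), (len(body).bit_length() + 7) // 8
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")) + body

def sample_cert(issuer, rsa_bits):
    """Constructed, unsigned certificate skeleton; demo input, not a real certificate."""
    n = b"\x00" + ((1 << (rsa_bits - 1)) | 1).to_bytes(rsa_bits // 8, "big")
    key = der_tlv(0x03, b"\x00" + der_tlv(0x30, der_tlv(0x02, n) + der_tlv(0x02, b"\x01\x00\x01")))
    spki = der_tlv(0x30, der_tlv(0x30, der_tlv(0x06, RSA_OID) + der_tlv(0x05)) + key)
    tbs = [der_tlv(0xA0, der_tlv(0x02, b"\x02")), der_tlv(0x02, b"\x01"), der_tlv(0x30),
           der_tlv(0x30, issuer), der_tlv(0x30), der_tlv(0x30), spki]
    return der_tlv(0x30, der_tlv(0x30, b"".join(tbs)) + der_tlv(0x30) + der_tlv(0x03, b"\x00"))
```

For a file on disk, pass its bytes to `check_cert()`; an empty list means neither problem was found.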