Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[RFC] Add an initial Open DICE profile implementation. #15

Merged
merged 2 commits into from
Jun 29, 2023
Merged

[RFC] Add an initial Open DICE profile implementation. #15

merged 2 commits into from
Jun 29, 2023

Conversation

setrofim
Copy link
Contributor

@setrofim setrofim commented Jun 9, 2023

Add an innitial implmentation of validaiton and evidence extraction of Open DICE profile certificate chains.

@setrofim
Copy link
Contributor Author

setrofim commented Jun 9, 2023

NOTE: This depends on COSE_Key implemented by veraison/go-cose#146 and cannot be merged until that has been integated into main and the dependencies have been adjusted accordingly.

@thomas-fossati thomas-fossati force-pushed the setrofim branch 5 times, most recently from cb18e25 to 559d045 Compare June 14, 2023 21:14
@SampoSovio
Copy link

Hi Sergei,

This looks good i have suggestion related to ExtractOpenDiceChainFromX509

You have following loop there:

for i, cert := range certs {
		var odCert OpenDiceX509CdiCert

		if err = odCert.PopulateFromX509Cert(cert); err != nil {
			return nil, fmt.Errorf(
				"cert at index %d does appear to match Open DICE profile: %w",
				i, err,
			)
		}
		if verify {
			if _, err = odCert.Verify(verifOpts); err != nil {
				return nil, fmt.Errorf(
					"failed to verify cert at index %d: %w",
					i, err,
				)
			}
			verifOpts.Intermediates.AddCert(&odCert.Certificate)
		}
		result = append(result, odCert.GetEntry())
	}
}

If i undestand this code properly you are validating beginning of chain again and again. I would suggest following optimization:

var leaf x509.Certificate
for i, cert := range certs {
	var odCert OpenDiceX509CdiCert

	if err = odCert.PopulateFromX509Cert(cert); err != nil {
		return nil, fmt.Errorf(
			"cert at index %d does appear to match Open DICE profile: %w",
			i, err,
		)
	}
	if verify {
		verifOpts.Intermediates.AddCert(&odCert.Certificate)
		if len(certs) > 0 && i == len(certs)-1 {
			leaf = odCert.Certificate
		}
	}
	result = append(result, odCert.GetEntry())
}
if verify {
	if _, err = leaf.Verify(verifOpts); err != nil {
		return nil, fmt.Errorf(
			"failed to verify cert: %w",
			err,
		)
	}
}

Following test passes: func Test_ExtractOpenDiceChainFromX509(t *testing.T)

If you change line 278 to be:

assert.EqualError(t, err, "failed to verify cert: x509: certificate signed by unknown authority")

@setrofim
Copy link
Contributor Author

Hi Sampo,

You're absolutely right, this was re-verifying the chain at each "segment". I've implemented your suggestion with a minor tweak. Thank you!

@setrofim
Rename "dice" to "tcg"
88fe7e8 
Rename the source files for the TCG DICE extension in preparation to
adding non-TCG related stuff.

Signed-off-by: Sergei Trofimov <sergei.trofimov@arm.com>
thomas-fossati
thomas-fossati approved these changes Jun 21, 2023
View reviewed changes
Copy link
Contributor

@thomas-fossati thomas-fossati left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@setrofim
Add Open DICE cert chains and TCB Info
181e204 
- Add validation and claim extraction for Open DICE X.509 and CBOR
  certificate chains.
- Add TCB into claim extension definition.

Signed-off-by: Sergei Trofimov <sergei.trofimov@arm.com>
@setrofim setrofim merged commit 767bbd6 into main Jun 29, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@thomas-fossati thomas-fossati thomas-fossati approved these changes

@yogeshbdeshpande yogeshbdeshpande Awaiting requested review from yogeshbdeshpande

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@setrofim @SampoSovio @thomas-fossati