-
Notifications
You must be signed in to change notification settings - Fork 99
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add length check when traverse certchain in libspdm_x509_verify_cert_chain #2701
Comments
This is a case where the |
Yes, or maybe there are gaps between certificates in the certificate chain, this function will stop before the gap and could also return true without traversing all the certificates down.
Yes, I think it should be an error. |
Agree. If cert chain length is X, but only size Y (where Y < X) is parsed, then it should be treated as an error. |
And before calling libspdm_x509_verify_cert(), it should also check if current cert exceeds the end of certchain libspdm/os_stub/cryptlib_mbedtls/pk/x509.c Lines 718 to 727 in ddfd7a1
|
@rw8896 are you interested in adding this check? |
Sure, will do. |
Resolve DMTF#2701 Signed-off-by: Ray Wang <[email protected]>
Resolve #2701 Signed-off-by: Ray Wang <[email protected]>
libspdm_x509_verify_cert_chain() assumes the input certchain is "One or more ASN.1 DER-encoded X.509 certificates" but it didn't traverse the whole certchain with the code below.
libspdm/os_stub/cryptlib_mbedtls/pk/x509.c
Lines 711 to 716 in ddfd7a1
Should it add more check to make sure there is no more data left unchecked? E.g.
if (ret != 0) {
if (current_cert < cert_chain + cert_chain_length)
verify_flag = false;
break;
}
The text was updated successfully, but these errors were encountered: