Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add length check when traverse certchain in libspdm_x509_verify_cert_chain #2701

Closed
rw8896 opened this issue May 15, 2024 · 6 comments · Fixed by #2718
Closed

Add length check when traverse certchain in libspdm_x509_verify_cert_chain #2701

rw8896 opened this issue May 15, 2024 · 6 comments · Fixed by #2718
Assignees
@rw8896
Labels
enhancement New feature or request

Comments

@rw8896
Copy link
Contributor

rw8896 commented May 15, 2024

libspdm_x509_verify_cert_chain() assumes the input certchain is "One or more ASN.1 DER-encoded X.509 certificates" but it didn't traverse the whole certchain with the code below.

libspdm/os_stub/cryptlib_mbedtls/pk/x509.c

Lines 711 to 716 in ddfd7a1

ret = mbedtls_asn1_get_tag(
&tmp_ptr, cert_chain + cert_chain_length, &asn1_len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
if (ret != 0) {
break;
}

Should it add more check to make sure there is no more data left unchecked? E.g.

if (ret != 0) {
if (current_cert < cert_chain + cert_chain_length)
verify_flag = false;
break;
}
@steven-bellock
Copy link
Contributor

This is a case where the length field in the SPDM Certificate Chain Struct says the size of the certificate chain is X, but when the certificate chain is actually parsed the value is Y, where Y < X? And if that happens then that is considered an error? If we can't come up with any good reason why that should be allowed, then yeah, seems like an OK check.

@rw8896
Copy link
Contributor Author

rw8896 commented May 16, 2024

This is a case where the length field in the SPDM Certificate Chain Struct says the size of the certificate chain is X, but when the certificate chain is actually parsed the value is Y, where Y < X?

Yes, or maybe there are gaps between certificates in the certificate chain, this function will stop before the gap and could also return true without traversing all the certificates down.

And if that happens then that is considered an error?

Yes, I think it should be an error.

@jyao1
Copy link
Member

jyao1 commented May 20, 2024

Agree. If cert chain length is X, but only size Y (where Y < X) is parsed, then it should be treated as an error.

@steven-bellock steven-bellock added the enhancement New feature or request label May 20, 2024
@rw8896
Copy link
Contributor Author

rw8896 commented May 22, 2024

And before calling libspdm_x509_verify_cert(), it should also check if current cert exceeds the end of certchain
if (current_cert + libspdm_x509_verify_cert > cert_chain + cert_chain_length)

libspdm/os_stub/cryptlib_mbedtls/pk/x509.c

Lines 718 to 727 in ddfd7a1

current_cert_len = asn1_len + (tmp_ptr - current_cert);
if (libspdm_x509_verify_cert(current_cert, current_cert_len,
preceding_cert,
preceding_cert_len) == false) {
verify_flag = false;
break;
} else {
verify_flag = true;
}

@steven-bellock
Copy link
Contributor

@rw8896 are you interested in adding this check?

@rw8896
Copy link
Contributor Author

rw8896 commented May 31, 2024

Sure, will do.

rw8896 added a commit to rw8896/libspdm that referenced this issue Jun 3, 2024
@rw8896
Add length check during verify cert chain
217f5d3 
Resolve DMTF#2701
rw8896 added a commit to rw8896/libspdm that referenced this issue Jun 3, 2024
@rw8896
Add length check during verify cert chain
bdc82b8 
Resolve DMTF#2701
@rw8896 rw8896 mentioned this issue Jun 3, 2024
Merged
rw8896 added a commit to rw8896/libspdm that referenced this issue Jun 4, 2024
@rw8896
Add length check during verify cert chain
5fa1c90 
Resolve DMTF#2701
rw8896 added a commit to rw8896/libspdm that referenced this issue Jun 12, 2024
@rw8896
Add length check during verify cert chain
1efef79 
Resolve DMTF#2701
rw8896 added a commit to rw8896/libspdm that referenced this issue Jun 12, 2024
@rw8896
Add length check during verify cert chain
120bc6e 
Resolve DMTF#2701

Signed-off-by: Ray Wang <[email protected]>
jyao1 pushed a commit that referenced this issue Jun 13, 2024
@rw8896 @jyao1
Add length check during verify cert chain
076c740 
Resolve #2701

Signed-off-by: Ray Wang <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rw8896 rw8896

Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add length check during verify cert chain rw8896/libspdm
3 participants
@steven-bellock @jyao1 @rw8896