From f40d484ad3daa19962746e4d292b5238649b9fc0 Mon Sep 17 00:00:00 2001 From: Wenxing Hou Date: Mon, 4 Mar 2024 09:39:24 +0800 Subject: [PATCH 1/2] Fix openssl verify cert Fix the issue: #2588 Signed-off-by: Wenxing Hou --- os_stub/cryptlib_openssl/internal_crypt_lib.h | 3 +- os_stub/cryptlib_openssl/pk/x509.c | 30 +++++++++++++++++++ 2 files changed, 32 insertions(+), 1 deletion(-) diff --git a/os_stub/cryptlib_openssl/internal_crypt_lib.h b/os_stub/cryptlib_openssl/internal_crypt_lib.h index 6077987febf..d7a4fdf3cb6 100644 --- a/os_stub/cryptlib_openssl/internal_crypt_lib.h +++ b/os_stub/cryptlib_openssl/internal_crypt_lib.h @@ -1,6 +1,6 @@ /** * Copyright Notice: - * Copyright 2021-2022 DMTF. All rights reserved. + * Copyright 2021-2024 DMTF. All rights reserved. * License: BSD 3-Clause License. For full text see link: https://github.com/DMTF/libspdm/blob/main/LICENSE.md **/ @@ -16,6 +16,7 @@ #include "library/malloclib.h" #include "library/debuglib.h" #include "library/cryptlib.h" +#include "library/spdm_crypt_lib.h" #include "crt_support.h" diff --git a/os_stub/cryptlib_openssl/pk/x509.c b/os_stub/cryptlib_openssl/pk/x509.c index e6628fea0ac..b0881520837 100644 --- a/os_stub/cryptlib_openssl/pk/x509.c +++ b/os_stub/cryptlib_openssl/pk/x509.c @@ -2033,6 +2033,11 @@ bool libspdm_x509_verify_cert_chain(const uint8_t *root_cert, size_t root_cert_l size_t preceding_cert_len; bool verify_flag; int32_t ret; + uint8_t *root_ptr; + uint8_t *chain_ptr; + size_t root_obj_len; + size_t chain_obj_len; + uint8_t *end; preceding_cert = root_cert; preceding_cert_len = root_cert_length; 
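Review bot: The added `#include "library/spdm_crypt_lib.h"` makes the OpenSSL backend's shared internal header depend on the SPDM crypt layer, which in this tree appears to be the layer that wraps cryptlib rather than one it sits on; if so this is a layering inversion and deserves a one-line justification, e.g. `/* for libspdm_asn1_get_tag / libspdm_is_root_certificate used by pk/x509.c (#2588) */`. Since pk/x509.c is the only translation unit in this patch that appears to use those helpers, moving the include there would keep the shared header free of the upward dependency.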
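Review bot: `root_ptr`, `chain_ptr` and `end` are declared as non-const `uint8_t *` even though they only ever point into the `const uint8_t *` inputs `root_cert` and `cert_chain`, which is what forces the const-stripping `(uint8_t*)(size_t)` casts in the following hunk. `end` is only compared against and passed as a bound, so `const uint8_t *end;` should work provided `libspdm_asn1_get_tag` accepts a const end pointer; if that helper's `uint8_t **` first parameter is the only reason the other two stay non-const, a comment on the declarations saying so (`/* non-const only because libspdm_asn1_get_tag takes uint8_t ** */`) would stop a later reader from "fixing" them. libspdm_x509_verify_cert_chain begins and ends outside this hunk.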
@@ -2041,6 +2046,31 @@ bool libspdm_x509_verify_cert_chain(const uint8_t *root_cert, size_t root_cert_l length = 0; current_cert_len = 0; + root_ptr = (uint8_t*)(size_t)root_cert; + end = root_ptr + root_cert_length; + verify_flag = libspdm_asn1_get_tag( + &root_ptr, end, &root_obj_len, + LIBSPDM_CRYPTO_ASN1_SEQUENCE | LIBSPDM_CRYPTO_ASN1_CONSTRUCTED); + if (!verify_flag) { + return false; + } + + chain_ptr = (uint8_t*)(size_t)cert_chain; + end = chain_ptr + cert_chain_length; + verify_flag = libspdm_asn1_get_tag( + &chain_ptr, end, &chain_obj_len, + LIBSPDM_CRYPTO_ASN1_SEQUENCE | LIBSPDM_CRYPTO_ASN1_CONSTRUCTED); + if (!verify_flag) { + return false; + } + + /*only self_signed cert is accepted when these two cert are same*/ + if ((chain_obj_len == root_obj_len) && + (libspdm_consttime_is_mem_equal(root_ptr, chain_ptr, root_obj_len)) && + (!libspdm_is_root_certificate(root_cert, root_cert_length))) { + return false; + } + verify_flag = false; while (true) { tmp_ptr = current_cert; From a021b48e0ba30da06be2aea6c3da2ceff50b15af Mon Sep 17 00:00:00 2001 From: Wenxing Hou Date: Mon, 4 Mar 2024 09:40:21 +0800 Subject: [PATCH 2/2] Add unit_test for openssl verify cert Signed-off-by: Wenxing Hou --- unit_test/test_crypt/x509_verify.c | 49 ++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) diff --git a/unit_test/test_crypt/x509_verify.c b/unit_test/test_crypt/x509_verify.c index 07606efa6dd..7c15a4560ec 100644 --- a/unit_test/test_crypt/x509_verify.c +++ b/unit_test/test_crypt/x509_verify.c 
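Review bot: `libspdm_consttime_is_mem_equal(root_ptr, chain_ptr, root_obj_len)` reads `root_obj_len` bytes from both buffers, but nothing in this hunk checks that the length returned by `libspdm_asn1_get_tag` fits inside the buffer it was parsed from, so unless that helper already rejects a length that runs past `end` (not visible here), a certificate whose outer SEQUENCE length field exceeds `root_cert_length` or `cert_chain_length` makes the comparison read beyond the input. If the helper does not bound it, add `if ((size_t)(end - root_ptr) < root_obj_len) { return false; }` directly after the first call (before `end` is reassigned for the chain) and the mirror check for `chain_ptr`/`chain_obj_len` after the second. The comment `/*only self_signed cert is accepted when these two cert are same*/` would read better as `/* cert_chain begins with a byte-identical copy of root_cert, i.e. a single self-signed cert; accept it only if root_cert passes libspdm_is_root_certificate (#2588). */`, and the `(uint8_t*)(size_t)` casts should go through `uintptr_t`, the integer type guaranteed to round-trip a pointer. libspdm_x509_verify_cert_chain begins and ends outside this hunk.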
@@ -172,6 +172,55 @@ bool libspdm_validate_crypt_x509(char *Path, size_t len) libspdm_my_print("[Pass]\n"); } + LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, + "- X509 Certificate CA cert verify itself Verification ... ")); + status = libspdm_x509_verify_cert_chain((const uint8_t *)test_ca_cert, test_ca_cert_len, + (const uint8_t *)test_ca_cert, + test_ca_cert_len); + if (!status) { + libspdm_my_print("[Fail]\n"); + goto cleanup; + } else { + libspdm_my_print("[Pass]\n"); + } + + LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, + "- X509 Certificate CA cert verify itself Verification with large cert len")); + status = libspdm_x509_verify_cert_chain((const uint8_t *)test_ca_cert, test_ca_cert_len, + (const uint8_t *)test_ca_cert, + test_ca_cert_len + 1); + if (!status) { + libspdm_my_print("[Fail]\n"); + goto cleanup; + } else { + libspdm_my_print("[Pass]\n"); + } + + LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, + "- X509 Certificate end cert verify itself Verification ... ")); + status = libspdm_x509_verify_cert_chain((const uint8_t *)test_end_cert, test_end_cert_len, + (const uint8_t *)test_end_cert, + test_end_cert_len); + if (status) { + libspdm_my_print("[Fail]\n"); + goto cleanup; + } else { + libspdm_my_print("[Pass]\n"); + } + + LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, + "- X509 Certificate end cert verify itself Verification with large cert len")); + status = libspdm_x509_verify_cert_chain((const uint8_t *)test_end_cert, test_end_cert_len, + (const uint8_t *)test_end_cert, + test_end_cert_len + 1); + if (status) { + libspdm_my_print("[Fail]\n"); + goto cleanup; + } else { + libspdm_my_print("[Pass]\n"); + } + + /* X509 Get leaf certificate from cert_chain Verificate*/ LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "- X509 Certificate Chain get leaf certificate Verification ... "));
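Review bot: The two "large cert len" cases pass `test_ca_cert_len + 1` and `test_end_cert_len + 1` as `cert_chain_length`, telling the verifier the buffer extends one byte past the certificate data; if `test_ca_cert` and `test_end_cert` are allocated to exactly their length (their loading is outside this hunk), any parse that walks to the end of the chain touches memory outside the allocation, so the test itself performs an out-of-bounds read that a sanitizer build would report. Allocating those test buffers with a byte of slack, or passing a padded copy, keeps the case while making it memory-safe. The CA "+1" case also expects Pass, which quietly pins down that trailing bytes after the last DER object are tolerated; a comment such as `/* trailing bytes after the last certificate are ignored; chain must still verify */` would make that contract explicit. The second and fourth debug strings also lack the trailing ` ... ` the other cases print before [Pass]/[Fail]. libspdm_validate_crypt_x509 begins and ends outside this hunk.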