DMTF · jyao1 · Mar 7, 2024 · Mar 4, 2024 · Mar 4, 2024
@@ -1,6 +1,6 @@
 /**
  *  Copyright Notice:
- *  Copyright 2021-2022 DMTF. All rights reserved.
+ *  Copyright 2021-2024 DMTF. All rights reserved.
  *  License: BSD 3-Clause License. For full text see link: https://github.com/DMTF/libspdm/blob/main/LICENSE.md
  **/
 
@@ -16,6 +16,7 @@
 #include "library/malloclib.h"
 #include "library/debuglib.h"
 #include "library/cryptlib.h"
+#include "library/spdm_crypt_lib.h"
 
 #include "crt_support.h"
 

@@ -2033,6 +2033,11 @@ bool libspdm_x509_verify_cert_chain(const uint8_t *root_cert, size_t root_cert_l
     size_t preceding_cert_len;
     bool verify_flag;
     int32_t ret;
+    uint8_t *root_ptr;
+    uint8_t *chain_ptr;
+    size_t root_obj_len;
+    size_t chain_obj_len;
+    uint8_t *end;
 
     preceding_cert = root_cert;
     preceding_cert_len = root_cert_length;
@@ -2041,6 +2046,31 @@ bool libspdm_x509_verify_cert_chain(const uint8_t *root_cert, size_t root_cert_l
     length = 0;
     current_cert_len = 0;
 
+    root_ptr = (uint8_t*)(size_t)root_cert;
+    end = root_ptr + root_cert_length;
+    verify_flag = libspdm_asn1_get_tag(
+        &root_ptr, end, &root_obj_len,
+        LIBSPDM_CRYPTO_ASN1_SEQUENCE | LIBSPDM_CRYPTO_ASN1_CONSTRUCTED);
+    if (!verify_flag) {
+        return false;
+    }
+
+    chain_ptr = (uint8_t*)(size_t)cert_chain;
+    end = chain_ptr + cert_chain_length;
+    verify_flag = libspdm_asn1_get_tag(
+        &chain_ptr, end, &chain_obj_len,
+        LIBSPDM_CRYPTO_ASN1_SEQUENCE | LIBSPDM_CRYPTO_ASN1_CONSTRUCTED);
+    if (!verify_flag) {
+        return false;
+    }
+
+    /*only self_signed cert is accepted when these two cert are same*/
+    if ((chain_obj_len == root_obj_len) &&
+        (libspdm_consttime_is_mem_equal(root_ptr, chain_ptr, root_obj_len)) &&
+        (!libspdm_is_root_certificate(root_cert, root_cert_length))) {
+        return false;
+    }
+
     verify_flag = false;
     while (true) {
         tmp_ptr = current_cert;

@@ -172,6 +172,55 @@ bool libspdm_validate_crypt_x509(char *Path, size_t len)
         libspdm_my_print("[Pass]\n");
     }
 
+    LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO,
+                   "- X509 Certificate CA cert verify itself Verification ... "));
+    status = libspdm_x509_verify_cert_chain((const uint8_t *)test_ca_cert, test_ca_cert_len,
+                                            (const uint8_t *)test_ca_cert,
+                                            test_ca_cert_len);
+    if (!status) {
+        libspdm_my_print("[Fail]\n");
+        goto cleanup;
+    } else {
+        libspdm_my_print("[Pass]\n");
+    }
+
+    LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO,
+                   "- X509 Certificate CA cert verify itself Verification with large cert len"));
+    status = libspdm_x509_verify_cert_chain((const uint8_t *)test_ca_cert, test_ca_cert_len,
+                                            (const uint8_t *)test_ca_cert,
+                                            test_ca_cert_len + 1);
+    if (!status) {
+        libspdm_my_print("[Fail]\n");
+        goto cleanup;
+    } else {
+        libspdm_my_print("[Pass]\n");
+    }
+
+    LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO,
+                   "- X509 Certificate end cert verify itself Verification ... "));
+    status = libspdm_x509_verify_cert_chain((const uint8_t *)test_end_cert, test_end_cert_len,
+                                            (const uint8_t *)test_end_cert,
+                                            test_end_cert_len);
+    if (status) {
+        libspdm_my_print("[Fail]\n");
+        goto cleanup;
+    } else {
+        libspdm_my_print("[Pass]\n");
+    }
+
+    LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO,
+                   "- X509 Certificate end cert verify itself Verification with large cert len"));
+    status = libspdm_x509_verify_cert_chain((const uint8_t *)test_end_cert, test_end_cert_len,
+                                            (const uint8_t *)test_end_cert,
+                                            test_end_cert_len + 1);
+    if (status) {
+        libspdm_my_print("[Fail]\n");
+        goto cleanup;
+    } else {
+        libspdm_my_print("[Pass]\n");
+    }
+
+
     /* X509 Get leaf certificate from cert_chain Verificate*/
     LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO,
                    "- X509 Certificate Chain get leaf certificate Verification ... "));