Always include authority key identifier and subject key identifier

chipsalliance · Jan 24, 2025 · b39178f · b39178f
1 parent fa2d61f
commit b39178f
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 16 deletions.
diff --git a/dpe/src/x509.rs b/dpe/src/x509.rs
@@ -511,7 +511,7 @@ impl CertWriter<'_> {
         tagged: bool,
         is_x509: bool,
     ) -> Result<usize, DpeErrorCode> {
-        if !measurements.is_ca || !is_x509 {
+        if !is_x509 {
             return Ok(0);
         }
         let aki_size = Self::get_key_identifier_size(
@@ -1597,7 +1597,7 @@ impl CertWriter<'_> {
         measurements: &MeasurementData,
         is_x509: bool,
     ) -> Result<usize, DpeErrorCode> {
-        if !measurements.is_ca || !is_x509 {
+        if !is_x509 {
             return Ok(0);
         }
 
@@ -2975,9 +2975,6 @@ pub(crate) mod tests {
         }
 
         match cert.get_extension_unique(&oid!(2.5.29 .35)) {
-            Ok(Some(_)) => {
-                panic!("authority key identifier extensions found for non CA certificate")
-            }
             Err(_) => panic!("multiple authority key identifier extensions found"),
             _ => (),
         }

diff --git a/verification/testing/certifyKey.go b/verification/testing/certifyKey.go
@@ -421,15 +421,11 @@ func checkCertifyKeyAuthorityKeyIdentifierExtension(t *testing.T, extensions []p
 	if err != nil {
 		t.Errorf("[ERROR]: Failed to retrieve AuthorityKeyIdentifier extension: %v", err)
 	}
-	if ca {
-		if aki.KeyIdentifier == nil {
-			t.Fatal("[ERROR]: The certificate is a CA but the AuthorityKeyIdentifier extension is not present.")
-		}
-		if !reflect.DeepEqual(aki.KeyIdentifier, IssuerSki) {
-			t.Errorf("[ERROR]: The value of the authority key identifier %v is not equal to the issuer's subject key identifier %v", aki, IssuerSki)
-		}
-	} else if !ca && aki.KeyIdentifier != nil {
-		t.Errorf("[ERROR]: The certificate is not a CA but the AuthorityKeyIdentifier extension is present.")
+	if aki.KeyIdentifier == nil {
+		t.Fatal("[ERROR]: The certificate is a CA but the AuthorityKeyIdentifier extension is not present.")
+	}
+	if !reflect.DeepEqual(aki.KeyIdentifier, IssuerSki) {
+		t.Errorf("[ERROR]: The value of the authority key identifier %v is not equal to the issuer's subject key identifier %v", aki, IssuerSki)
 	}
 }
 
@@ -490,8 +486,6 @@ func checkCertificateStructure(t *testing.T, certBytes []byte) *x509.Certificate
 			// We will need to truncate the serial numbers for those certs and
 			// then enable this lint.
 			"e_subject_dn_serial_number_max_length",
-			// CertifKey does not support CA certificates.
-			"e_ext_authority_key_identifier_no_key_identifier",
 			// subject key identifiers are optional in leaf certificates.
 			"w_ext_subject_key_identifier_missing_sub_cert",
 		},