arno/trezor-firmware
1
0
Fork 0
mirror of https://github.com/trezor/trezor-firmware.git synced 2025-07-20 13:38:11 +00:00
Code Issues Releases Wiki Activity

fixup! feat(core/prodtest): Check device certificate chain integrity using authority key identifier.

Browse Source
This commit is contained in:
Andrew Kozlik 2023-12-13 15:34:47 +01:00
parent 823982815a
commit a67cbcffc3
1 changed files with 37 additions and 49 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

86
core/embed/prodtest/optiga_prodtest.c
View File

@ -552,72 +552,60 @@ static const uint8_t ECDSA_WITH_SHA256[] = {
}; };
// clang-format on // clang-format on
static bool get_authority_key_digest(DER_ITEM *tbs_cert, static bool get_cert_extensions(DER_ITEM *tbs_cert, DER_ITEM *extensions) {
const uint8_t **authority_key_digest) {
// Find the certificate extensions in the tbsCertificate. // Find the certificate extensions in the tbsCertificate.
DER_ITEM cert_item = {0}; DER_ITEM cert_item = {0};
bool found = false;
while (der_read_item(&tbs_cert->buf, &cert_item)) { while (der_read_item(&tbs_cert->buf, &cert_item)) {
if (cert_item.id == DER_X509_EXTENSIONS) { if (cert_item.id == DER_X509_EXTENSIONS) {
found = true; // Open the extensions sequence.
break; return der_read_item(&cert_item.buf, extensions) &&
extensions->id == DER_SEQUENCE;
} }
} }
return false;
}
if (!found) { static bool get_extension_value(const uint8_t *extension_oid,
size_t extension_oid_size, DER_ITEM *extensions,
DER_ITEM *extension_value) {
// Find the extension with the given OID.
DER_ITEM extension = {0};
while (der_read_item(&extensions->buf, &extension)) {
DER_ITEM extension_id = {0};
if (der_read_item(&extension.buf, &extension_id) &&
extension_id.buf.size == extension_oid_size &&
memcmp(extension_id.buf.data, extension_oid, extension_oid_size) == 0) {
// Find the extension's extnValue, skipping the optional critical flag.
while (der_read_item(&extension.buf, extension_value)) {
if (extension_value->id == DER_OCTET_STRING) {
return true;
}
}
return false;
}
}
return false;
}
static bool get_authority_key_digest(DER_ITEM *tbs_cert,
const uint8_t **authority_key_digest) {
DER_ITEM extensions = {0};
if (!get_cert_extensions(tbs_cert, &extensions)) {
vcp_println("ERROR get_authority_key_digest, extensions not found."); vcp_println("ERROR get_authority_key_digest, extensions not found.");
return false; return false;
} }
// Open the extensions sequence. // Find the authority key identifier extension's extnValue.
DER_ITEM extensions = {0}; DER_ITEM extension_value = {0};
if (!der_read_item(&cert_item.buf, &extensions) || if (!get_extension_value(OID_AUTHORITY_KEY_IDENTIFIER,
extensions.id != DER_SEQUENCE) { sizeof(OID_AUTHORITY_KEY_IDENTIFIER), &extensions,
vcp_println("ERROR get_authority_key_digest, der_read_item extensions."); &extension_value)) {
return false;
}
// Find the authority key identifier extension.
DER_ITEM extension = {0};
found = false;
while (der_read_item(&extensions.buf, &extension)) {
DER_ITEM extension_id = {0};
if (der_read_item(&extension.buf, &extension_id) &&
extension_id.buf.size == sizeof(OID_AUTHORITY_KEY_IDENTIFIER) &&
memcmp(extension_id.buf.data, OID_AUTHORITY_KEY_IDENTIFIER,
sizeof(OID_AUTHORITY_KEY_IDENTIFIER)) == 0) {
found = true;
break;
}
}
if (!found) {
vcp_println( vcp_println(
"ERROR get_authority_key_digest, authority key identifier extension " "ERROR get_authority_key_digest, authority key identifier extension "
"not found."); "not found.");
return false; return false;
} }
// Find the authority key identifier extension's extnValue.
// Conforming CAs must mark this extension as non-critical, so there shouldn't
// be anything between the extension ID and value, but we search for the octet
// string to be on the safe side.
DER_ITEM extension_value = {0};
found = false;
while (der_read_item(&extension.buf, &extension_value)) {
if (extension_value.id == DER_OCTET_STRING) {
found = true;
break;
}
}
if (!found) {
vcp_println(
"ERROR get_authority_key_digest, authority key identifier extnValue "
"not found.");
return false;
}
// Open the AuthorityKeyIdentifier sequence. // Open the AuthorityKeyIdentifier sequence.
DER_ITEM auth_key_id = {0}; DER_ITEM auth_key_id = {0};
if (!der_read_item(&extension_value.buf, &auth_key_id) || if (!der_read_item(&extension_value.buf, &auth_key_id) ||