On Tue, Oct 03, 2023 at 04:04:55PM +0100, Jonathan Cameron wrote:
> On Thu, 28 Sep 2023 19:32:39 +0200 Lukas Wunner <lukas@xxxxxxxxx> wrote:
> > PCIe r6.1 sec 6.31.3 stipulates requirements for X.509 Leaf Certificates
> > presented by devices, in particular the presence of a Subject Alternative
> > Name extension with a name that encodes the Vendor ID, Device ID, Device
> > Serial Number, etc.
>
> Lets you do any of
> * What you have here
> * Reference Integrity Manifest, e.g. see Trusted Computing Group
> * A pointer to a location where such a Reference Integrity Manifest can be
> obtained.
>
> So this text feels a little strong though I'm fine with only support the
> Subject Alternative Name bit for now. Whoever has one of the other options
> can add that support :)
I intend to amend the commit message as follows. If anyone believes
this is inaccurate, please let me know:
Side note: Instead of a Subject Alternative Name, Leaf Certificates may
include "a Reference Integrity Manifest, e.g., see Trusted Computing
Group" or "a pointer to a location where such a Reference Integrity
Manifest can be obtained" (PCIe r6.1 sec 6.31.3).
A Reference Integrity Manifest contains "golden" measurements which can
be compared to actual measurements retrieved from a device. It serves a
different purpose than the Subject Alternative Name, hence it is unclear
why the spec says only either of them is necessary. It is also unclear
how a Reference Integrity Manifest shall be encoded into a certificate.
Ignore the Reference Integrity Manifest requirement until this confusion
is resolved by a spec update.
> I haven't looked asn.1 recently enough to have any confidence on
> a review of that bit...
> So, for everything except the asn.1
> Reviewed-by: Jonathan Cameron <Jonathan.Cameron@xxxxxxxxxx>
In case it raises the confidence in that portion of the patch,
I have tested it successfully not just with certificates containing
a single CMA otherName, but also:
- a single otherName with a different OID
- multiple otherNames with a mix of CMA and other OIDs
- multiple otherNames plus additional unrelated dNSNames
- no Subject Alternative Name
Getting the IMPLICIT annotations right was a bit nontrivial.
It turned out that the existing crypto/asymmetric_keys/x509_akid.asn1
got that wrong as well, so I fixed it up as a byproduct of this series:
https://git.kernel.org/herbert/cryptodev-2.6/c/a1e452026e6d
The debug experience made me appreciate the kernel's ASN.1 compiler
and parser though: Their code is surprisingly small, the generated
output of the compiler is quite readable and the split architecture
with a compiler+parser feels much safer than what openssl does.
Thanks,
Lukas
