Bug fixes

backends/guest/common/generate.c

@@ -416,10 +416,11 @@ int create_auth_msg(const uint8_t *new_esl, const size_t new_esl_size,
  * @param buffer_size , length of buffer
  * @param cert_data, the certificate data
  * @param cert_data_size, the length of certificate data
+ * @param is_CA, CA certificate flag
  * @return SUCCESS or err number
  */
 int is_x509certificate(const uint8_t *buffer, const size_t buffer_size, uint8_t **cert_data,
-		       size_t *cert_data_size)
+		       size_t *cert_data_size, bool is_CA)
 {
 	int rc;
 	uint8_t *cert = NULL;
@@ -434,7 +435,7 @@ int is_x509certificate(const uint8_t *buffer, const size_t buffer_size, uint8_t
 		return CERT_FAIL;
 	}
 
-	rc = validate_cert(cert, cert_size);
+	rc = validate_cert(cert, cert_size, is_CA);
 
 	if (rc) {
 		free(cert);
@@ -454,19 +455,21 @@ int is_x509certificate(const uint8_t *buffer, const size_t buffer_size, uint8_t
  * @param buffer_size , length of buffer
  * @param hash_funct, index of hash function information to use for ESL GUID,
  *                   also helps in prevalation, if inform is '[c]ert' then this doesn't matter
+ * @param variable_name, name of the variable
  * @param hash_data, the generated hash data, buffer should be allocated before calling
  * @param hash_data_size, the length of hash data
  * @param esl_guid, signature type of ESL
  * @return SUCCESS or err number
  */
 int get_hash_data(const uint8_t *buffer, const size_t buffer_size, enum signature_type hash_funct,
-		  uint8_t *hash_data, size_t *hash_data_size)
+		  const char *variable_name, uint8_t *hash_data, size_t *hash_data_size)
 {
 	int rc = SUCCESS;
 	size_t crt_size = 0;
 	uint8_t *crt_der = NULL, *out_data = NULL;
 
-	rc = is_x509certificate(buffer, buffer_size, &crt_der, &crt_size);
+	rc = is_x509certificate(buffer, buffer_size, &crt_der, &crt_size,
+				is_trustedcadb_variable(variable_name));
 	if (rc == SUCCESS) {
 		rc = crypto_md_generate_hash(crt_der, crt_size, get_crypto_alg_id(hash_funct),
 					     &out_data, hash_data_size);

backends/guest/common/util.c

@@ -38,6 +38,19 @@ const struct signature_type_info signature_type_list[] = {
 static uint8_t append[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 };
 static uint8_t replace[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
 
+/*
+ * check it whether given variable is trustedcadb
+ */
+bool is_trustedcadb_variable(const char *variable_name)
+{
+	int len = strlen(variable_name);
+
+	if (memcmp(variable_name, TRUSTEDCADB_VARIABLE, len) == 0)
+		return true;
+
+	return false;
+}
+
 void print_timestamp(timestamp_t t)
 {
 	printf("%04d-%02d-%02d %02d:%02d:%02d UTC\n", t.year, t.month, t.day, t.hour, t.minute,

backends/guest/common/validate.c

@@ -175,7 +175,7 @@ static int validate_single_esl(const uint8_t *esl_data, size_t esl_data_size, si
 			print_hex(cert, cert_size);
 		}
 	} else if (is_cert(sig_type))
-		rc = validate_cert(cert, cert_size);
+		rc = validate_cert(cert, cert_size, false);
 	else if (is_sbat(sig_type)) {
 		if (!validate_sbat(cert, cert_size)) {
 			prlog(PR_ERR, "ERROR: SBAT data format is invalid\n");
@@ -297,10 +297,11 @@ int validate_pkcs7(const uint8_t *cert_data, size_t cert_data_len)
  *
  * @param cert_data pointer to certificate data
  * @param cert_data_len size of certtificate data
+ * @param is_CA, CA certificate flag
  * @return CERT_FAIL if certificate had incorrect data
  * @return SUCCESS if certificate is valid else 
  */
-int validate_cert(const uint8_t *cert_data, size_t cert_data_len)
+int validate_cert(const uint8_t *cert_data, size_t cert_data_len, bool is_CA)
 {
 	int rc;
 	crypto_x509_t *x509;
@@ -338,6 +339,12 @@ int validate_cert(const uint8_t *cert_data, size_t cert_data_len)
 	rc = validate_x509_certificate(x509);
 	if (rc)
 		prlog(PR_ERR, "ERROR: x509 certificate is invalid (%d)\n", rc);
+	else if (is_CA) {
+		if (!crypto_x509_is_CA(x509)) {
+			prlog(PR_ERR, "ERROR: it is not CA certificate\n");
+			rc = CERT_FAIL;
+		}
+	}
 
 	if (!rc && verbose >= PR_INFO)
 		rc = print_cert_info(x509);

backends/guest/guest_svc_generate.c

@@ -70,7 +70,8 @@ static int generate_esl(const uint8_t *buffer, size_t buffer_size, struct genera
 			break;
 		}
 
-		rc = get_hash_data(buffer, buffer_size, hash_funct, hash_data, &hash_data_size);
+		rc = get_hash_data(buffer, buffer_size, hash_funct, args->variable_name, hash_data,
+				   &hash_data_size);
 		if (rc != SUCCESS) {
 			prlog(PR_ERR, "ERROR: failed to generate hash from file\n");
 			break;
@@ -91,8 +92,9 @@ static int generate_esl(const uint8_t *buffer, size_t buffer_size, struct genera
 		esl_guid = get_uuid(hash_funct);
 		break;
 	case 'c':
-		if (is_x509certificate(buffer, buffer_size, &cert_data, &cert_data_size) !=
-		    SUCCESS) {
+		rc = is_x509certificate(buffer, buffer_size, &cert_data, &cert_data_size,
+					is_trustedcadb_variable(args->variable_name));
+		if (rc != SUCCESS) {
 			prlog(PR_ERR, "ERROR: could not validate certificate\n");
 			break;
 		}
@@ -167,7 +169,8 @@ static int generate_sha256_hash(const uint8_t *data, size_t data_size, struct ge
 			rc = SUCCESS;
 			break;
 		case 'c':
-			rc = validate_cert(data, data_size);
+			rc = validate_cert(data, data_size,
+					   is_trustedcadb_variable(args->variable_name));
 			break;
 		case 'e':
 			rc = validate_esl(data, data_size);

backends/guest/guest_svc_read.c

@@ -126,7 +126,12 @@ static int read_cert(const uint8_t *cert_data, const size_t cert_data_len, const
 	rc = validate_x509_certificate(x509);
 	if (rc)
 		prlog(PR_ERR, "ERROR: x509 certificate is invalid (%d)\n", rc);
-	else
+	else if (is_trustedcadb_variable(variable_name)) {
+		if (!crypto_x509_is_CA(x509)) {
+			prlog(PR_ERR, "ERROR: it is not CA certificate\n");
+			rc = CERT_FAIL;
+		}
+	} else
 		rc = print_cert_info(x509);
 
 	crypto_x509_free(x509);

backends/guest/guest_svc_validate.c

@@ -123,7 +123,7 @@ int guest_validation_command(int argc, char *argv[])
 
 	switch (args.input_form) {
 	case CERT_FILE:
-		rc = validate_cert(buff, size);
+		rc = validate_cert(buff, size, false);
 		break;
 	case ESL_FILE:
 		rc = validate_esl(buff, size);

backends/guest/include/common/generate.h

@@ -127,10 +127,11 @@ int create_auth_msg(const uint8_t *new_esl, const size_t new_esl_size,
  * @param buffer_size , length of buffer
  * @param cert_data, the certificate data
  * @param cert_data_size, the length of certificate data
+ * @param is_CA, CA certificate flag
  * @return SUCCESS or err number
  */
 int is_x509certificate(const uint8_t *buffer, const size_t buffer_size, uint8_t **cert_data,
-		       size_t *cert_data_size);
+		       size_t *cert_data_size, bool is_CA);
 
 /*
  * generate the hash data using input data
@@ -139,12 +140,13 @@ int is_x509certificate(const uint8_t *buffer, const size_t buffer_size, uint8_t
  * @param buffer_size , length of buffer
  * @param hash_funct, index of hash function information to use for ESL GUID,
  *                   also helps in prevalation, if inform is '[c]ert' then this doesn't matter
+ * @param variable_name, name of the variable
  * @param hash_data, the generated hash data, should already be allocated to hold hash
  * @param hash_data_size, the length of hash data
  * @param esl_guid, signature type of ESL
  * @return SUCCESS or err number
  */
 int get_hash_data(const uint8_t *buffer, const size_t buffer_size, enum signature_type hash_funct,
-		  uint8_t *hash_data, size_t *hash_data_size);
+		  const char *variable_name, uint8_t *hash_data, size_t *hash_data_size);
 
 #endif

backends/guest/include/common/util.h

@@ -16,6 +16,7 @@
 #define KEK_VARIABLE (char *)"KEK"
 #define KEK_LEN 3
 #define SBAT_VARIABLE (char *)"sbat"
+#define TRUSTEDCADB_VARIABLE (char *)"trustedcadb"
 
 static const uuid_t PKS_CERT_DELETE_GUID = { { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 					       0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } };
@@ -53,6 +54,11 @@ struct signature_type_info {
 
 extern const struct signature_type_info signature_type_list[];
 
+/*
+ * check it whether given variable is trustedcadb
+ */
+bool is_trustedcadb_variable(const char *variable_name);
+
 void print_timestamp(timestamp_t t);
 
 void read_timestamp(const uint8_t *esl_data);

backends/guest/include/common/validate.h

@@ -76,9 +76,10 @@ int validate_esl(const uint8_t *esl_data, size_t esl_data_len);
  *
  * @param certBuf pointer to certificate data
  * @param buflen length of certBuf
+ * @param is_CA, CA certificate flag
  * @return CERT_FAIL if certificate had incorrect data
  * @return SUCCESS if certificate is valid
  */
-int validate_cert(const uint8_t *cert_data, size_t cert_data_len);
+int validate_cert(const uint8_t *cert_data, size_t cert_data_len, bool is_CA);
 
 #endif