Always include authority key identifier and subject key identifier #382

Merged
7 changes: 2 additions & 5 deletions dpe/src/x509.rs
Expand Up @@ -511,7 +511,7 @@ impl CertWriter<'_> {
tagged: bool,
is_x509: bool,
) -> Result<usize, DpeErrorCode> {
if !measurements.is_ca || !is_x509 {
if !is_x509 {
return Ok(0);
}
let aki_size = Self::get_key_identifier_size(
Expand Down Expand Up @@ -1597,7 +1597,7 @@ impl CertWriter<'_> {
measurements: &MeasurementData,
is_x509: bool,
) -> Result<usize, DpeErrorCode> {
if !measurements.is_ca || !is_x509 {
if !is_x509 {
return Ok(0);
}

Expand Down Expand Up @@ -2975,9 +2975,6 @@ pub(crate) mod tests {
}

match cert.get_extension_unique(&oid!(2.5.29 .35)) {
Ok(Some(_)) => {
panic!("authority key identifier extensions found for non CA certificate")
}
Err(_) => panic!("multiple authority key identifier extensions found"),
_ => (),
}
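Review bot: In the test hunk at the end of this section, dropping the `Ok(Some(_))` panic arm leaves `_ => ()` as the catch-all, so a certificate with no authority key identifier extension (OID 2.5.29.35) still passes this match. Since the extension is now meant to be present on every X.509 certificate, the match should require it, for example `Ok(None) => panic!("authority key identifier extension not found"),` followed by `Ok(Some(_)) => (),`. Unless presence is asserted elsewhere in the test body, which starts and ends outside the hunk, a regression that silently drops the AKI would go unnoticed, and verifiers rely on it to pick the issuing key when building the chain. The two `is_x509` guards changed earlier in this section sit in functions that begin outside their hunks, and the matching encode paths are not shown. It is worth confirming they no longer gate on `measurements.is_ca`, so that the computed size and the bytes written agree.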
16 changes: 5 additions & 11 deletions verification/testing/certifyKey.go
Expand Up @@ -421,15 +421,11 @@ func checkCertifyKeyAuthorityKeyIdentifierExtension(t *testing.T, extensions []p
if err != nil {
t.Errorf("[ERROR]: Failed to retrieve AuthorityKeyIdentifier extension: %v", err)
}
if ca {
if aki.KeyIdentifier == nil {
t.Fatal("[ERROR]: The certificate is a CA but the AuthorityKeyIdentifier extension is not present.")
}
if !reflect.DeepEqual(aki.KeyIdentifier, IssuerSki) {
t.Errorf("[ERROR]: The value of the authority key identifier %v is not equal to the issuer's subject key identifier %v", aki, IssuerSki)
}
} else if !ca && aki.KeyIdentifier != nil {
t.Errorf("[ERROR]: The certificate is not a CA but the AuthorityKeyIdentifier extension is present.")
if aki.KeyIdentifier == nil {
t.Fatal("[ERROR]: The certificate is a CA but the AuthorityKeyIdentifier extension is not present.")
}
if !reflect.DeepEqual(aki.KeyIdentifier, IssuerSki) {
t.Errorf("[ERROR]: The value of the authority key identifier %v is not equal to the issuer's subject key identifier %v", aki, IssuerSki)
}
}

Expand Down Expand Up @@ -490,8 +486,6 @@ func checkCertificateStructure(t *testing.T, certBytes []byte) *x509.Certificate
// We will need to truncate the serial numbers for those certs and
// then enable this lint.
"e_subject_dn_serial_number_max_length",
// CertifKey does not support CA certificates.
"e_ext_authority_key_identifier_no_key_identifier",
// subject key identifiers are optional in leaf certificates.
"w_ext_subject_key_identifier_missing_sub_cert",
},
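Review bot: The `t.Fatal` message kept on the nil check still reads "The certificate is a CA but the AuthorityKeyIdentifier extension is not present.", which is stale now that the check runs for every certificate; `t.Fatal("[ERROR]: The AuthorityKeyIdentifier extension is not present.")` would describe the failure correctly. The mismatch message also formats the whole `aki` value with `%v`, so printing `aki.KeyIdentifier` would make the comparison with `IssuerSki` readable. In the second hunk the `w_ext_subject_key_identifier_missing_sub_cert` exclusion and its comment that subject key identifiers are optional in leaf certificates remain as context; if the subject key identifier is now always emitted, as the title says, dropping that exclusion as well would let the linter enforce it. Both functions start outside their hunks, so whether the `ca` value is still used elsewhere cannot be seen here.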