From ce66fbcd399270e25d74a0654c5f2c573a9d14c1 Mon Sep 17 00:00:00 2001 From: Nick Quarton <139178705+nquarton@users.noreply.github.com> Date: Wed, 6 Nov 2024 09:12:38 -0800 Subject: [PATCH] Cert tweaks to names and TCB info (#1725) --- FROZEN_IMAGES.sha384sum | 4 +- .../fmc_integration_tests/test_rtalias.rs | 2 +- libcaliptra/examples/generic/idev_csr_array.h | 52 ++++++----- rom/dev/build.rs | 11 ++- rom/dev/src/flow/cold_reset/fmc_alias.rs | 2 +- .../test_fmcalias_derivation.rs | 2 +- runtime/src/dpe_platform.rs | 2 +- test/src/x509.rs | 5 +- .../caliptra_integration_tests/smoke_test.rs | 26 +++--- .../fmc_alias_cert_redacted.der | Bin 907 -> 874 bytes .../fmc_alias_cert_redacted.txt | 6 +- .../smoke_testdata/idevid_csr.der | Bin 443 -> 444 bytes .../smoke_testdata/idevid_csr.txt | 14 +-- .../smoke_testdata/ldevid_cert.der | Bin 675 -> 674 bytes .../smoke_testdata/ldevid_cert.txt | 16 ++-- .../smoke_testdata/rt_alias_cert_redacted.der | Bin 775 -> 761 bytes .../smoke_testdata/rt_alias_cert_redacted.txt | 6 +- x509/build/build.rs | 8 +- x509/build/cert.rs | 4 +- x509/build/fmc_alias_cert_tbs.rs | 87 +++++++++--------- x509/build/init_dev_id_csr_tbs.rs | 2 +- x509/build/local_dev_id_cert_tbs.rs | 4 +- x509/build/rt_alias_cert_tbs.rs | 25 +++-- x509/build/x509.rs | 24 +++-- 24 files changed, 161 insertions(+), 141 deletions(-) diff --git a/FROZEN_IMAGES.sha384sum b/FROZEN_IMAGES.sha384sum index 6b4d5d9475..97f1762a43 100644 --- a/FROZEN_IMAGES.sha384sum +++ b/FROZEN_IMAGES.sha384sum 
@@ -1,3 +1,3 @@ # WARNING: Do not update this file without the approval of the Caliptra TAC -91b951fbe655919a1e123b86add18ab604d049f6d2b2bbefac4cd554a4411eaf22247973c47490e243b9a5b1d197feb3 caliptra-rom-no-log.bin -105cda4bbc0f2f0096d058eda9090670da0d90c8e3066cb44027843e9a490db61933b524ca78fe78351a7fd26a124c03 caliptra-rom-with-log.bin +9537318fd30c3e3d341cffab5721ba3242810be85e79ed9dc644c47c062555ef7519fb48857745e7ccb9917ac1fe120a caliptra-rom-no-log.bin +e4e74d2d1c4794b950a548072fc8dc4c9ab64aba7a01ae400e9fe66c64b43f715e72dc430e7318496009ebedd0412bc6 caliptra-rom-with-log.bin diff --git a/fmc/tests/fmc_integration_tests/test_rtalias.rs b/fmc/tests/fmc_integration_tests/test_rtalias.rs index a36abc35ab..9b36fa00ad 100644 --- a/fmc/tests/fmc_integration_tests/test_rtalias.rs +++ b/fmc/tests/fmc_integration_tests/test_rtalias.rs @@ -91,7 +91,7 @@ fn test_fht_info() { let data = hw.mailbox_execute(TEST_CMD_READ_FHT, &[]).unwrap().unwrap(); let fht = FirmwareHandoffTable::read_from_prefix(data.as_bytes()).unwrap(); assert_eq!(fht.ldevid_tbs_size, 552); - assert_eq!(fht.fmcalias_tbs_size, 786); + assert_eq!(fht.fmcalias_tbs_size, 753); assert_eq!(fht.ldevid_tbs_addr, 0x50003C00); assert_eq!(fht.fmcalias_tbs_addr, 0x50004000); assert_eq!(fht.pcr_log_addr, 0x50004800); diff --git a/libcaliptra/examples/generic/idev_csr_array.h b/libcaliptra/examples/generic/idev_csr_array.h index 8e5cc3e03f..1aa34bc31e 100644 --- a/libcaliptra/examples/generic/idev_csr_array.h +++ b/libcaliptra/examples/generic/idev_csr_array.h 
@@ -2,28 +2,34 @@ // Generated from test/tests/caliptra_integration_tests/smoke_testdata/idev_csr.der #include -#define IDEV_CSR_LEN 443 +#define IDEV_CSR_LEN 444 uint8_t idev_csr_bytes[IDEV_CSR_LEN] = { - 48, 130, 1, 183, 48, 130, 1, 62, 2, 1, 0, 48, 105, 49, 28, 48, 26, 6, - 3, 85, 4, 3, 12, 19, 67, 97, 108, 105, 112, 116, 114, 97, 32, 49, 46, - 48, 32, 73, 68, 101, 118, 73, 68, 49, 73, 48, 71, 6, 3, 85, 4, 5, 19, - 64, 56, 69, 51, 67, 49, 65, 48, 53, 56, 70, 55, 48, 52, 65, 49, 49, 56, - 50, 49, 70, 55, 66, 52, 56, 68, 51, 52, 48, 65, 69, 70, 57, 57, 68, 68, - 65, 66, 65, 68, 67, 49, 48, 57, 48, 68, 55, 52, 68, 48, 53, 55, 70, 69, - 67, 67, 70, 55, 51, 50, 57, 52, 69, 68, 54, 48, 118, 48, 16, 6, 7, 42, 134, - 72, 206, 61, 2, 1, 6, 5, 43, 129, 4, 0, 34, 3, 98, 0, 4, 215, 180, 133, 242, - 159, 17, 92, 28, 179, 4, 107, 132, 11, 69, 137, 181, 120, 98, 245, 235, 249, - 157, 132, 111, 190, 63, 210, 209, 67, 150, 245, 246, 154, 55, 154, 89, 172, - 197, 162, 174, 200, 54, 158, 203, 101, 144, 68, 55, 180, 188, 124, 217, 165, - 168, 64, 60, 91, 177, 145, 82, 35, 170, 134, 190, 242, 193, 188, 146, 20, 95, 252, - 39, 193, 37, 198, 219, 250, 212, 156, 145, 232, 72, 197, 68, 172, 127, 14, 149, 214, - 205, 140, 172, 251, 146, 63, 166, 160, 86, 48, 84, 6, 9, 42, 134, 72, 134, 247, 13, - 1, 9, 14, 49, 71, 48, 69, 48, 18, 6, 3, 85, 29, 19, 1, 1, 255, 4, 8, 48, 6, 1, 1, 255, 2 - , 1, 5, 48, 14, 6, 3, 85, 29, 15, 1, 1, 255, 4, 4, 3, 2, 2, 4, 48, 31, 6, 6, 103, 129, 5, 5, - 4, 4, 4, 21, 48, 19, 4, 17, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 48, 10, 6, 8, 42, - 134, 72, 206, 61, 4, 3, 3, 3, 103, 0, 48, 100, 2, 48, 124, 116, 253, 40, 206, 15, 249, 233, 218, 239 - ,144, 132, 165, 175, 192, 66, 209, 226, 8, 132, 103, 214, 106, 232, 220, 70, 204, 2, 29, 128, 218, 55, 80, - 145, 238, 117, 9, 237, 21, 85, 15, 49, 21, 35, 201, 187, 230, 225, 2, 48, 36, 253, 27, 91, 71, 204, 20, 74, 102, - 165, 187, 231, 4, 116, 240, 33, 54, 55, 244, 158, 93, 205, 161, 66, 191, 246, 130, 92, 161, 
244, 81, 67, 226, 151, - 252, 149, 206, 86, 177, 103, 225, 191, 225, 38, 58, 206, 161, 243, + 0x30, 0x82, 0x01, 0xb8, 0x30, 0x82, 0x01, 0x3e, 0x02, 0x01, 0x00, 0x30, 0x69, 0x31, 0x1c, 0x30, + 0x1a, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x13, 0x43, 0x61, 0x6c, 0x69, 0x70, 0x74, 0x72, 0x61, + 0x20, 0x31, 0x2e, 0x78, 0x20, 0x49, 0x44, 0x65, 0x76, 0x49, 0x44, 0x31, 0x49, 0x30, 0x47, 0x06, + 0x03, 0x55, 0x04, 0x05, 0x13, 0x40, 0x38, 0x45, 0x33, 0x43, 0x31, 0x41, 0x30, 0x35, 0x38, 0x46, + 0x37, 0x30, 0x34, 0x41, 0x31, 0x31, 0x38, 0x32, 0x31, 0x46, 0x37, 0x42, 0x34, 0x38, 0x44, 0x33, + 0x34, 0x30, 0x41, 0x45, 0x46, 0x39, 0x39, 0x44, 0x44, 0x41, 0x42, 0x41, 0x44, 0x43, 0x31, 0x30, + 0x39, 0x30, 0x44, 0x37, 0x34, 0x44, 0x30, 0x35, 0x37, 0x46, 0x45, 0x43, 0x43, 0x46, 0x37, 0x33, + 0x32, 0x39, 0x34, 0x45, 0x44, 0x36, 0x30, 0x76, 0x30, 0x10, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, + 0x3d, 0x02, 0x01, 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22, 0x03, 0x62, 0x00, 0x04, 0xd7, 0xb4, + 0x85, 0xf2, 0x9f, 0x11, 0x5c, 0x1c, 0xb3, 0x04, 0x6b, 0x84, 0x0b, 0x45, 0x89, 0xb5, 0x78, 0x62, + 0xf5, 0xeb, 0xf9, 0x9d, 0x84, 0x6f, 0xbe, 0x3f, 0xd2, 0xd1, 0x43, 0x96, 0xf5, 0xf6, 0x9a, 0x37, + 0x9a, 0x59, 0xac, 0xc5, 0xa2, 0xae, 0xc8, 0x36, 0x9e, 0xcb, 0x65, 0x90, 0x44, 0x37, 0xb4, 0xbc, + 0x7c, 0xd9, 0xa5, 0xa8, 0x40, 0x3c, 0x5b, 0xb1, 0x91, 0x52, 0x23, 0xaa, 0x86, 0xbe, 0xf2, 0xc1, + 0xbc, 0x92, 0x14, 0x5f, 0xfc, 0x27, 0xc1, 0x25, 0xc6, 0xdb, 0xfa, 0xd4, 0x9c, 0x91, 0xe8, 0x48, + 0xc5, 0x44, 0xac, 0x7f, 0x0e, 0x95, 0xd6, 0xcd, 0x8c, 0xac, 0xfb, 0x92, 0x3f, 0xa6, 0xa0, 0x56, + 0x30, 0x54, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x0e, 0x31, 0x47, 0x30, + 0x45, 0x30, 0x12, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x08, 0x30, 0x06, 0x01, + 0x01, 0xff, 0x02, 0x01, 0x05, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, + 0x04, 0x03, 0x02, 0x02, 0x04, 0x30, 0x1f, 0x06, 0x06, 0x67, 0x81, 0x05, 0x05, 0x04, 0x04, 0x04, + 0x15, 0x30, 0x13, 0x04, 0x11, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, + 0x03, 0x03, 0x03, 0x68, 0x00, 0x30, 0x65, 0x02, 0x31, 0x00, 0xed, 0x8e, 0x44, 0x4e, 0x3c, 0x7f, + 0x6f, 0x96, 0x4a, 0x5d, 0xcb, 0xe1, 0xea, 0x08, 0xa0, 0x57, 0xf5, 0xd7, 0xb5, 0x6d, 0xce, 0x72, + 0x9e, 0xb8, 0x8c, 0x88, 0x38, 0xf6, 0x50, 0x35, 0x90, 0xbd, 0x6b, 0x59, 0xdb, 0x29, 0x52, 0x13, + 0x2e, 0xfc, 0xa8, 0xb6, 0x8d, 0x8a, 0x33, 0xd3, 0x2a, 0xcf, 0x02, 0x30, 0x6d, 0x40, 0x6a, 0x1f, + 0x7c, 0x9e, 0x74, 0x8f, 0x28, 0xdc, 0x14, 0x73, 0xe0, 0x96, 0x92, 0xd8, 0x74, 0xfa, 0x30, 0x58, + 0x04, 0x54, 0x84, 0x77, 0xe9, 0x52, 0x3a, 0x0d, 0x63, 0xfa, 0xf3, 0x1a, 0x68, 0xc3, 0x88, 0x07, + 0x50, 0xa7, 0x5d, 0x6f, 0xf7, 0xa9, 0xda, 0x98, 0xf7, 0x8c, 0x48, 0x2a, }; diff --git a/rom/dev/build.rs b/rom/dev/build.rs index 3c51a3601e..30bc1d097b 100644 --- a/rom/dev/build.rs +++ b/rom/dev/build.rs @@ -86,10 +86,13 @@ fn main() { use x509_parser::signature_value::EcdsaSigValue; let ws_dir = workspace_dir(); - let ldev_file = std::fs::read( - ws_dir.join("test/tests/caliptra_integration_tests/smoke_testdata/ldevid_cert.der"), - ) - .unwrap(); + let ldev_file_path = + ws_dir.join("test/tests/caliptra_integration_tests/smoke_testdata/ldevid_cert.der"); + println!( + "cargo:rerun-if-changed={}", + ldev_file_path.to_str().unwrap() + ); + let ldev_file = std::fs::read(ldev_file_path).unwrap(); let mut parser = X509CertificateParser::new(); let (_, cert) = parser.parse(&ldev_file).unwrap(); diff --git a/rom/dev/src/flow/cold_reset/fmc_alias.rs b/rom/dev/src/flow/cold_reset/fmc_alias.rs index 6f0c59604d..f6e8d50ccf 100644 --- a/rom/dev/src/flow/cold_reset/fmc_alias.rs +++ b/rom/dev/src/flow/cold_reset/fmc_alias.rs @@ -252,6 +252,6 @@ impl FmcAliasLayer { flags |= dice::FLAG_BIT_DEBUG; } - flags.to_be_bytes() + flags.reverse_bits().to_be_bytes() } } 
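Review bot: `ldev_file_path.to_str().unwrap()` in the new rerun-if-changed line will panic the build script on a non-UTF-8 workspace path, which the old `std::fs::read(...)` code never did; `println!("cargo:rerun-if-changed={}", ldev_file_path.display());` prints the same thing without the panic path. Separately, emitting any `cargo:rerun-if-changed` switches cargo from "rerun when anything in the package changes" to "rerun only for the declared inputs", so every other file this build script reads must be declared the same way or edits to it will silently not retrigger the build. The enclosing `fn main` starts and ends outside the hunk, so I cannot tell from here whether other inputs exist.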
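Review bot: The new `flags.reverse_bits().to_be_bytes()` has no comment, and a reader will take the bit reversal for a bug unless the reason is stated. What the surrounding changes suggest (hedged, since dice.rs is not in the diff) is that the `FLAG_BIT_*` constants are `1 << n` for DICE operationalFlags bit n, while a DER BIT STRING numbers bit 0 as the most-significant bit of the first content octet, so the reversal puts each flag where a verifier expects it; the template's flagsMask placeholder changing from `128, 0, 0, 11` to `208, 0, 0, 1` in fmc_alias_cert_tbs.rs is consistent with that reading. I would add `// DER BIT STRING bit 0 is the MSB of the first octet; FLAG_BIT_* are LSB-first, so reverse before serializing.` above the line, and note that this relies on the field being a fixed 32-bit string with zero unused bits. The enclosing method starts outside the hunk.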
diff --git a/rom/dev/tests/rom_integration_tests/test_fmcalias_derivation.rs b/rom/dev/tests/rom_integration_tests/test_fmcalias_derivation.rs index b697eaee48..acee1877e3 100644 --- a/rom/dev/tests/rom_integration_tests/test_fmcalias_derivation.rs +++ b/rom/dev/tests/rom_integration_tests/test_fmcalias_derivation.rs @@ -742,7 +742,7 @@ fn test_fht_info() { let data = hw.mailbox_execute(0x1000_0003, &[]).unwrap().unwrap(); let fht = FirmwareHandoffTable::read_from_prefix(data.as_bytes()).unwrap(); assert_eq!(fht.ldevid_tbs_size, 552); - assert_eq!(fht.fmcalias_tbs_size, 786); + assert_eq!(fht.fmcalias_tbs_size, 753); assert_eq!(fht.ldevid_tbs_addr, LDEVID_TBS_ORG); assert_eq!(fht.fmcalias_tbs_addr, FMCALIAS_TBS_ORG); assert_eq!(fht.pcr_log_addr, PCR_LOG_ORG); diff --git a/runtime/src/dpe_platform.rs b/runtime/src/dpe_platform.rs index ab53d6122f..daeee3ad2d 100644 --- a/runtime/src/dpe_platform.rs +++ b/runtime/src/dpe_platform.rs @@ -108,7 +108,7 @@ impl Platform for DpePlatform<'_> { &mut self, out: &mut [u8; MAX_ISSUER_NAME_SIZE], ) -> Result { - const CALIPTRA_CN: &[u8] = b"Caliptra 1.0 Rt Alias"; + const CALIPTRA_CN: &[u8] = b"Caliptra 1.x Rt Alias"; let mut issuer_writer = CertWriter::new(out, true); // Caliptra RDN SerialNumber field is always a Sha256 hash diff --git a/test/src/x509.rs b/test/src/x509.rs index 6c5954223c..09ac3374f1 100644 --- a/test/src/x509.rs +++ b/test/src/x509.rs @@ -68,7 +68,10 @@ impl DiceTcbInfo { }) .transpose()? .unwrap_or_default(), - flags: d.read_optional_implicit_element(7)?, + flags: d + .read_optional_implicit_element::(7)? + .and_then(|b| b.as_bytes().try_into().ok()) + .map(u32::from_be_bytes), vendor_info: d .read_optional_implicit_element::<&[u8]>(8)? .map(|s| s.to_vec()), diff --git a/test/tests/caliptra_integration_tests/smoke_test.rs b/test/tests/caliptra_integration_tests/smoke_test.rs index 3760416549..75841e22d2 100644 --- a/test/tests/caliptra_integration_tests/smoke_test.rs 
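Review bot: In the new `flags` parsing, `.and_then(|b| b.as_bytes().try_into().ok())` turns a flags BIT STRING whose content is not exactly four octets into `None`, which callers (including the smoke tests' `flags: Some(...)` expectations) cannot distinguish from the field being absent, so a malformed or truncated flags field would only show up as a confusing equality failure rather than a parse error. The unused-bits count of the BIT STRING is also discarded; the generic argument of `read_optional_implicit_element` is lost in this rendering, so I cannot tell whether the element type already validates it. Consider mapping the length mismatch to an error the same way the `fwids` field just above does with `.transpose()?`, or at least documenting that `None` here also covers a wrong-length field. The enclosing function starts and ends outside the hunk.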
+++ b/test/tests/caliptra_integration_tests/smoke_test.rs @@ -66,8 +66,8 @@ fn retrieve_csr_test() { let csr_txt = String::from_utf8(csr.to_text().unwrap()).unwrap(); // To update the CSR testdata: - // std::fs::write("tests/smoke_testdata/idevid_csr.txt", &csr_txt).unwrap(); - // std::fs::write("tests/smoke_testdata/idevid_csr.der", &csr_der).unwrap(); + // std::fs::write("tests/caliptra_integration_tests/smoke_testdata/idevid_csr.txt", &csr_txt).unwrap(); + // std::fs::write("tests/caliptra_integration_tests/smoke_testdata/idevid_csr.der", &csr_der).unwrap(); println!("csr: {}", csr_txt); @@ -214,8 +214,8 @@ fn smoke_test() { let ldev_cert_txt = String::from_utf8(ldev_cert.to_text().unwrap()).unwrap(); // To update the ldev cert testdata: - // std::fs::write("tests/smoke_testdata/ldevid_cert.txt", &ldev_cert_txt).unwrap(); - // std::fs::write("tests/smoke_testdata/ldevid_cert.der", ldev_cert_der).unwrap(); + // std::fs::write("tests/caliptra_integration_tests/smoke_testdata/ldevid_cert.txt", &ldev_cert_txt).unwrap(); + // std::fs::write("tests/caliptra_integration_tests/smoke_testdata/ldevid_cert.der", ldev_cert_der).unwrap(); assert_eq!( ldev_cert_txt.as_str(), @@ -277,8 +277,8 @@ fn smoke_test() { dice_tcb_info, [ DiceTcbInfo { - vendor: Some("Caliptra".into()), - model: Some("Device".into()), + vendor: None, + model: None, // This is from the SVN in the fuses (7 bits set) svn: Some(0x107), fwids: vec![DiceFwid { @@ -286,13 +286,13 @@ fn smoke_test() { digest: device_info_hash.to_vec(), },], - flags: Some(0x80000000), + flags: Some(0x00000001), ty: Some(b"DEVICE_INFO".to_vec()), ..Default::default() }, DiceTcbInfo { - vendor: Some("Caliptra".into()), - model: Some("FMC".into()), + vendor: None, + model: None, // This is from the SVN in the image (9) svn: Some(0x109), fwids: vec![DiceFwid { 
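Review bot: The new `flags: Some(0x00000001)` expectation for the DEVICE_INFO DiceTcbInfo has no comment saying which operationalFlags bit it is, whereas the `svn` line right above it explains where its value comes from. With this commit's `reverse_bits()` serialization and the test reading the four octets back as big-endian, `0x00000001` is bit 31 of the DER BIT STRING, not bit 0, which is easy to misread; a one-line comment such as `// Bit 31 of the DER BIT STRING (flags are serialized MSB-first)` would make the value checkable. The enclosing `smoke_test` function starts and ends outside the hunk.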
@@ -458,8 +458,8 @@ fn smoke_test() { assert_eq!( rt_dice_tcb_info, Some(DiceTcbInfo { - vendor: Some("Caliptra".into()), - model: Some("RT".into()), + vendor: None, + model: None, svn: Some(0x100), fwids: vec![DiceFwid { // RT @@ -608,8 +608,8 @@ fn smoke_test() { assert_eq!( rt_dice_tcb_info2, Some(DiceTcbInfo { - vendor: Some("Caliptra".into()), - model: Some("RT".into()), + vendor: None, + model: None, svn: Some(0x100), fwids: vec![DiceFwid { // FMC diff --git a/test/tests/caliptra_integration_tests/smoke_testdata/fmc_alias_cert_redacted.der b/test/tests/caliptra_integration_tests/smoke_testdata/fmc_alias_cert_redacted.der index 84e7805d2c139eb500dbefa7e5a5c3988a60cb38..60649c75c60df8f4eff409ccc343618d05c1ff34 100644 GIT binary patch delta 67 zcmeBXf5paU(8Qc((8Tn10W%XL6Vv1eOkxvNlo=}~dh`K_>lavk4VoA|C$C|2=Q+s6 Xmfpz9%EHRhxNR~c)3(Xin6?4{yRa2I delta 70 zcmaFG*3Hgu(8Syh#C!{wnHZUvL?(U|nW(J7XfV;E4@g|Uz?x^!#F#aC4Wm2HBR015 YMpjl9R+h%=lNp(|Okz}?yp?Gy0Lo4kB>(^b diff --git a/test/tests/caliptra_integration_tests/smoke_testdata/fmc_alias_cert_redacted.txt b/test/tests/caliptra_integration_tests/smoke_testdata/fmc_alias_cert_redacted.txt index ef18969566..a63df7f6df 100644 --- a/test/tests/caliptra_integration_tests/smoke_testdata/fmc_alias_cert_redacted.txt +++ b/test/tests/caliptra_integration_tests/smoke_testdata/fmc_alias_cert_redacted.txt 
@@ -4,11 +4,11 @@ Certificate: Serial Number: 44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44 Signature Algorithm: ecdsa-with-SHA384 - Issuer: CN=Caliptra 1.0 LDevID/serialNumber=21EEEF9A4C61D4B9E3D94BEA46F9A12AC6887CE2188559F40FF95777E8014889 + Issuer: CN=Caliptra 1.x LDevID/serialNumber=21EEEF9A4C61D4B9E3D94BEA46F9A12AC6887CE2188559F40FF95777E8014889 Validity Not Before: Jan 1 00:00:00 2023 GMT Not After : Dec 31 23:59:59 9999 GMT - Subject: CN=Caliptra 1.0 FMC Alias/serialNumber=DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD + Subject: CN=Caliptra 1.x FMC Alias/serialNumber=DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (384 bit) @@ -30,7 +30,7 @@ Certificate: 2.23.133.5.4.4: 0.................... 2.23.133.5.4.5: - DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD + DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD X509v3 Subject Key Identifier: 44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44 X509v3 Authority Key Identifier: 
diff --git a/test/tests/caliptra_integration_tests/smoke_testdata/idevid_csr.der b/test/tests/caliptra_integration_tests/smoke_testdata/idevid_csr.der index 78cb24f88e066bc4af0f95287699541bed13cd44..f5af843189b59f1401af3b3e48d4b9526aa93e50 100644 GIT binary patch delta 151 zcmV;I0BHZa1H1zyFoFTNFoFR-0s#OpX)zoy8U_PZ1Op5cLt$)baCCBEATcg@u_P}6 zX=ng2Wdbn(?T$oFJb!PNN?pt0>Ik4$_1Cp+&T^i(jEFe)P&JUfYgyYVQWGxxsJ4xY zGt(;10x)erY9D-_bdM<96m#H~lGt?mFjxdsgm>vuIt^p`^BQQwhzC%oU2pfP+L-r@ FNGiR|J&ynY delta 150 zcmV;H0BQfc1G@txFoFTMFoFR-0s#OpX)zoy8U_PZ1Op5cLt$)baCCBEATcg5u_P}6 zXlDR0WCAdJbp0sK5BcfZ?~sJ0ufRgl;s}Ii)@tb7M$7^ofZ8`uk?wT~?G;rIF%=`p zyXN5nFeLpOTSv?kN@k_I=LB@{AvQPko?XqMLcjKcT%q()L*keGmCjbNXW_r$COXcc E^8rmj$N&HU diff --git a/test/tests/caliptra_integration_tests/smoke_testdata/idevid_csr.txt b/test/tests/caliptra_integration_tests/smoke_testdata/idevid_csr.txt index 340d92ab9f..7831436342 100644 --- a/test/tests/caliptra_integration_tests/smoke_testdata/idevid_csr.txt +++ b/test/tests/caliptra_integration_tests/smoke_testdata/idevid_csr.txt @@ -1,7 +1,7 @@ Certificate Request: Data: Version: 1 (0x0) - Subject: CN=Caliptra 1.0 IDevID/serialNumber=8E3C1A058F704A11821F7B48D340AEF99DDABADC1090D74D057FECCF73294ED6 + Subject: CN=Caliptra 1.x IDevID/serialNumber=8E3C1A058F704A11821F7B48D340AEF99DDABADC1090D74D057FECCF73294ED6 Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (384 bit) 
@@ -25,9 +25,9 @@ Certificate Request: 0.................... Signature Algorithm: ecdsa-with-SHA384 Signature Value: - 30:64:02:30:7c:74:fd:28:ce:0f:f9:e9:da:ef:90:84:a5:af: - c0:42:d1:e2:08:84:67:d6:6a:e8:dc:46:cc:02:1d:80:da:37: - 50:91:ee:75:09:ed:15:55:0f:31:15:23:c9:bb:e6:e1:02:30: - 24:fd:1b:5b:47:cc:14:4a:66:a5:bb:e7:04:74:f0:21:36:37: - f4:9e:5d:cd:a1:42:bf:f6:82:5c:a1:f4:51:43:e2:97:fc:95: - ce:56:b1:67:e1:bf:e1:26:3a:ce:a1:f3 + 30:65:02:31:00:ed:8e:44:4e:3c:7f:6f:96:4a:5d:cb:e1:ea: + 08:a0:57:f5:d7:b5:6d:ce:72:9e:b8:8c:88:38:f6:50:35:90: + bd:6b:59:db:29:52:13:2e:fc:a8:b6:8d:8a:33:d3:2a:cf:02: + 30:6d:40:6a:1f:7c:9e:74:8f:28:dc:14:73:e0:96:92:d8:74: + fa:30:58:04:54:84:77:e9:52:3a:0d:63:fa:f3:1a:68:c3:88: + 07:50:a7:5d:6f:f7:a9:da:98:f7:8c:48:2a diff --git a/test/tests/caliptra_integration_tests/smoke_testdata/ldevid_cert.der b/test/tests/caliptra_integration_tests/smoke_testdata/ldevid_cert.der index d7bee137f127d8a6c7d1ca24a43c05683f913af2..cafa0278230ffdb62b8b7cbc52b6981152b08bc6 100644 GIT binary patch delta 129 zcmV-{0Dk|Y1)>E6FoFV}kpx2lc#%ks0eG?3VgYGr05D|&FefA<4|fW*sg>NJmf+1@ z`6&qNfPHjT1$rX6VhEO^dI%vsipC#2ao~+egR7im8Uir@t%{iH=Q9(#0=5$RB=4^D jTXR>JH-c8E>BzQ+*)4rTyuQtX(+`DO6;_U-2>I;J;%PXG delta 130 zcmV-|0Db?W1)~K7FoFV~kpx2lFp)@(0Wh)GVgYJt05E0(F#wwm8IghZkf%d5VAvgL z#HC|WqsWubOcB1}p^ZnTwPScfKZ=F&G_ ksR3#(qZPkpt19J!eDCqNS-pN>&lSfiWa`f=dz=44(|=+*t^fc4 diff --git a/test/tests/caliptra_integration_tests/smoke_testdata/ldevid_cert.txt b/test/tests/caliptra_integration_tests/smoke_testdata/ldevid_cert.txt index 1c301b51c3..30930111d4 100644 --- a/test/tests/caliptra_integration_tests/smoke_testdata/ldevid_cert.txt +++ b/test/tests/caliptra_integration_tests/smoke_testdata/ldevid_cert.txt 
@@ -4,11 +4,11 @@ Certificate: Serial Number: 25:ee:ef:9a:4c:61:d4:b9:e3:d9:4b:ea:46:f9:a1:2a:c6:88:7c:e2 Signature Algorithm: ecdsa-with-SHA384 - Issuer: CN=Caliptra 1.0 IDevID/serialNumber=8E3C1A058F704A11821F7B48D340AEF99DDABADC1090D74D057FECCF73294ED6 + Issuer: CN=Caliptra 1.x IDevID/serialNumber=8E3C1A058F704A11821F7B48D340AEF99DDABADC1090D74D057FECCF73294ED6 Validity Not Before: Jan 1 00:00:00 2023 GMT Not After : Dec 31 23:59:59 9999 GMT - Subject: CN=Caliptra 1.0 LDevID/serialNumber=21EEEF9A4C61D4B9E3D94BEA46F9A12AC6887CE2188559F40FF95777E8014889 + Subject: CN=Caliptra 1.x LDevID/serialNumber=21EEEF9A4C61D4B9E3D94BEA46F9A12AC6887CE2188559F40FF95777E8014889 Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (384 bit) @@ -35,9 +35,9 @@ Certificate: 42:4F:3A:C7:45:DD:BD:50:15:05:7F:5B:F8:3E:9C:D6:48:10:B0:41 Signature Algorithm: ecdsa-with-SHA384 Signature Value: - 30:66:02:31:00:9b:0e:19:91:81:f6:90:a7:43:34:60:d8:1d: - 69:c4:a5:63:52:a3:c8:93:cf:4c:11:be:e1:a1:8d:47:a6:b5: - 63:78:42:3f:8a:85:f2:34:b4:ab:5a:18:01:f6:e7:ff:92:02: - 31:00:e1:21:cf:21:fe:44:09:81:95:01:fd:29:ad:f5:29:a9: - 01:6a:2e:a3:15:bf:65:ab:2a:e5:82:7c:ef:f1:b8:59:bd:7e: - 60:cf:15:c7:2a:64:ea:cf:2b:7b:9b:ff:42:d3 + 30:65:02:30:27:24:23:0f:77:0a:b4:a9:95:dc:a1:96:e0:cd: + 5d:f9:29:08:eb:80:7d:74:55:05:7a:22:b9:62:08:96:a2:7a: + 08:21:3d:8a:c6:1f:3c:71:e0:8d:48:83:ab:9c:64:1a:02:31: + 00:ad:8a:98:ea:e7:33:13:bb:02:b6:12:fa:24:ef:ae:f4:5b: + 73:57:97:37:82:56:a8:e9:c8:b6:87:d9:2d:7d:43:bc:be:cd: + 82:d3:0f:85:5a:15:56:8e:a2:08:f9:ec:ce 
diff --git a/test/tests/caliptra_integration_tests/smoke_testdata/rt_alias_cert_redacted.der b/test/tests/caliptra_integration_tests/smoke_testdata/rt_alias_cert_redacted.der index ceedb22ec9ad2292a1b51e6f12191ae71f1c45cc..597f9bc88654293c56422328e11fb53b28461cda 100644 GIT binary patch delta 72 zcmZo?`^n00(8Tl=h-(%wGchtTiA+osnW(J7TA|?P>pbyp(8PJxj1?1aonyIe(0F6= c8b&wnKsL7YMpjl9Mi%$Uj7;v6gP67g06%&bZ~y=R delta 75 zcmV-R0JQ)41&0O?FoFXEFoFV#paTK{0s<6~VHA-gBn2=aMomMJ-BOXBI{`3}+Rg;& hFoEWitN}&~Uj_zefdvHw0R&Z(0Rlsja1xV50<||)7B&C? diff --git a/test/tests/caliptra_integration_tests/smoke_testdata/rt_alias_cert_redacted.txt b/test/tests/caliptra_integration_tests/smoke_testdata/rt_alias_cert_redacted.txt index 439f9c6c66..fafd5bfd7a 100644 --- a/test/tests/caliptra_integration_tests/smoke_testdata/rt_alias_cert_redacted.txt +++ b/test/tests/caliptra_integration_tests/smoke_testdata/rt_alias_cert_redacted.txt @@ -4,11 +4,11 @@ Certificate: Serial Number: 44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44 Signature Algorithm: ecdsa-with-SHA384 - Issuer: CN=Caliptra 1.0 FMC Alias/serialNumber=DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD + Issuer: CN=Caliptra 1.x FMC Alias/serialNumber=DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD Validity Not Before: Jan 1 00:00:00 2023 GMT Not After : Dec 31 23:59:59 9999 GMT - Subject: CN=Caliptra 1.0 Rt Alias/serialNumber=DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD + Subject: CN=Caliptra 1.x Rt Alias/serialNumber=DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (384 bit) 
@@ -30,7 +30,7 @@ Certificate: 2.23.133.5.4.4: 0.................... 2.23.133.5.4.1: - DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD + DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD X509v3 Subject Key Identifier: 44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44:44 X509v3 Authority Key Identifier: diff --git a/x509/build/build.rs b/x509/build/build.rs index aa728c6eaa..dc116c3505 100644 --- a/x509/build/build.rs +++ b/x509/build/build.rs @@ -54,7 +54,7 @@ fn gen_init_devid_csr(out_dir: &str) { .add_basic_constraints_ext(true, 5) .add_key_usage_ext(usage) .add_ueid_ext(&[0xFF; 17]); - let template = bldr.tbs_template("Caliptra 1.0 IDevID"); + let template = bldr.tbs_template("Caliptra 1.x IDevID"); CodeGen::gen_code("InitDevIdCsrTbs", template, out_dir); } @@ -67,7 +67,7 @@ fn gen_local_devid_cert(out_dir: &str) { .add_basic_constraints_ext(true, 4) .add_key_usage_ext(usage) .add_ueid_ext(&[0xFF; 17]); - let template = bldr.tbs_template("Caliptra 1.0 LDevID", "Caliptra 1.0 IDevID"); + let template = bldr.tbs_template("Caliptra 1.x LDevID", "Caliptra 1.x IDevID"); CodeGen::gen_code("LocalDevIdCertTbs", template, out_dir); } @@ -98,7 +98,7 @@ fn gen_fmc_alias_cert(out_dir: &str) { }, }], ); - let template = bldr.tbs_template("Caliptra 1.0 FMC Alias", "Caliptra 1.0 LDevID"); + let template = bldr.tbs_template("Caliptra 1.x FMC Alias", "Caliptra 1.x LDevID"); CodeGen::gen_code("FmcAliasCertTbs", template, out_dir); } @@ -122,6 +122,6 @@ fn gen_rt_alias_cert(out_dir: &str) { digest: &[0xCD; 48], }, }]); - let template = bldr.tbs_template("Caliptra 1.0 Rt Alias", "Caliptra 1.0 FMC Alias"); + let template = bldr.tbs_template("Caliptra 1.x Rt Alias", "Caliptra 1.x FMC Alias"); CodeGen::gen_code("RtAliasCertTbs", template, out_dir); } diff --git a/x509/build/cert.rs b/x509/build/cert.rs index 966a6412bd..3ad2afd090 100644 --- a/x509/build/cert.rs +++ b/x509/build/cert.rs 
@@ -90,9 +90,11 @@ impl CertTemplateBuilder { device_fwids: &[FwidParam], fmc_fwids: &[FwidParam], ) -> Self { + // This method of finding the offsets is fragile. Especially for the 1 byte values. + // These may need to be updated to stay unique when the cert template is updated. let flags: u32 = 0xC0C1C2C3; let svn: u8 = 0xC4; - let svn_fuses: u8 = 0xC5; + let svn_fuses: u8 = 0xC6; self.exts .push(x509::make_fmc_dice_tcb_info_ext( diff --git a/x509/build/fmc_alias_cert_tbs.rs b/x509/build/fmc_alias_cert_tbs.rs index dfda357ba1..f8724c2441 100644 --- a/x509/build/fmc_alias_cert_tbs.rs +++ b/x509/build/fmc_alias_cert_tbs.rs @@ -46,17 +46,17 @@ impl FmcAliasCertTbs { const PUBLIC_KEY_OFFSET: usize = 319usize; const SUBJECT_SN_OFFSET: usize = 232usize; const ISSUER_SN_OFFSET: usize = 86usize; - const TCB_INFO_DEVICE_INFO_HASH_OFFSET: usize = 551usize; - const TCB_INFO_FMC_TCI_OFFSET: usize = 664usize; + const TCB_INFO_DEVICE_INFO_HASH_OFFSET: usize = 533usize; + const TCB_INFO_FMC_TCI_OFFSET: usize = 631usize; const SERIAL_NUMBER_OFFSET: usize = 11usize; - const SUBJECT_KEY_ID_OFFSET: usize = 733usize; - const AUTHORITY_KEY_ID_OFFSET: usize = 766usize; + const SUBJECT_KEY_ID_OFFSET: usize = 700usize; + const AUTHORITY_KEY_ID_OFFSET: usize = 733usize; const UEID_OFFSET: usize = 476usize; const NOT_BEFORE_OFFSET: usize = 154usize; const NOT_AFTER_OFFSET: usize = 171usize; - const TCB_INFO_FLAGS_OFFSET: usize = 602usize; - const TCB_INFO_FMC_SVN_OFFSET: usize = 646usize; - const TCB_INFO_FMC_SVN_FUSES_OFFSET: usize = 533usize; + const TCB_INFO_FLAGS_OFFSET: usize = 584usize; + const TCB_INFO_FMC_SVN_OFFSET: usize = 613usize; + const TCB_INFO_FMC_SVN_FUSES_OFFSET: usize = 515usize; const PUBLIC_KEY_LEN: usize = 97usize; const SUBJECT_SN_LEN: usize = 64usize; const ISSUER_SN_LEN: usize = 64usize; 
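Review bot: The added comment documents that the sentinel-based offset search is fragile, but nothing in the hunk enforces uniqueness, and moving `svn_fuses` from `0xC5` to `0xC6` without saying what `0xC5` now collided with leaves the next person to rediscover it. If the offset finder does not already do so (its code is outside this hunk), having it fail the build when a sentinel occurs zero or more than one time in the template would turn the next collision into a build error instead of a silently wrong offset. I would also extend the comment to record the collision, e.g. `// 0xC6: 0xC5 now appears elsewhere in the FMC template; keep all sentinels unique.` if that is indeed the reason. The enclosing method starts and ends outside the hunk.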
@@ -71,61 +71,58 @@ impl FmcAliasCertTbs { const TCB_INFO_FLAGS_LEN: usize = 4usize; const TCB_INFO_FMC_SVN_LEN: usize = 1usize; const TCB_INFO_FMC_SVN_FUSES_LEN: usize = 1usize; - pub const TBS_TEMPLATE_LEN: usize = 786usize; + pub const TBS_TEMPLATE_LEN: usize = 753usize; const TBS_TEMPLATE: [u8; Self::TBS_TEMPLATE_LEN] = [ - 48u8, 130u8, 3u8, 14u8, 160u8, 3u8, 2u8, 1u8, 2u8, 2u8, 20u8, 95u8, 95u8, 95u8, 95u8, 95u8, + 48u8, 130u8, 2u8, 237u8, 160u8, 3u8, 2u8, 1u8, 2u8, 2u8, 20u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, - 48u8, 10u8, 6u8, 8u8, 42u8, 134u8, 72u8, 206u8, 61u8, 4u8, 3u8, 3u8, 48u8, 105u8, 49u8, - 28u8, 48u8, 26u8, 6u8, 3u8, 85u8, 4u8, 3u8, 12u8, 19u8, 67u8, 97u8, 108u8, 105u8, 112u8, - 116u8, 114u8, 97u8, 32u8, 49u8, 46u8, 48u8, 32u8, 76u8, 68u8, 101u8, 118u8, 73u8, 68u8, - 49u8, 73u8, 48u8, 71u8, 6u8, 3u8, 85u8, 4u8, 5u8, 19u8, 64u8, 95u8, 95u8, 95u8, 95u8, 95u8, + 95u8, 48u8, 10u8, 6u8, 8u8, 42u8, 134u8, 72u8, 206u8, 61u8, 4u8, 3u8, 3u8, 48u8, 105u8, + 49u8, 28u8, 48u8, 26u8, 6u8, 3u8, 85u8, 4u8, 3u8, 12u8, 19u8, 67u8, 97u8, 108u8, 105u8, + 112u8, 116u8, 114u8, 97u8, 32u8, 49u8, 46u8, 120u8, 32u8, 76u8, 68u8, 101u8, 118u8, 73u8, + 68u8, 49u8, 73u8, 48u8, 71u8, 6u8, 3u8, 85u8, 4u8, 5u8, 19u8, 64u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, - 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 48u8, - 34u8, 24u8, 15u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, - 95u8, 95u8, 95u8, 24u8, 15u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, - 95u8, 95u8, 95u8, 95u8, 95u8, 48u8, 108u8, 49u8, 31u8, 48u8, 29u8, 6u8, 3u8, 85u8, 4u8, - 3u8, 12u8, 22u8, 67u8, 97u8, 
108u8, 105u8, 112u8, 116u8, 114u8, 97u8, 32u8, 49u8, 46u8, - 48u8, 32u8, 70u8, 77u8, 67u8, 32u8, 65u8, 108u8, 105u8, 97u8, 115u8, 49u8, 73u8, 48u8, - 71u8, 6u8, 3u8, 85u8, 4u8, 5u8, 19u8, 64u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, + 48u8, 34u8, 24u8, 15u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, + 95u8, 95u8, 95u8, 95u8, 24u8, 15u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, + 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 48u8, 108u8, 49u8, 31u8, 48u8, 29u8, 6u8, 3u8, 85u8, + 4u8, 3u8, 12u8, 22u8, 67u8, 97u8, 108u8, 105u8, 112u8, 116u8, 114u8, 97u8, 32u8, 49u8, + 46u8, 120u8, 32u8, 70u8, 77u8, 67u8, 32u8, 65u8, 108u8, 105u8, 97u8, 115u8, 49u8, 73u8, + 48u8, 71u8, 6u8, 3u8, 85u8, 4u8, 5u8, 19u8, 64u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, - 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 48u8, 118u8, 48u8, 16u8, - 6u8, 7u8, 42u8, 134u8, 72u8, 206u8, 61u8, 2u8, 1u8, 6u8, 5u8, 43u8, 129u8, 4u8, 0u8, 34u8, - 3u8, 98u8, 0u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, + 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 48u8, 118u8, 48u8, + 16u8, 6u8, 7u8, 42u8, 134u8, 72u8, 206u8, 61u8, 2u8, 1u8, 6u8, 5u8, 43u8, 129u8, 4u8, 0u8, + 34u8, 3u8, 98u8, 0u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 
95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, - 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 163u8, 130u8, 1u8, 110u8, 48u8, - 130u8, 1u8, 106u8, 48u8, 18u8, 6u8, 3u8, 85u8, 29u8, 19u8, 1u8, 1u8, 255u8, 4u8, 8u8, 48u8, - 6u8, 1u8, 1u8, 255u8, 2u8, 1u8, 3u8, 48u8, 14u8, 6u8, 3u8, 85u8, 29u8, 15u8, 1u8, 1u8, - 255u8, 4u8, 4u8, 3u8, 2u8, 2u8, 4u8, 48u8, 31u8, 6u8, 6u8, 103u8, 129u8, 5u8, 5u8, 4u8, - 4u8, 4u8, 21u8, 48u8, 19u8, 4u8, 17u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, - 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 48u8, 129u8, 226u8, 6u8, 6u8, 103u8, - 129u8, 5u8, 5u8, 4u8, 5u8, 4u8, 129u8, 215u8, 48u8, 129u8, 212u8, 48u8, 114u8, 128u8, 8u8, - 67u8, 97u8, 108u8, 105u8, 112u8, 116u8, 114u8, 97u8, 129u8, 6u8, 68u8, 101u8, 118u8, 105u8, - 99u8, 101u8, 131u8, 2u8, 1u8, 95u8, 166u8, 63u8, 48u8, 61u8, 6u8, 9u8, 96u8, 134u8, 72u8, - 1u8, 101u8, 3u8, 4u8, 2u8, 2u8, 4u8, 48u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, + 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 163u8, 130u8, 1u8, 77u8, + 48u8, 130u8, 1u8, 73u8, 48u8, 18u8, 6u8, 3u8, 85u8, 29u8, 19u8, 1u8, 1u8, 255u8, 4u8, 8u8, + 48u8, 6u8, 1u8, 1u8, 255u8, 2u8, 1u8, 3u8, 48u8, 14u8, 6u8, 3u8, 85u8, 29u8, 15u8, 1u8, + 1u8, 255u8, 4u8, 4u8, 3u8, 2u8, 2u8, 4u8, 48u8, 31u8, 6u8, 6u8, 103u8, 129u8, 5u8, 5u8, + 4u8, 4u8, 4u8, 21u8, 48u8, 19u8, 4u8, 17u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, + 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 48u8, 129u8, 193u8, 6u8, 6u8, 103u8, + 129u8, 5u8, 5u8, 4u8, 5u8, 4u8, 129u8, 182u8, 48u8, 129u8, 179u8, 48u8, 96u8, 131u8, 2u8, + 1u8, 95u8, 166u8, 63u8, 48u8, 61u8, 6u8, 9u8, 96u8, 134u8, 72u8, 1u8, 101u8, 3u8, 4u8, 2u8, + 2u8, 4u8, 48u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, - 
95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 135u8, 5u8, 0u8, 95u8, 95u8, - 95u8, 95u8, 137u8, 11u8, 68u8, 69u8, 86u8, 73u8, 67u8, 69u8, 95u8, 73u8, 78u8, 70u8, 79u8, - 138u8, 5u8, 0u8, 128u8, 0u8, 0u8, 11u8, 48u8, 94u8, 128u8, 8u8, 67u8, 97u8, 108u8, 105u8, - 112u8, 116u8, 114u8, 97u8, 129u8, 3u8, 70u8, 77u8, 67u8, 131u8, 2u8, 1u8, 95u8, 166u8, - 63u8, 48u8, 61u8, 6u8, 9u8, 96u8, 134u8, 72u8, 1u8, 101u8, 3u8, 4u8, 2u8, 2u8, 4u8, 48u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, + 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 135u8, 5u8, 0u8, 95u8, 95u8, 95u8, 95u8, 137u8, 11u8, + 68u8, 69u8, 86u8, 73u8, 67u8, 69u8, 95u8, 73u8, 78u8, 70u8, 79u8, 138u8, 5u8, 0u8, 208u8, + 0u8, 0u8, 1u8, 48u8, 79u8, 131u8, 2u8, 1u8, 95u8, 166u8, 63u8, 48u8, 61u8, 6u8, 9u8, 96u8, + 134u8, 72u8, 1u8, 101u8, 3u8, 4u8, 2u8, 2u8, 4u8, 48u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, - 95u8, 95u8, 95u8, 137u8, 8u8, 70u8, 77u8, 67u8, 95u8, 73u8, 78u8, 70u8, 79u8, 48u8, 29u8, - 6u8, 3u8, 85u8, 29u8, 14u8, 4u8, 22u8, 4u8, 20u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, - 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 48u8, 31u8, - 6u8, 3u8, 85u8, 29u8, 35u8, 4u8, 24u8, 48u8, 22u8, 128u8, 20u8, 95u8, 95u8, 95u8, 95u8, - 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, - 95u8, + 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 137u8, 8u8, 70u8, + 77u8, 67u8, 95u8, 73u8, 78u8, 70u8, 79u8, 48u8, 29u8, 6u8, 3u8, 85u8, 29u8, 14u8, 4u8, + 22u8, 4u8, 20u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, + 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 48u8, 31u8, 6u8, 3u8, 85u8, 29u8, 35u8, + 4u8, 24u8, 48u8, 22u8, 128u8, 20u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 
95u8, 95u8, 95u8, + 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, ]; pub fn new(params: &FmcAliasCertTbsParams) -> Self { let mut template = Self { @@ -146,7 +143,7 @@ impl FmcAliasCertTbs { fn apply(&mut self, params: &FmcAliasCertTbsParams) { #[inline(always)] fn apply_slice( - buf: &mut [u8; 786usize], + buf: &mut [u8; 753usize], val: &[u8; LEN], ) { buf[OFFSET..OFFSET + LEN].copy_from_slice(val); diff --git a/x509/build/init_dev_id_csr_tbs.rs b/x509/build/init_dev_id_csr_tbs.rs index c989be7267..e4139c01ad 100644 --- a/x509/build/init_dev_id_csr_tbs.rs +++ b/x509/build/init_dev_id_csr_tbs.rs @@ -31,7 +31,7 @@ impl InitDevIdCsrTbs { const TBS_TEMPLATE: [u8; Self::TBS_TEMPLATE_LEN] = [ 48u8, 130u8, 1u8, 62u8, 2u8, 1u8, 0u8, 48u8, 105u8, 49u8, 28u8, 48u8, 26u8, 6u8, 3u8, 85u8, 4u8, 3u8, 12u8, 19u8, 67u8, 97u8, 108u8, 105u8, 112u8, 116u8, 114u8, 97u8, 32u8, 49u8, - 46u8, 48u8, 32u8, 73u8, 68u8, 101u8, 118u8, 73u8, 68u8, 49u8, 73u8, 48u8, 71u8, 6u8, 3u8, + 46u8, 120u8, 32u8, 73u8, 68u8, 101u8, 118u8, 73u8, 68u8, 49u8, 73u8, 48u8, 71u8, 6u8, 3u8, 85u8, 4u8, 5u8, 19u8, 64u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, diff --git a/x509/build/local_dev_id_cert_tbs.rs b/x509/build/local_dev_id_cert_tbs.rs index adb180a84c..b9b0fcdf77 100644 --- a/x509/build/local_dev_id_cert_tbs.rs +++ b/x509/build/local_dev_id_cert_tbs.rs 
@@ -57,7 +57,7 @@ impl LocalDevIdCertTbs { 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 48u8, 10u8, 6u8, 8u8, 42u8, 134u8, 72u8, 206u8, 61u8, 4u8, 3u8, 3u8, 48u8, 105u8, 49u8, 28u8, 48u8, 26u8, 6u8, 3u8, 85u8, 4u8, 3u8, 12u8, 19u8, 67u8, 97u8, 108u8, 105u8, 112u8, - 116u8, 114u8, 97u8, 32u8, 49u8, 46u8, 48u8, 32u8, 73u8, 68u8, 101u8, 118u8, 73u8, 68u8, + 116u8, 114u8, 97u8, 32u8, 49u8, 46u8, 120u8, 32u8, 73u8, 68u8, 101u8, 118u8, 73u8, 68u8, 49u8, 73u8, 48u8, 71u8, 6u8, 3u8, 85u8, 4u8, 5u8, 19u8, 64u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, @@ -67,7 +67,7 @@ impl LocalDevIdCertTbs { 95u8, 95u8, 95u8, 24u8, 15u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 48u8, 105u8, 49u8, 28u8, 48u8, 26u8, 6u8, 3u8, 85u8, 4u8, 3u8, 12u8, 19u8, 67u8, 97u8, 108u8, 105u8, 112u8, 116u8, 114u8, 97u8, 32u8, 49u8, 46u8, - 48u8, 32u8, 76u8, 68u8, 101u8, 118u8, 73u8, 68u8, 49u8, 73u8, 48u8, 71u8, 6u8, 3u8, 85u8, + 120u8, 32u8, 76u8, 68u8, 101u8, 118u8, 73u8, 68u8, 49u8, 73u8, 48u8, 71u8, 6u8, 3u8, 85u8, 4u8, 5u8, 19u8, 64u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, diff --git a/x509/build/rt_alias_cert_tbs.rs b/x509/build/rt_alias_cert_tbs.rs index 5b59b9d184..213ea9aefd 100644 --- a/x509/build/rt_alias_cert_tbs.rs +++ b/x509/build/rt_alias_cert_tbs.rs 
@@ -40,14 +40,14 @@ impl RtAliasCertTbs { const PUBLIC_KEY_OFFSET: usize = 321usize; const SUBJECT_SN_OFFSET: usize = 234usize; const ISSUER_SN_OFFSET: usize = 89usize; - const TCB_INFO_RT_TCI_OFFSET: usize = 542usize; + const TCB_INFO_RT_TCI_OFFSET: usize = 528usize; const SERIAL_NUMBER_OFFSET: usize = 11usize; - const SUBJECT_KEY_ID_OFFSET: usize = 601usize; - const AUTHORITY_KEY_ID_OFFSET: usize = 634usize; + const SUBJECT_KEY_ID_OFFSET: usize = 587usize; + const AUTHORITY_KEY_ID_OFFSET: usize = 620usize; const UEID_OFFSET: usize = 476usize; const NOT_BEFORE_OFFSET: usize = 157usize; const NOT_AFTER_OFFSET: usize = 174usize; - const TCB_INFO_RT_SVN_OFFSET: usize = 524usize; + const TCB_INFO_RT_SVN_OFFSET: usize = 510usize; const PUBLIC_KEY_LEN: usize = 97usize; const SUBJECT_SN_LEN: usize = 64usize; const ISSUER_SN_LEN: usize = 64usize; 
@@ -59,13 +59,13 @@ impl RtAliasCertTbs { const NOT_BEFORE_LEN: usize = 15usize; const NOT_AFTER_LEN: usize = 15usize; const TCB_INFO_RT_SVN_LEN: usize = 1usize; - pub const TBS_TEMPLATE_LEN: usize = 654usize; + pub const TBS_TEMPLATE_LEN: usize = 640usize; const TBS_TEMPLATE: [u8; Self::TBS_TEMPLATE_LEN] = [ - 48u8, 130u8, 2u8, 138u8, 160u8, 3u8, 2u8, 1u8, 2u8, 2u8, 20u8, 95u8, 95u8, 95u8, 95u8, + 48u8, 130u8, 2u8, 124u8, 160u8, 3u8, 2u8, 1u8, 2u8, 2u8, 20u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 48u8, 10u8, 6u8, 8u8, 42u8, 134u8, 72u8, 206u8, 61u8, 4u8, 3u8, 3u8, 48u8, 108u8, 49u8, 31u8, 48u8, 29u8, 6u8, 3u8, 85u8, 4u8, 3u8, 12u8, 22u8, 67u8, 97u8, 108u8, 105u8, - 112u8, 116u8, 114u8, 97u8, 32u8, 49u8, 46u8, 48u8, 32u8, 70u8, 77u8, 67u8, 32u8, 65u8, + 112u8, 116u8, 114u8, 97u8, 32u8, 49u8, 46u8, 120u8, 32u8, 70u8, 77u8, 67u8, 32u8, 65u8, 108u8, 105u8, 97u8, 115u8, 49u8, 73u8, 48u8, 71u8, 6u8, 3u8, 85u8, 4u8, 5u8, 19u8, 64u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, @@ -75,7 +75,7 @@ impl RtAliasCertTbs { 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 24u8, 15u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 48u8, 107u8, 49u8, 30u8, 48u8, 28u8, 6u8, 3u8, 85u8, 4u8, 3u8, 12u8, 21u8, 67u8, 97u8, 108u8, 105u8, 112u8, 116u8, 114u8, - 97u8, 32u8, 49u8, 46u8, 48u8, 32u8, 82u8, 116u8, 32u8, 65u8, 108u8, 105u8, 97u8, 115u8, + 97u8, 32u8, 49u8, 46u8, 120u8, 32u8, 82u8, 116u8, 32u8, 65u8, 108u8, 105u8, 97u8, 115u8, 49u8, 73u8, 48u8, 71u8, 6u8, 3u8, 85u8, 4u8, 5u8, 19u8, 64u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 
@@ -89,13 +89,12 @@ impl RtAliasCertTbs { 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 163u8, - 129u8, 233u8, 48u8, 129u8, 230u8, 48u8, 18u8, 6u8, 3u8, 85u8, 29u8, 19u8, 1u8, 1u8, 255u8, + 129u8, 219u8, 48u8, 129u8, 216u8, 48u8, 18u8, 6u8, 3u8, 85u8, 29u8, 19u8, 1u8, 1u8, 255u8, 4u8, 8u8, 48u8, 6u8, 1u8, 1u8, 255u8, 2u8, 1u8, 2u8, 48u8, 14u8, 6u8, 3u8, 85u8, 29u8, 15u8, 1u8, 1u8, 255u8, 4u8, 4u8, 3u8, 2u8, 2u8, 132u8, 48u8, 31u8, 6u8, 6u8, 103u8, 129u8, 5u8, 5u8, 4u8, 4u8, 4u8, 21u8, 48u8, 19u8, 4u8, 17u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, - 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 48u8, 95u8, 6u8, 6u8, - 103u8, 129u8, 5u8, 5u8, 4u8, 1u8, 4u8, 85u8, 48u8, 83u8, 128u8, 8u8, 67u8, 97u8, 108u8, - 105u8, 112u8, 116u8, 114u8, 97u8, 129u8, 2u8, 82u8, 84u8, 131u8, 2u8, 1u8, 95u8, 166u8, + 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 48u8, 81u8, 6u8, 6u8, + 103u8, 129u8, 5u8, 5u8, 4u8, 1u8, 4u8, 71u8, 48u8, 69u8, 131u8, 2u8, 1u8, 95u8, 166u8, 63u8, 48u8, 61u8, 6u8, 9u8, 96u8, 134u8, 72u8, 1u8, 101u8, 3u8, 4u8, 2u8, 2u8, 4u8, 48u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, 95u8, @@ -125,7 +124,7 @@ impl RtAliasCertTbs { fn apply(&mut self, params: &RtAliasCertTbsParams) { #[inline(always)] fn apply_slice( - buf: &mut [u8; 654usize], + buf: &mut [u8; 640usize], val: &[u8; LEN], ) { buf[OFFSET..OFFSET + LEN].copy_from_slice(val); diff --git a/x509/build/x509.rs b/x509/build/x509.rs index 71385942be..b75501a7aa 100644 --- a/x509/build/x509.rs +++ b/x509/build/x509.rs 
@@ -316,12 +316,12 @@ pub fn make_fmc_dice_tcb_info_ext( let wide_svn_fuses = fixed_width_svn(svn_fuses); let be_flags = flags.to_be_bytes(); - let be_flags_mask = FLAG_MASK.to_be_bytes(); + let be_flags_mask = FLAG_MASK.reverse_bits().to_be_bytes(); let device_asn1_fwids: Vec<&Fwid> = device_fwids.iter().map(|f| &f.fwid).collect(); let device_info = TcbInfo { - vendor: Some(asn1::Utf8String::new("Caliptra")), - model: Some(asn1::Utf8String::new("Device")), + vendor: None, + model: None, version: None, svn: Some(wide_svn_fuses.into()), layer: None, @@ -335,8 +335,8 @@ pub fn make_fmc_dice_tcb_info_ext( let fmc_asn1_fwids: Vec<&Fwid> = fmc_fwids.iter().map(|f| &f.fwid).collect(); let fmc_info = TcbInfo { - vendor: Some(asn1::Utf8String::new("Caliptra")), - model: Some(asn1::Utf8String::new("FMC")), + vendor: None, + model: None, version: None, svn: Some(wide_svn.into()), layer: None, @@ -362,8 +362,8 @@ pub fn make_rt_dice_tcb_info_ext(svn: u8, fwids: &[FwidParam]) -> X509Extension let asn1_fwids: Vec<&Fwid> = fwids.iter().map(|f| &f.fwid).collect(); let rt_info = TcbInfo { - vendor: Some(asn1::Utf8String::new("Caliptra")), - model: Some(asn1::Utf8String::new("RT")), + vendor: None, + model: None, version: None, svn: Some(wide_svn.into()), layer: None, @@ -421,6 +421,16 @@ pub fn get_tbs(der: Vec) -> Vec { pub fn init_param(needle: &[u8], haystack: &[u8], param: TbsParam) -> TbsParam { assert_eq!(needle.len(), param.len); eprintln!("{}", param.name); + // Throw an error if there are multiple instances of our "needle" + // This could lead to incorrect offsets in the cert template + if haystack.windows(param.len).filter(|w| *w == needle).count() > 1 { + panic!( + "Multiple instances of needle '{}' with value\n\n{}\n\nin haystack\n\n{}", + param.name, + needle.encode_hex::(), + haystack.encode_hex::() + ); + } let pos = haystack.windows(param.len).position(|w| w == needle); match pos {
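Review bot: `be_flags_mask` is now bit-reversed while `be_flags` two lines above is still emitted straight from `flags.to_be_bytes()`, so the two are only consistent if the caller already builds `flags` in DER BIT STRING order (bit 0 = MSB of the first octet) while `FLAG_MASK` is kept in `1 << n` order; nothing in this hunk states that, and a mismatch would make a verifier mask out exactly the notSecure/debug bits it is supposed to check. I would add a comment on the new line such as `// FLAG_MASK uses 1<<n for DICE flag bit n; a DER BIT STRING numbers bit 0 as the MSB of the first octet, so reverse before encoding` and a build-time test that decodes the generated extension and asserts each FLAG_BIT_* constant lands on the expected mask octet, so the ordering cannot silently regress. With vendor/model dropped from both TcbInfo entries, the `DEVICE_INFO`/`FMC_INFO` `type` strings visible in the regenerated FMC template bytes appear to be the only discriminator left between the device and FMC entries, which deserves a one-line comment where `type` is set. The body of make_fmc_dice_tcb_info_ext continues outside the hunk.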