libsdpm - VerifyCertificateChainBuffer - FAIL (leaf certificate check failed)

[venkyn2]

Hi Team,

I am trying to fetch the certificate, but libspdm says the leaf certificate failed. The app in development fetches the certificate, the call goes through, however, i get an error saying "VerifyCertificateChainBuffer - FAIL (leaf certificate check failed)!!" but i dumped the data to file and we see there is a CA certificate.

What is expected? Should I expect the leaf certificate to be present? Any suggestions will be much appreciated. Should i

!!! VerifyCertificateChainBuffer - FAIL (leaf certificate check failed)!!!
libspdm_get_certificate(slot=0) rc=0x80020001 size=3736

openssl x509 -inform DER -in /tmp/spdm_sl*.der -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4097 (0x1001)
Signature Algorithm: ecdsa-with-SHA384
Issuer: C=US, ST=California, O=Broadcom, OU=ECD, CN=Broadcom Emulex Root CA-DCSG01300295
HBA-DCSG01300296
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
HBA-DCSG01300296
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey

Regards,
Venky

[steven-bellock]

openssl x509 -inform DER -in /tmp/spdm_sl*.der -noout -text

will only print the first certificate in the chain.

openssl storeutl -noout -text -certs certificate_chain.der

will print the entire certificate chain.

[steven-bellock]

@venkyn2 using scratch buffer for certificate processing is a future improvement. @lordaule recommended increasing the value of LIBSPDM_MAX_EXTENSION_LEN.

[venkyn2]

#define LIBSPDM_MAX_EXTENSION_LEN 50

• Forgot to mention earlier, I had increased it to 50bytes. Should I increase further?

[steven-bellock]

Sure, make it 1000. But if that does not work then maybe @bhenning10 and/or @jcahill0 can help. They work at Broadcom and use libspdm.

[shripadn1980]

BRCM ECD Leaf certs had 2 issues.
In our Leaf Cert, we had set CA=FALSE explicitly, even though False is the default value.
According X690 spec section 11.5, if the value set is the default value, it should not be encoded.

The other issue was with the encoding of the SPDM extension DMTF-SPDM Object Id: 1.3.6.1.4.1.412.274.5
We had encoded this as a SEQUENCE. It should be encoded as SEQUENCE of SEQUENCE.
// SEQUENCE {
   // SEQUENCE {
   // OBJECT IDENTIFIER 1.3.6.1.4.1.412.274.5
   // }
// }

We have fixed both issues in FW. I am not sure which FW version is being used. Please retry with the latest FW.

/Shripad

[steven-bellock]

In our Leaf Cert, we had set CA=FALSE explicitly, even though False is the default value.
According X690 spec section 11.5, if the value set is the default value, it should not be encoded.

X690 says it is possible, but does not recommend one way or the other. I always prefer explicitness. But either way, libspdm supposedly accommodates both encodings.

Ah yes, DER requires that default sequence values not be present. This is being discussed in https://github.com/DMTF/SPDM-WG/issues/4416 in the context of SPDM 1.3.

[steven-bellock]

@venkyn2 were you able to get the new firmware and pass certificate chain validation?

[venkyn2]

The new firmware indeed resolved the certificate issue. Thanks for the support @steven-bellock