Accomodate pathLen when checking certificate

Fix #2831. Signed-off-by: Steven Bellock <sbellock@nvidia.com>
DMTF · Sep 30, 2024 · cbff9e5 · cbff9e5
1 parent 525ba87
commit cbff9e5
Showing 1 changed file with 16 additions and 10 deletions.
diff --git a/library/spdm_crypt_lib/libspdm_crypt_cert.c b/library/spdm_crypt_lib/libspdm_crypt_cert.c
@@ -813,13 +813,13 @@ static bool libspdm_verify_set_cert_leaf_cert_basic_constraints(
     const uint8_t *cert, size_t cert_size, uint8_t cert_model, bool need_basic_constraints)
 {
     bool status;
-    /* basic_constraints from certificate. */
-    uint8_t cert_basic_constraints[LIBSPDM_MAX_BASIC_CONSTRAINTS_CA_LEN];
+    /* basic_constraints from certificate. Add space for pathLen. */
+    uint8_t cert_basic_constraints[LIBSPDM_MAX_BASIC_CONSTRAINTS_CA_LEN + 10];
     size_t len;
 
-    uint8_t basic_constraints_false_case1[] = BASIC_CONSTRAINTS_STRING_FALSE_CASE1;
-    uint8_t basic_constraints_false_case2[] = BASIC_CONSTRAINTS_STRING_FALSE_CASE2;
-    uint8_t basic_constraints_true_case[] = BASIC_CONSTRAINTS_STRING_TRUE_CASE;
+    const uint8_t basic_constraints_false_case1[] = BASIC_CONSTRAINTS_STRING_FALSE_CASE1;
+    const uint8_t basic_constraints_false_case2[] = BASIC_CONSTRAINTS_STRING_FALSE_CASE2;
+    const uint8_t basic_constraints_true_case[] = BASIC_CONSTRAINTS_STRING_TRUE_CASE;
 
     len = LIBSPDM_MAX_BASIC_CONSTRAINTS_CA_LEN;
 
@@ -851,11 +851,17 @@ static bool libspdm_verify_set_cert_leaf_cert_basic_constraints(
     } else {
         /* Alias certificate model. */
         if (need_basic_constraints || (len != 0)) {
-            if ((len == sizeof(basic_constraints_true_case)) &&
-                (libspdm_consttime_is_mem_equal(cert_basic_constraints,
-                                                basic_constraints_true_case,
-                                                sizeof(basic_constraints_true_case)))) {
-                return true;
+            /* basicConstraints may include the pathLen field. Therefore do not check sequence
+             * length. */
+            if (len >= sizeof(basic_constraints_true_case)) {
+                if (cert_basic_constraints[0] != basic_constraints_true_case[0]) {
+                    return false;
+                }
+                if  (libspdm_consttime_is_mem_equal(&cert_basic_constraints[2],
+                                                    &basic_constraints_true_case[2],
+                                                    sizeof(basic_constraints_true_case) - 2)) {
+                    return true;
+                }
             }
         }
     }