diff --git a/library/spdm_crypt_lib/libspdm_crypt_cert.c b/library/spdm_crypt_lib/libspdm_crypt_cert.c index d439b95edbc..dcb3fa91e8d 100644 --- a/library/spdm_crypt_lib/libspdm_crypt_cert.c +++ b/library/spdm_crypt_lib/libspdm_crypt_cert.c @@ -813,13 +813,13 @@ static bool libspdm_verify_set_cert_leaf_cert_basic_constraints( const uint8_t *cert, size_t cert_size, uint8_t cert_model, bool need_basic_constraints) { bool status; - /* basic_constraints from certificate. */ - uint8_t cert_basic_constraints[LIBSPDM_MAX_BASIC_CONSTRAINTS_CA_LEN]; + /* basic_constraints from certificate. Add space for pathLen. */ + uint8_t cert_basic_constraints[LIBSPDM_MAX_BASIC_CONSTRAINTS_CA_LEN + 10]; size_t len; - uint8_t basic_constraints_false_case1[] = BASIC_CONSTRAINTS_STRING_FALSE_CASE1; - uint8_t basic_constraints_false_case2[] = BASIC_CONSTRAINTS_STRING_FALSE_CASE2; - uint8_t basic_constraints_true_case[] = BASIC_CONSTRAINTS_STRING_TRUE_CASE; + const uint8_t basic_constraints_false_case1[] = BASIC_CONSTRAINTS_STRING_FALSE_CASE1; + const uint8_t basic_constraints_false_case2[] = BASIC_CONSTRAINTS_STRING_FALSE_CASE2; + const uint8_t basic_constraints_true_case[] = BASIC_CONSTRAINTS_STRING_TRUE_CASE; len = LIBSPDM_MAX_BASIC_CONSTRAINTS_CA_LEN; @@ -851,11 +851,17 @@ static bool libspdm_verify_set_cert_leaf_cert_basic_constraints( } else { /* Alias certificate model. */ if (need_basic_constraints || (len != 0)) { - if ((len == sizeof(basic_constraints_true_case)) && - (libspdm_consttime_is_mem_equal(cert_basic_constraints, - basic_constraints_true_case, - sizeof(basic_constraints_true_case)))) { - return true; + /* basicConstraints may include the pathLen field. Therefore do not check sequence + * length. */ + if (len >= sizeof(basic_constraints_true_case)) { + if (cert_basic_constraints[0] != basic_constraints_true_case[0]) { + return false; + } + if (libspdm_consttime_is_mem_equal(&cert_basic_constraints[2], + &basic_constraints_true_case[2], + sizeof(basic_constraints_true_case) - 2)) { + return true; + } } } }