Add ignore unhandle critical extension check flag

Fix the issue: #2678 The default cert check doesn't have the flag. The user can use the following build commad to add the flag. cmake -G"NMake Makefiles" -DARCH=x64 -DTOOLCHAIN=VS2019 -DTARGET=Release -DCRYPTO=openssl -DX509_IGNORE_CRITICAL=ON .. cmake -G"NMake Makefiles" -DARCH=x64 -DTOOLCHAIN=VS2019 -DTARGET=Release -DCRYPTO=mbedtls -DX509_IGNORE_CRITICAL=ON .. Signed-off-by: Wenxing Hou <[email protected]>
DMTF · May 7, 2024 · 20640c8 · 20640c8
1 parent ee8ab31
commit 20640c8
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 2 deletions.
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -19,6 +19,7 @@ SET(CRYPTO ${CRYPTO} CACHE STRING "Choose the crypto of build: mbedtls openssl"
 SET(GCOV ${GCOV} CACHE STRING "Choose the target of Gcov: ON  OFF, and default is OFF" FORCE)
 SET(STACK_USAGE ${STACK_USAGE} CACHE STRING "Choose the target of STACK_USAGE: ON  OFF, and default is OFF" FORCE)
 SET(BUILD_LINUX_SHARED_LIB ${BUILD_LINUX_SHARED_LIB} CACHE STRING "Choose if libspdm shared library should be built for linux: ON OFF, and default is OFF" FORCE)
+SET(X509_IGNORE_CRITICAL ${X509_IGNORE_CRITICAL} CACHE STRING "Choose if libspdm-provided cryptography libraries (OpenSSL and MbedTLS) ignore unsupported critical extensions in certificates : ON OFF, and default is OFF" FORCE)
 
 if(NOT GCOV)
     SET(GCOV "OFF")
@@ -32,6 +33,10 @@ if(NOT BUILD_LINUX_SHARED_LIB)
     SET(BUILD_LINUX_SHARED_LIB "OFF")
 endif()
 
+if(NOT X509_IGNORE_CRITICAL)
+    SET(X509_IGNORE_CRITICAL "OFF")
+endif()
+
 SET(LIBSPDM_DIR ${PROJECT_SOURCE_DIR})
 
 #
@@ -164,6 +169,14 @@ else()
     MESSAGE(FATAL_ERROR "Unknown CRYPTO")
 endif()
 
+if (X509_IGNORE_CRITICAL STREQUAL "ON")
+    if (CRYPTO STREQUAL "openssl")
+        add_definitions(-DOPENSSL_IGNORE_CRITICAL=1)
+    else()
+        add_definitions(-DMBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION)
+    endif()
+endif()
+
 if(ENABLE_BINARY_BUILD STREQUAL "1")
     if(NOT CRYPTO STREQUAL "openssl")
         MESSAGE(FATAL_ERROR "enabling binary build not supported for non-openssl")

diff --git a/os_stub/cryptlib_openssl/pk/x509.c b/os_stub/cryptlib_openssl/pk/x509.c
@@ -1873,17 +1873,20 @@ bool libspdm_x509_verify_cert(const uint8_t *cert, size_t cert_size,
         goto done;
     }
 
-
     /* Allow partial certificate chains, terminated by a non-self-signed but
      * still trusted intermediate certificate.
      */
 
     X509_STORE_set_flags(cert_store, X509_V_FLAG_PARTIAL_CHAIN);
+
+#if OPENSSL_IGNORE_CRITICAL
+    X509_STORE_set_flags(cert_store, X509_V_FLAG_IGNORE_CRITICAL);
+#endif
+
 #ifndef OPENSSL_CHECK_TIME
     X509_STORE_set_flags(cert_store, X509_V_FLAG_NO_CHECK_TIME);
 #endif
 
-
     /* Set up X509_STORE_CTX for the subsequent verification operation.*/
 
     cert_ctx = X509_STORE_CTX_new();

diff --git a/unit_test/test_spdm_callback/spdm_cert_verify_callback.c b/unit_test/test_spdm_callback/spdm_cert_verify_callback.c
@@ -265,6 +265,7 @@ bool libspdm_verify_spdm_cert_chain_with_dice(void *spdm_context, uint8_t slot_i
                 if (cert_dice_tcb_info_size == 0) {
                     return false;
                 }
+                number_dice_tcb_info++;
             } else {
                 if (cert_dice_tcb_info_size != 0) {
                     cert_chain_have_matched_dice = true;