Refactor certificate generation code in CertifyKey #373

clundin25 · 2025-01-13T21:44:07Z

Refactor certificate generation code in CertifyKey to common code so it can be used in DeriveContext.

crypto/src/lib.rs

crypto/src/openssl.rs

dpe/src/commands/certify_key.rs

dpe/src/x509.rs

jhand2 · 2025-01-14T00:21:08Z

dpe/src/x509.rs

+        CertificateType::Exported => {
+            let cdi = env
+                .crypto
+                .derive_exported_cdi(algs, &digest, args.cdi_label)?;


nit: I wonder if the key derivation code should stay in the CertifyKey command implementation. Since it's not really related to X.509.

I agree but I could not think of a way to do it.

Since they are an associated type of DpeEnv<impl DpeTypes> I don't think there is a type that we can use in the function signature.

Any ideas?

The CDI is an associated type, but the key pair derivation functions return a raw public key that we can just pass into this function, right?

I think the private key is still needed for the exported certificate since it's self signed.

This has made me realized that when I refactored the code, I deleted this portion!

As discussed offlne, the cert should still be signed by the alias key

…it can be used in DeriveContext.

jhand2 · 2025-01-15T21:28:53Z

dpe/src/x509.rs

+    pub cdi_label: &'a [u8],
+    pub key_label: &'a [u8],
+    pub context: &'a [u8],


nit: Can you comment where each of these are used in derivation? Mainly that context is used for both (I think)

clundin25 marked this pull request as ready for review January 13, 2025 21:44

clundin25 commented Jan 13, 2025

View reviewed changes

crypto/src/lib.rs Outdated Show resolved Hide resolved

clundin25 requested a review from jhand2 January 13, 2025 21:45

clundin25 force-pushed the refactor-x509 branch from 8b484b1 to f2b4f4c Compare January 13, 2025 21:59