ibmse: use optional root_ca when launch kbs

- Make root_ca optional - Check certs offline by default - Corrected the doc Signed-off-by: Qi Feng Huo <[email protected]>
confidential-containers · Jun 21, 2024 · c5d94d0 · c5d94d0
1 parent 8d26472
commit c5d94d0
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 11 deletions.
diff --git a/attestation-service/verifier/src/se/README.md b/attestation-service/verifier/src/se/README.md
@@ -42,26 +42,26 @@ openssl genpkey -algorithm ed25519 > kbs.key
 openssl pkey -in kbs.key -pubout -out kbs.pem
 ```
 
-## Build KBS
+## (Option 1) Launch KBS as a program
+
+- Build KBS
 ```
 cargo install --locked --debug --path kbs/src/kbs --no-default-features --features coco-as-builtin,openssl,resource,opa 
 ```
 
-## (Option 1) Launch KBS as a program
-
 - Prepare the material retrieved above, similar as:
 ```
 /run/confidential-containers/ibmse#
 .
-├── DigiCertCA.crt
 ├── certs
-│   └── ibm-z-host-key-signing-gen2.crt
+│   ├── ibm-z-host-key-signing-gen2.crt
+|   └── DigiCertCA.crt
 ├── crls
-│   └── ibm-z-host-key-gen2.crl
+│   └── ibm-z-host-key-gen2.crl
 ├── hdr
-│   └── hdr.bin
+│   └── hdr.bin
 ├── hkds
-│   └── HKD-3931-0275D38.crt
+│   └── HKD-3931-0275D38.crt
 └── rsa
     ├── encrypt_key.pem
     └── encrypt_key.pub

diff --git a/attestation-service/verifier/src/se/ibmse.rs b/attestation-service/verifier/src/se/ibmse.rs
@@ -25,7 +25,7 @@ const DEFAULT_SE_HOST_KEY_DOCUMENTS_ROOT: &str = "/run/confidential-containers/i
 
 const DEFAULT_SE_CERTIFICATES_ROOT: &str = "/run/confidential-containers/ibmse/certs";
 
-const DEFAULT_SE_CERTIFICATE_ROOT_CA: &str = "/run/confidential-containers/ibmse/DigiCertCA.crt";
+const DEFAULT_SE_CERTIFICATE_ROOT_CA: &str = "/run/confidential-containers/ibmse/root_ca.crt";
 
 const DEFAULT_SE_CERTIFICATE_REVOCATION_LISTS_ROOT: &str =
     "/run/confidential-containers/ibmse/crls";
@@ -239,6 +239,12 @@ impl SeVerifierImpl {
 
         let root_ca_path =
             env_or_default!("SE_CERTIFICATE_ROOT_CA", DEFAULT_SE_CERTIFICATE_ROOT_CA);
+        let ca_option: Option<String>;
+        if std::path::Path::new(&root_ca_path).exists() {
+            ca_option = Some(String::from(root_ca_path));
+        } else {
+            ca_option = None::<String>;
+        }
         let mut attestation_flags = AttestationFlags::default();
         attestation_flags.set_image_phkh();
         attestation_flags.set_attest_phkh();
@@ -274,13 +280,13 @@ impl SeVerifierImpl {
                 );
                 let skip_certs: bool = skip_certs_env.parse::<bool>().unwrap_or(false);
                 if !skip_certs {
-                    let verifier = CertVerifier::new(ca_certs.as_slice(), crls.as_slice(), Some(root_ca_path.clone()), false)?;
+                    let verifier = CertVerifier::new(ca_certs.as_slice(), crls.as_slice(), ca_option.clone(), true)?;
                     verifier.verify(c)?;
                 }
             }
             #[cfg(not(debug_assertions))]
             {
-                let verifier = CertVerifier::new(ca_certs.as_slice(), crls.as_slice(), Some(root_ca_path.clone()), false)?;
+                let verifier = CertVerifier::new(ca_certs.as_slice(), crls.as_slice(), ca_option.clone(), true)?;
                 verifier.verify(c)?;
             }
             arcb.add_hostkey(c.public_key()?);