ibmse: use optional root_ca when launch kbs

attestation-service/verifier/src/se/README.md

@@ -11,19 +11,17 @@ openssl rsa -in encrypt_key-psw.pem -out encrypt_key.pem
 ```
 
 
-## Download Certs, CRLs, Root CA
+## Download Certs, CRLs
 Donwload these materials from: https://www.ibm.com/support/resourcelink/api/content/public/secure-execution-gen2.html
 Which includes:
 
 ### Certs
 ibm-z-host-key-signing-gen2.crt
+DigiCertCA.crt 
 
 ### CRL
 ibm-z-host-key-gen2.crl
 
-### Root CA
-DigiCertCA.crt 
-
 ## Download HKD
 Download IBM Secure Execution Host Key Document following: https://www.ibm.com/docs/en/linux-on-z?topic=execution-verify-host-key-document
 
@@ -42,26 +40,26 @@ openssl genpkey -algorithm ed25519 > kbs.key
 openssl pkey -in kbs.key -pubout -out kbs.pem
 ```
 
-## Build KBS
+## (Option 1) Launch KBS as a program
+
+- Build KBS
 ```
 cargo install --locked --debug --path kbs/src/kbs --no-default-features --features coco-as-builtin,openssl,resource,opa 
 ```
 
-## (Option 1) Launch KBS as a program
-
 - Prepare the material retrieved above, similar as:
 ```
 /run/confidential-containers/ibmse#
 .
-├── DigiCertCA.crt
 ├── certs
-│   └── ibm-z-host-key-signing-gen2.crt
+│   ├── ibm-z-host-key-signing-gen2.crt
+|   └── DigiCertCA.crt
 ├── crls
-│   └── ibm-z-host-key-gen2.crl
+│   └── ibm-z-host-key-gen2.crl
 ├── hdr
-│   └── hdr.bin
+│   └── hdr.bin
 ├── hkds
-│   └── HKD-3931-0275D38.crt
+│   └── HKD-3931-0275D38.crt
 └── rsa
     ├── encrypt_key.pem
     └── encrypt_key.pub

attestation-service/verifier/src/se/ibmse.rs

@@ -21,11 +21,13 @@ use serde::{Deserialize, Serialize};
 use serde_with::{base64::Base64, hex::Hex, serde_as};
 use std::{env, fs};
 
+const DEFAULT_CERTS_OFFLINE_VERIFICATION: &str = "false";
+
 const DEFAULT_SE_HOST_KEY_DOCUMENTS_ROOT: &str = "/run/confidential-containers/ibmse/hkds";
 
 const DEFAULT_SE_CERTIFICATES_ROOT: &str = "/run/confidential-containers/ibmse/certs";
 
-const DEFAULT_SE_CERTIFICATE_ROOT_CA: &str = "/run/confidential-containers/ibmse/DigiCertCA.crt";
+const DEFAULT_SE_CERTIFICATE_ROOT_CA: &str = "/run/confidential-containers/ibmse/root_ca.crt";
 
 const DEFAULT_SE_CERTIFICATE_REVOCATION_LISTS_ROOT: &str =
     "/run/confidential-containers/ibmse/crls";
@@ -239,6 +241,16 @@ impl SeVerifierImpl {
 
         let root_ca_path =
             env_or_default!("SE_CERTIFICATE_ROOT_CA", DEFAULT_SE_CERTIFICATE_ROOT_CA);
+        let ca_option: Option<String> = if std::path::Path::new(&root_ca_path).exists() {
+            Some(root_ca_path)
+        } else {
+            None::<String>
+        };
+        let offline_certs_verify = env_or_default!(
+            "CERTS_OFFLINE_VERIFICATION",
+            DEFAULT_CERTS_OFFLINE_VERIFICATION
+        );
+        let offline_certs_verify: bool = offline_certs_verify.parse::<bool>().unwrap_or(false);
         let mut attestation_flags = AttestationFlags::default();
         attestation_flags.set_image_phkh();
         attestation_flags.set_attest_phkh();
@@ -274,13 +286,13 @@ impl SeVerifierImpl {
                 );
                 let skip_certs: bool = skip_certs_env.parse::<bool>().unwrap_or(false);
                 if !skip_certs {
-                    let verifier = CertVerifier::new(ca_certs.as_slice(), crls.as_slice(), Some(root_ca_path.clone()), false)?;
+                    let verifier = CertVerifier::new(ca_certs.as_slice(), crls.as_slice(), ca_option.clone(), offline_certs_verify)?;
                     verifier.verify(c)?;
                 }
             }
             #[cfg(not(debug_assertions))]
             {
-                let verifier = CertVerifier::new(ca_certs.as_slice(), crls.as_slice(), Some(root_ca_path.clone()), false)?;
+                let verifier = CertVerifier::new(ca_certs.as_slice(), crls.as_slice(), ca_option.clone(), offline_certs_verify)?;
                 verifier.verify(c)?;
             }
             arcb.add_hostkey(c.public_key()?);